{ "type": "URL", "indicator": "https://4com.apple.usernotifications.delegate.com.apple", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://4com.apple.usernotifications.delegate.com.apple", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2759761116, "indicator": "https://4com.apple.usernotifications.delegate.com.apple", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T01:02:14", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 11 }, "indicator_count": 18420, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "6 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b283a733a36fe75a38bb9c", "name": "The Gatby Script Loader", "description": "Im still hooked on the Belasco Chain being a thing.", "modified": "2026-05-30T00:28:12.957000", "created": "2026-03-12T09:13:11.392000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 227, "FileHash-MD5": 24, "FileHash-SHA1": 14, "domain": 64, "URL": 42, "hostname": 58, "CVE": 6, "JA3": 1 }, "indicator_count": 436, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d5984ae3b073952a9f8559", "name": "VirusTotal report for geomi / cape / yomi hunter / zenbox", "description": "The collision of legacy software, rapidly advancing AI, and modern infrastructure has created a critical juncture for digital oversight. Current surveillance practices within these hybrid environments often operate without transparency or defined accountability, leading to heightened risks in data privacy and system security. The only viable forward path is adopting a stance of deliberate, good intent and establishing stringent accountability structures to preserve the foundational integrity of the internet. This should not happen, ever.", "modified": "2026-05-07T23:11:24.361000", "created": "2026-04-07T23:50:34.805000", "tags": [ "a nxdomain", "ds nxdomain", "nxdomain", "unknown", "passive dns", "ip address", "domain", "pulse pulses", "urls", "files", "msie", "windows nt", "wow64", "slcc2", "media center", "ref b", "file type", "sysv", "sample", "drops", "ascii", "https", "performs dns", "tls version", "mitre attack", "network info", "reads cpu", "proc indicative", "persistence", "memory pattern", "dns resolutions", "ip traffic", "domains", "urls http", "tls sni", "hashes cape", "linux", "zenbox linux", "file system", "ipv4", "cdn range", "ssltls client", "less ip", "contacted", "related pulses", "pulses", "tags", "related tags", "ascii text", "size", "sha256", "ssdeep", "magic", "trid null", "macbinary", "memo file", "apollo database", "engine", "magika iso", "file size", "accept", "gmt ifnonematch", "uri data", "united", "pdfkit.net", "sim", "uuid", "privileged access", "evasion", "wiper", "not cryptographically sound", "time change auth by root date" ], "references": [ "https://otx.alienvault.com/pulse/69d5859750dfad7fe7989ef4", "https://www.virustotal.com/gui/file/64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b/behavior", "https://www.virustotal.com/gui/file/2e9df8987212300815928e0426e9358b1380a1eaba38270d03dd69e421686b5b/behavior", "https://www.virustotal.com/gui/file/897b30acabf35da4937b1b8258d30dd2f89cf64ada8522b558d01eb503b7b85f/behavior", "https://www.virustotal.com/graph/gd016713b8645450da71f7493b0829def1376ce3e16cf4f6d95061a7400af5447", "https://www.virustotal.com/gui/file/4bf52ea159354bc0aefecb53fbf93b2fea7019eabf9ada27c58fa00c1e9bb990/details", "https://www.virustotal.com/gui/file/c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f/detection/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 147, "FileHash-SHA1": 117, "FileHash-SHA256": 110, "URL": 243, "hostname": 138, "domain": 15, "CVE": 4 }, "indicator_count": 774, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d5a070bf1c88b4790eea91", "name": "Geomi / Cape Threat / Yomi Hunter / Zenbox | ", "description": "", "modified": "2026-05-07T23:11:24.361000", "created": "2026-04-08T00:25:20.217000", "tags": [ "a nxdomain", "ds nxdomain", "nxdomain", "unknown", "passive dns", "ip address", "domain", "pulse pulses", "urls", "files", "msie", "windows nt", "wow64", "slcc2", "media center", "ref b", "file type", "sysv", "sample", "drops", "ascii", "https", "performs dns", "tls version", "mitre attack", "network info", "reads cpu", "proc indicative", "persistence", "memory pattern", "dns resolutions", "ip traffic", "domains", "urls http", "tls sni", "hashes cape", "linux", "zenbox linux", "file system", "ipv4", "cdn range", "ssltls client", "less ip", "contacted", "related pulses", "pulses", "tags", "related tags", "ascii text", "size", "sha256", "ssdeep", "magic", "trid null", "macbinary", "memo file", "apollo database", "engine", "magika iso", "file size", "accept", "gmt ifnonematch", "uri data", "united", "pdfkit.net", "sim", "uuid", "privileged access", "evasion", "wiper", "not cryptographically sound", "time change auth by root date" ], "references": [ "https://otx.alienvault.com/pulse/69d5859750dfad7fe7989ef4", "https://www.virustotal.com/gui/file/64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b/behavior", "https://www.virustotal.com/gui/file/2e9df8987212300815928e0426e9358b1380a1eaba38270d03dd69e421686b5b/behavior", "https://www.virustotal.com/gui/file/897b30acabf35da4937b1b8258d30dd2f89cf64ada8522b558d01eb503b7b85f/behavior", "https://www.virustotal.com/graph/gd016713b8645450da71f7493b0829def1376ce3e16cf4f6d95061a7400af5447", "https://www.virustotal.com/gui/file/4bf52ea159354bc0aefecb53fbf93b2fea7019eabf9ada27c58fa00c1e9bb990/details", "https://www.virustotal.com/gui/file/c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f/detection/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" } ], "industries": [], "TLP": "green", "cloned_from": "69d5984ae3b073952a9f8559", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 147, "FileHash-SHA1": 117, "FileHash-SHA256": 110, "URL": 243, "hostname": 138, "domain": 14, "CVE": 4 }, "indicator_count": 773, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/gui/file/4bf52ea159354bc0aefecb53fbf93b2fea7019eabf9ada27c58fa00c1e9bb990/details", "https://www.virustotal.com/graph/gd016713b8645450da71f7493b0829def1376ce3e16cf4f6d95061a7400af5447", "https://otx.alienvault.com/pulse/69d5859750dfad7fe7989ef4", "https://www.virustotal.com/gui/file/64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b/behavior", "https://www.virustotal.com/gui/file/2e9df8987212300815928e0426e9358b1380a1eaba38270d03dd69e421686b5b/behavior", "https://www.virustotal.com/gui/file/897b30acabf35da4937b1b8258d30dd2f89cf64ada8522b558d01eb503b7b85f/behavior", "https://www.virustotal.com/gui/file/c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f/detection/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 13270 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/com.apple", "whois": "http://whois.domaintools.com/com.apple", "domain": "com.apple", "hostname": "4com.apple.usernotifications.delegate.com.apple" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T01:02:14", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 11 }, "indicator_count": 18420, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "6 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b283a733a36fe75a38bb9c", "name": "The Gatby Script Loader", "description": "Im still hooked on the Belasco Chain being a thing.", "modified": "2026-05-30T00:28:12.957000", "created": "2026-03-12T09:13:11.392000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 227, "FileHash-MD5": 24, "FileHash-SHA1": 14, "domain": 64, "URL": 42, "hostname": 58, "CVE": 6, "JA3": 1 }, "indicator_count": 436, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d5984ae3b073952a9f8559", "name": "VirusTotal report for geomi / cape / yomi hunter / zenbox", "description": "The collision of legacy software, rapidly advancing AI, and modern infrastructure has created a critical juncture for digital oversight. Current surveillance practices within these hybrid environments often operate without transparency or defined accountability, leading to heightened risks in data privacy and system security. The only viable forward path is adopting a stance of deliberate, good intent and establishing stringent accountability structures to preserve the foundational integrity of the internet. This should not happen, ever.", "modified": "2026-05-07T23:11:24.361000", "created": "2026-04-07T23:50:34.805000", "tags": [ "a nxdomain", "ds nxdomain", "nxdomain", "unknown", "passive dns", "ip address", "domain", "pulse pulses", "urls", "files", "msie", "windows nt", "wow64", "slcc2", "media center", "ref b", "file type", "sysv", "sample", "drops", "ascii", "https", "performs dns", "tls version", "mitre attack", "network info", "reads cpu", "proc indicative", "persistence", "memory pattern", "dns resolutions", "ip traffic", "domains", "urls http", "tls sni", "hashes cape", "linux", "zenbox linux", "file system", "ipv4", "cdn range", "ssltls client", "less ip", "contacted", "related pulses", "pulses", "tags", "related tags", "ascii text", "size", "sha256", "ssdeep", "magic", "trid null", "macbinary", "memo file", "apollo database", "engine", "magika iso", "file size", "accept", "gmt ifnonematch", "uri data", "united", "pdfkit.net", "sim", "uuid", "privileged access", "evasion", "wiper", "not cryptographically sound", "time change auth by root date" ], "references": [ "https://otx.alienvault.com/pulse/69d5859750dfad7fe7989ef4", "https://www.virustotal.com/gui/file/64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b/behavior", "https://www.virustotal.com/gui/file/2e9df8987212300815928e0426e9358b1380a1eaba38270d03dd69e421686b5b/behavior", "https://www.virustotal.com/gui/file/897b30acabf35da4937b1b8258d30dd2f89cf64ada8522b558d01eb503b7b85f/behavior", "https://www.virustotal.com/graph/gd016713b8645450da71f7493b0829def1376ce3e16cf4f6d95061a7400af5447", "https://www.virustotal.com/gui/file/4bf52ea159354bc0aefecb53fbf93b2fea7019eabf9ada27c58fa00c1e9bb990/details", "https://www.virustotal.com/gui/file/c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f/detection/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 147, "FileHash-SHA1": 117, "FileHash-SHA256": 110, "URL": 243, "hostname": 138, "domain": 15, "CVE": 4 }, "indicator_count": 774, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d5a070bf1c88b4790eea91", "name": "Geomi / Cape Threat / Yomi Hunter / Zenbox | ", "description": "", "modified": "2026-05-07T23:11:24.361000", "created": "2026-04-08T00:25:20.217000", "tags": [ "a nxdomain", "ds nxdomain", "nxdomain", "unknown", "passive dns", "ip address", "domain", "pulse pulses", "urls", "files", "msie", "windows nt", "wow64", "slcc2", "media center", "ref b", "file type", "sysv", "sample", "drops", "ascii", "https", "performs dns", "tls version", "mitre attack", "network info", "reads cpu", "proc indicative", "persistence", "memory pattern", "dns resolutions", "ip traffic", "domains", "urls http", "tls sni", "hashes cape", "linux", "zenbox linux", "file system", "ipv4", "cdn range", "ssltls client", "less ip", "contacted", "related pulses", "pulses", "tags", "related tags", "ascii text", "size", "sha256", "ssdeep", "magic", "trid null", "macbinary", "memo file", "apollo database", "engine", "magika iso", "file size", "accept", "gmt ifnonematch", "uri data", "united", "pdfkit.net", "sim", "uuid", "privileged access", "evasion", "wiper", "not cryptographically sound", "time change auth by root date" ], "references": [ "https://otx.alienvault.com/pulse/69d5859750dfad7fe7989ef4", "https://www.virustotal.com/gui/file/64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b/behavior", "https://www.virustotal.com/gui/file/2e9df8987212300815928e0426e9358b1380a1eaba38270d03dd69e421686b5b/behavior", "https://www.virustotal.com/gui/file/897b30acabf35da4937b1b8258d30dd2f89cf64ada8522b558d01eb503b7b85f/behavior", "https://www.virustotal.com/graph/gd016713b8645450da71f7493b0829def1376ce3e16cf4f6d95061a7400af5447", "https://www.virustotal.com/gui/file/4bf52ea159354bc0aefecb53fbf93b2fea7019eabf9ada27c58fa00c1e9bb990/details", "https://www.virustotal.com/gui/file/c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f/detection/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" } ], "industries": [], "TLP": "green", "cloned_from": "69d5984ae3b073952a9f8559", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 147, "FileHash-SHA1": 117, "FileHash-SHA256": 110, "URL": 243, "hostname": 138, "domain": 14, "CVE": 4 }, "indicator_count": 773, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://4com.apple.usernotifications.delegate.com.apple", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://4com.apple.usernotifications.delegate.com.apple", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780212392.5363703 }