{
"type": "URL",
"indicator": "https://91.208.184.78/TzGG",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://91.208.184.78/TzGG",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4036765781,
"indicator": "https://91.208.184.78/TzGG",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 8,
"pulses": [
{
"id": "69a5c36b78ed73550bb0bf22",
"name": "by Disable_Duck",
"description": "",
"modified": "2026-03-04T23:37:24.208000",
"created": "2026-03-02T17:05:47.288000",
"tags": [
"kgs0",
"kls0",
"botname http",
"entity",
"UAlberta",
"Telus",
"Norton",
"ffss",
"Alberta",
"AlbertaNDP",
"InteriorHealth",
"RCMP",
"CrimeStoppersAB",
"EdmontonPolice",
"RCMP Kelowna",
"RCMP AB",
"TLS/SSL Crawler",
"CVE-2026-24061 Attempt",
"Generic IoT Default Password Attempt",
"Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt",
"Dahua Backdoor Attempt",
"ENV Crawler",
"DCERPC Protocol",
"Carries HTTP Referer",
"GNU Inetutils Telnetd Auth Bypass",
"ICMPv4 Protocol"
],
"references": [
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
"https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Netherlands",
"Panama",
"Poland",
"United Kingdom of Great Britain and Northern Ireland",
"Slovakia",
"Aruba",
"Anguilla",
"Australia",
"Costa Rica",
"Guatemala",
"Mexico",
"Trinidad and Tobago",
"Cura\u00e7ao",
"Philippines",
"Virgin Islands, U.S.",
"Ukraine",
"Barbados",
"Germany",
"Sint Maarten (Dutch part)",
"Argentina",
"Switzerland"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Healthcare",
"Government",
"Technology",
"Energy",
"Telecommunications"
],
"TLP": "white",
"cloned_from": "6901363c4ce422f5caf0f72c",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3903,
"FileHash-SHA1": 4967,
"FileHash-SHA256": 12884,
"URL": 996,
"domain": 987,
"hostname": 3306,
"email": 4,
"CVE": 1
},
"indicator_count": 27048,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "88 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6901363c4ce422f5caf0f72c",
"name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)",
"description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse is mostly covering activity in the Province of Alberta Canada. Given recent news, it appears that BC Interior Health and Kelowna RCMP Detachment impacted in addition to Alberta Sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6,7,8 as well as the Canadian CRA heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)",
"modified": "2026-02-18T05:00:41.494000",
"created": "2025-10-28T21:31:40.008000",
"tags": [
"kgs0",
"kls0",
"botname http",
"entity",
"UAlberta",
"Telus",
"Norton",
"ffss",
"Alberta",
"AlbertaNDP",
"InteriorHealth",
"RCMP",
"CrimeStoppersAB",
"EdmontonPolice",
"RCMP Kelowna",
"RCMP AB"
],
"references": [
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Netherlands",
"Panama",
"Poland",
"United Kingdom of Great Britain and Northern Ireland",
"Slovakia",
"Aruba",
"Anguilla",
"Australia",
"Costa Rica",
"Guatemala",
"Mexico",
"Trinidad and Tobago",
"Cura\u00e7ao",
"Philippines",
"Virgin Islands, U.S.",
"Ukraine",
"Barbados",
"Germany",
"Sint Maarten (Dutch part)"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Healthcare",
"Government",
"Technology",
"Energy",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3903,
"FileHash-SHA1": 4967,
"FileHash-SHA256": 12884,
"URL": 995,
"domain": 984,
"hostname": 3305,
"email": 4
},
"indicator_count": 27042,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 129,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68cda7d2fa81b016a486aad8",
"name": "logo Virustotal/Virustotal.com( usuni\u0119te pliki Virustotal i ich wsp\u00f3lne cechy)",
"description": "",
"modified": "2025-10-19T18:02:53.885000",
"created": "2025-09-19T18:58:26.750000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 213,
"FileHash-MD5": 100,
"FileHash-SHA1": 100,
"FileHash-SHA256": 150,
"domain": 11,
"hostname": 5
},
"indicator_count": 579,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 124,
"modified_text": "224 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68adee67c08cd025b05c2ab0",
"name": "Collection of Collections - Updated - Malicious Certificates & University of Alberta DataBreach - 09.15.25.25",
"description": "This Pulse is an attempt to aggregate all known certificates from all sources.\n\nEncrypted Communication: The malware uses Bitcoin and Ethereum addresses for communication, allowing it to receive commands and exfiltrate data securely.\nEvasion Techniques: The malware generates long and unusual domain parts using Domain Generation Algorithms to evade detection and establish communication with its C2 server.\nData Exfiltration: The malware can exfiltrate data to cloud storage services, enabling the threat actor to steal sensitive information from the compromised system.\nRemote Access: The malware leverages bidirectional communication and system binary proxy execution techniques to enable remote access and control over the infected system.\nIngress Tool Transfer: The malware downloads executable files from URLs, indicating its ability to download additional malicious payloads or updates to enhance its capabilities.",
"modified": "2025-10-16T05:02:02.452000",
"created": "2025-08-26T17:27:01.650000",
"tags": [
"http",
"https",
"kgs0",
"kls0",
"Malcerts",
"Certificates",
"Alberta",
"GovAB",
"UAlberta",
"Speader"
],
"references": [
"https://www.virustotal.com/graph/embed/g0cfdc207f7d14c9a9173c2f9b804dd92b17706ef2a8c41dba3e0af36353cd70b?theme=dark",
"https://viz.greynoise.io/ip/analysis/408b56e2-1932-4975-b348-5a8a7c5991d4",
"https://report.netcraft.com/submission/ATkcJjvq2iKUQhELceQs7q4WVU76Q8QG - Submitted IPv4s to Netcraft 08.29.25",
"https://www.filescan.io/uploads/68b261771c81c34281d8af6d/reports/44924eb0-000d-42ad-944e-36bf849a406d/overview",
"https://www.virustotal.com/gui/file/19ec86ce10a716e8e63804239052c96cfa0a7fb66c2820bda2e66358f622525c/community",
"Added some URLs from FSio Report to URLScan"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Netherlands",
"Aruba",
"Panama",
"Poland",
"Ukraine",
"United Kingdom of Great Britain and Northern Ireland",
"Anguilla",
"United Arab Emirates",
"Ireland",
"Tanzania, United Republic of",
"Philippines",
"Japan",
"Guatemala",
"Mexico",
"Bahamas",
"Barbados",
"Georgia",
"Slovakia",
"Sint Maarten (Dutch part)",
"Kenya"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Government",
"Technology",
"Telecommunications",
"Healthcare"
],
"TLP": "white",
"cloned_from": null,
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1639,
"FileHash-MD5": 1481,
"FileHash-SHA1": 1421,
"FileHash-SHA256": 5969,
"domain": 707,
"hostname": 2311,
"email": 5,
"CIDR": 13
},
"indicator_count": 13546,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 133,
"modified_text": "228 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68b78d521f024d3a98fc79c8",
"name": "VT Graph miniuser - Databreach IOCs & Links",
"description": "Related to Pulse: Food for Thought (Updated 09.02.25)\n\n*Note most links are malicious",
"modified": "2025-10-03T00:01:12.616000",
"created": "2025-09-03T00:35:30.936000",
"tags": [
"kgs0",
"kls0",
"entity",
"UAlberta",
"University of Alberta",
"Hacked",
"DataBreach"
],
"references": [
"https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 132,
"FileHash-SHA1": 121,
"FileHash-SHA256": 711,
"URL": 83,
"domain": 50,
"hostname": 125
},
"indicator_count": 1222,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 129,
"modified_text": "241 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67b109cbfbcc6f92c399b327",
"name": "UAlberta Breach Data - Food for thought - thoughts & input on how to 'bring some attention to this' (not enriched)",
"description": "Just thought I'd throw thisntogether and 'see what ya'll make of it' (documents a VT graph produced and slightly modified) that pulls a lot of things together. Highlights both 'some problems' - U of A / Gov. of AB (who are also some 'solutions'). \nIdeas on how to grab their attention and maybe bring some 'urgency' to this issue? I have a few solutions and ideas for everyone - problem: I require some folks to 'do their jobs' (there is not 10 of me). Thoughts on how to encourage them to act on these problems. Present status: Connected directly to them on other devices. Within literal 5 min walking range.",
"modified": "2025-05-27T07:01:17.646000",
"created": "2025-02-15T21:40:27.895000",
"tags": [
"kgs0",
"kls0"
],
"references": [
"https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark",
"",
"Government of AB https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce OTX AlienVault 2096",
"UAlberta = https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecbe"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Healthcare",
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 5,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 215,
"FileHash-SHA1": 193,
"FileHash-SHA256": 1302,
"URL": 166,
"domain": 100,
"hostname": 234
},
"indicator_count": 2210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 131,
"modified_text": "370 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67d031976cb9f909df091316",
"name": "Playbook Hunting Chinese APT",
"description": "Chinese state-sponsored cyber-espionage group APT41 used two different tools, one of which used Microsoft CertUtil, to download Cobalt Strike BEACON shellcode, as part of a series of intrusions.",
"modified": "2025-04-10T12:01:48.217000",
"created": "2025-03-11T12:50:31.862000",
"tags": [
"commandline",
"or commandline",
"image",
"folderpath",
"wineventlog",
"redacted",
"rules threat",
"intelligence",
"threat hunting",
"chinese apt",
"powershell",
"apache",
"path",
"cobalt strike",
"shadow",
"mimikatz",
"config",
"impacket",
"dumpcreds",
"encodedcommand",
"copy",
"write",
"defender",
"crypto",
"persistence",
"vmprotected meterpreter"
],
"references": [
"https://medium.com/detect-fyi/playbook-hunting-chinese-apt-379a6b950492"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "VMProtected Meterpreter",
"display_name": "VMProtected Meterpreter",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1087",
"name": "Account Discovery",
"display_name": "T1087 - Account Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1490",
"name": "Inhibit System Recovery",
"display_name": "T1490 - Inhibit System Recovery"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "PetrP.73",
"id": "154605",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 16,
"FileHash-MD5": 5,
"FileHash-SHA1": 5,
"FileHash-SHA256": 14,
"domain": 11
},
"indicator_count": 51,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 541,
"modified_text": "417 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67aac6e4b628acffaed3f068",
"name": "New Batch - Malcerts - 02.10.25 - unenriched",
"description": "Here is the full text of the text that was found on the website of Mozilla, following an investigation by the security firm Virustotal and the UK's Office of National Statistics (ONS).. [autofilled].\n\nMore Malcerts from Sample Device deployed at several sites in YEG - Canada. Related to pulse - Thor Scan Lite Linux\nNot enriched on import, but did include links to VT entries as IOCs (those will be false positives - but easy access). \nFolder name: Mozilla Located @ /usr/share/ca-certificates",
"modified": "2025-03-16T17:01:06.968000",
"created": "2025-02-11T03:41:24.585000",
"tags": [
"UAlberta",
"Malcerts",
"Certificates",
"Eduroam",
"Alberta"
],
"references": [
"https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/iocs",
"https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/summary",
"https://hybrid-analysis.com/file-collection/67aa8951a3fc5708a905306a",
"https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/community",
"https://tria.ge/250210-3c3c3askfz",
"https://tria.ge/250210-3nh4kasmes",
"https://tria.ge/250210-3y8f7sspdy",
"https://tria.ge/250211-dhpxgswlax",
"https://tria.ge/250211-dt1hcswme1",
"https://tria.ge/250211-dx9v7swnbw",
"Zipped IOC: c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
"https://www.virustotal.com/graph/embed/g4d7797bcffdd450281d4012ac3a0a5ee3fafe8b4f5964c18b4e0332306cb367b?theme=dark",
"https://tip.neiki.dev/file/c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
"c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
"Cert[.]pl MLDB: 1da23fc67a5f101321e39d04e76dcaa7"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Government",
"Healthcare",
"Telecommunications",
"Finance",
"Agriculture",
"Hospitality",
"Media",
"Retail"
],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 831,
"FileHash-SHA1": 801,
"FileHash-SHA256": 3227,
"URL": 395,
"domain": 189,
"hostname": 798
},
"indicator_count": 6241,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 131,
"modified_text": "441 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://viz.greynoise.io/ip/analysis/408b56e2-1932-4975-b348-5a8a7c5991d4",
"https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark",
"https://hybrid-analysis.com/file-collection/67aa8951a3fc5708a905306a",
"https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/summary",
"https://tria.ge/250210-3c3c3askfz",
"https://tria.ge/250210-3nh4kasmes",
"https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96",
"https://tria.ge/250210-3y8f7sspdy",
"https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/iocs",
"https://tria.ge/250211-dx9v7swnbw",
"Added some URLs from FSio Report to URLScan",
"https://www.filescan.io/uploads/68b261771c81c34281d8af6d/reports/44924eb0-000d-42ad-944e-36bf849a406d/overview",
"https://tria.ge/250211-dt1hcswme1",
"https://www.virustotal.com/gui/file/19ec86ce10a716e8e63804239052c96cfa0a7fb66c2820bda2e66358f622525c/community",
"c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
"https://tip.neiki.dev/file/c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
"https://www.virustotal.com/graph/embed/g4d7797bcffdd450281d4012ac3a0a5ee3fafe8b4f5964c18b4e0332306cb367b?theme=dark",
"https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/community",
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"Zipped IOC: c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
"https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
"https://tria.ge/250211-dhpxgswlax",
"Government of AB https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce OTX AlienVault 2096",
"https://report.netcraft.com/submission/ATkcJjvq2iKUQhELceQs7q4WVU76Q8QG - Submitted IPv4s to Netcraft 08.29.25",
"",
"https://www.virustotal.com/graph/embed/g0cfdc207f7d14c9a9173c2f9b804dd92b17706ef2a8c41dba3e0af36353cd70b?theme=dark",
"UAlberta = https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecbe",
"Cert[.]pl MLDB: 1da23fc67a5f101321e39d04e76dcaa7",
"https://medium.com/detect-fyi/playbook-hunting-chinese-apt-379a6b950492"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Vmprotected meterpreter",
"Cobalt strike"
],
"industries": [
"Healthcare",
"Retail",
"Agriculture",
"Technology",
"Education",
"Telecommunications",
"Hospitality",
"Media",
"Government",
"Finance",
"Energy"
],
"unique_indicators": 15985
}
}
},
"false_positive": [],
"alexa": "",
"whois": "http://whois.domaintools.com/91.208.184.78",
"domain": "Unavailable",
"hostname": "Unavailable"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 8,
"pulses": [
{
"id": "69a5c36b78ed73550bb0bf22",
"name": "by Disable_Duck",
"description": "",
"modified": "2026-03-04T23:37:24.208000",
"created": "2026-03-02T17:05:47.288000",
"tags": [
"kgs0",
"kls0",
"botname http",
"entity",
"UAlberta",
"Telus",
"Norton",
"ffss",
"Alberta",
"AlbertaNDP",
"InteriorHealth",
"RCMP",
"CrimeStoppersAB",
"EdmontonPolice",
"RCMP Kelowna",
"RCMP AB",
"TLS/SSL Crawler",
"CVE-2026-24061 Attempt",
"Generic IoT Default Password Attempt",
"Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt",
"Dahua Backdoor Attempt",
"ENV Crawler",
"DCERPC Protocol",
"Carries HTTP Referer",
"GNU Inetutils Telnetd Auth Bypass",
"ICMPv4 Protocol"
],
"references": [
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
"https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Netherlands",
"Panama",
"Poland",
"United Kingdom of Great Britain and Northern Ireland",
"Slovakia",
"Aruba",
"Anguilla",
"Australia",
"Costa Rica",
"Guatemala",
"Mexico",
"Trinidad and Tobago",
"Cura\u00e7ao",
"Philippines",
"Virgin Islands, U.S.",
"Ukraine",
"Barbados",
"Germany",
"Sint Maarten (Dutch part)",
"Argentina",
"Switzerland"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Healthcare",
"Government",
"Technology",
"Energy",
"Telecommunications"
],
"TLP": "white",
"cloned_from": "6901363c4ce422f5caf0f72c",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3903,
"FileHash-SHA1": 4967,
"FileHash-SHA256": 12884,
"URL": 996,
"domain": 987,
"hostname": 3306,
"email": 4,
"CVE": 1
},
"indicator_count": 27048,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "88 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6901363c4ce422f5caf0f72c",
"name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)",
"description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse is mostly covering activity in the Province of Alberta Canada. Given recent news, it appears that BC Interior Health and Kelowna RCMP Detachment impacted in addition to Alberta Sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6,7,8 as well as the Canadian CRA heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)",
"modified": "2026-02-18T05:00:41.494000",
"created": "2025-10-28T21:31:40.008000",
"tags": [
"kgs0",
"kls0",
"botname http",
"entity",
"UAlberta",
"Telus",
"Norton",
"ffss",
"Alberta",
"AlbertaNDP",
"InteriorHealth",
"RCMP",
"CrimeStoppersAB",
"EdmontonPolice",
"RCMP Kelowna",
"RCMP AB"
],
"references": [
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Netherlands",
"Panama",
"Poland",
"United Kingdom of Great Britain and Northern Ireland",
"Slovakia",
"Aruba",
"Anguilla",
"Australia",
"Costa Rica",
"Guatemala",
"Mexico",
"Trinidad and Tobago",
"Cura\u00e7ao",
"Philippines",
"Virgin Islands, U.S.",
"Ukraine",
"Barbados",
"Germany",
"Sint Maarten (Dutch part)"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Healthcare",
"Government",
"Technology",
"Energy",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3903,
"FileHash-SHA1": 4967,
"FileHash-SHA256": 12884,
"URL": 995,
"domain": 984,
"hostname": 3305,
"email": 4
},
"indicator_count": 27042,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 129,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68cda7d2fa81b016a486aad8",
"name": "logo Virustotal/Virustotal.com( usuni\u0119te pliki Virustotal i ich wsp\u00f3lne cechy)",
"description": "",
"modified": "2025-10-19T18:02:53.885000",
"created": "2025-09-19T18:58:26.750000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 213,
"FileHash-MD5": 100,
"FileHash-SHA1": 100,
"FileHash-SHA256": 150,
"domain": 11,
"hostname": 5
},
"indicator_count": 579,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 124,
"modified_text": "224 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68adee67c08cd025b05c2ab0",
"name": "Collection of Collections - Updated - Malicious Certificates & University of Alberta DataBreach - 09.15.25.25",
"description": "This Pulse is an attempt to aggregate all known certificates from all sources.\n\nEncrypted Communication: The malware uses Bitcoin and Ethereum addresses for communication, allowing it to receive commands and exfiltrate data securely.\nEvasion Techniques: The malware generates long and unusual domain parts using Domain Generation Algorithms to evade detection and establish communication with its C2 server.\nData Exfiltration: The malware can exfiltrate data to cloud storage services, enabling the threat actor to steal sensitive information from the compromised system.\nRemote Access: The malware leverages bidirectional communication and system binary proxy execution techniques to enable remote access and control over the infected system.\nIngress Tool Transfer: The malware downloads executable files from URLs, indicating its ability to download additional malicious payloads or updates to enhance its capabilities.",
"modified": "2025-10-16T05:02:02.452000",
"created": "2025-08-26T17:27:01.650000",
"tags": [
"http",
"https",
"kgs0",
"kls0",
"Malcerts",
"Certificates",
"Alberta",
"GovAB",
"UAlberta",
"Speader"
],
"references": [
"https://www.virustotal.com/graph/embed/g0cfdc207f7d14c9a9173c2f9b804dd92b17706ef2a8c41dba3e0af36353cd70b?theme=dark",
"https://viz.greynoise.io/ip/analysis/408b56e2-1932-4975-b348-5a8a7c5991d4",
"https://report.netcraft.com/submission/ATkcJjvq2iKUQhELceQs7q4WVU76Q8QG - Submitted IPv4s to Netcraft 08.29.25",
"https://www.filescan.io/uploads/68b261771c81c34281d8af6d/reports/44924eb0-000d-42ad-944e-36bf849a406d/overview",
"https://www.virustotal.com/gui/file/19ec86ce10a716e8e63804239052c96cfa0a7fb66c2820bda2e66358f622525c/community",
"Added some URLs from FSio Report to URLScan"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Netherlands",
"Aruba",
"Panama",
"Poland",
"Ukraine",
"United Kingdom of Great Britain and Northern Ireland",
"Anguilla",
"United Arab Emirates",
"Ireland",
"Tanzania, United Republic of",
"Philippines",
"Japan",
"Guatemala",
"Mexico",
"Bahamas",
"Barbados",
"Georgia",
"Slovakia",
"Sint Maarten (Dutch part)",
"Kenya"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Government",
"Technology",
"Telecommunications",
"Healthcare"
],
"TLP": "white",
"cloned_from": null,
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1639,
"FileHash-MD5": 1481,
"FileHash-SHA1": 1421,
"FileHash-SHA256": 5969,
"domain": 707,
"hostname": 2311,
"email": 5,
"CIDR": 13
},
"indicator_count": 13546,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 133,
"modified_text": "228 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68b78d521f024d3a98fc79c8",
"name": "VT Graph miniuser - Databreach IOCs & Links",
"description": "Related to Pulse: Food for Thought (Updated 09.02.25)\n\n*Note most links are malicious",
"modified": "2025-10-03T00:01:12.616000",
"created": "2025-09-03T00:35:30.936000",
"tags": [
"kgs0",
"kls0",
"entity",
"UAlberta",
"University of Alberta",
"Hacked",
"DataBreach"
],
"references": [
"https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 132,
"FileHash-SHA1": 121,
"FileHash-SHA256": 711,
"URL": 83,
"domain": 50,
"hostname": 125
},
"indicator_count": 1222,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 129,
"modified_text": "241 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67b109cbfbcc6f92c399b327",
"name": "UAlberta Breach Data - Food for thought - thoughts & input on how to 'bring some attention to this' (not enriched)",
"description": "Just thought I'd throw thisntogether and 'see what ya'll make of it' (documents a VT graph produced and slightly modified) that pulls a lot of things together. Highlights both 'some problems' - U of A / Gov. of AB (who are also some 'solutions'). \nIdeas on how to grab their attention and maybe bring some 'urgency' to this issue? I have a few solutions and ideas for everyone - problem: I require some folks to 'do their jobs' (there is not 10 of me). Thoughts on how to encourage them to act on these problems. Present status: Connected directly to them on other devices. Within literal 5 min walking range.",
"modified": "2025-05-27T07:01:17.646000",
"created": "2025-02-15T21:40:27.895000",
"tags": [
"kgs0",
"kls0"
],
"references": [
"https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark",
"",
"Government of AB https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce OTX AlienVault 2096",
"UAlberta = https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecbe"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Healthcare",
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 5,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 215,
"FileHash-SHA1": 193,
"FileHash-SHA256": 1302,
"URL": 166,
"domain": 100,
"hostname": 234
},
"indicator_count": 2210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 131,
"modified_text": "370 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67d031976cb9f909df091316",
"name": "Playbook Hunting Chinese APT",
"description": "Chinese state-sponsored cyber-espionage group APT41 used two different tools, one of which used Microsoft CertUtil, to download Cobalt Strike BEACON shellcode, as part of a series of intrusions.",
"modified": "2025-04-10T12:01:48.217000",
"created": "2025-03-11T12:50:31.862000",
"tags": [
"commandline",
"or commandline",
"image",
"folderpath",
"wineventlog",
"redacted",
"rules threat",
"intelligence",
"threat hunting",
"chinese apt",
"powershell",
"apache",
"path",
"cobalt strike",
"shadow",
"mimikatz",
"config",
"impacket",
"dumpcreds",
"encodedcommand",
"copy",
"write",
"defender",
"crypto",
"persistence",
"vmprotected meterpreter"
],
"references": [
"https://medium.com/detect-fyi/playbook-hunting-chinese-apt-379a6b950492"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "VMProtected Meterpreter",
"display_name": "VMProtected Meterpreter",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1087",
"name": "Account Discovery",
"display_name": "T1087 - Account Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1490",
"name": "Inhibit System Recovery",
"display_name": "T1490 - Inhibit System Recovery"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "PetrP.73",
"id": "154605",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 16,
"FileHash-MD5": 5,
"FileHash-SHA1": 5,
"FileHash-SHA256": 14,
"domain": 11
},
"indicator_count": 51,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 541,
"modified_text": "417 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67aac6e4b628acffaed3f068",
"name": "New Batch - Malcerts - 02.10.25 - unenriched",
"description": "Here is the full text of the text that was found on the website of Mozilla, following an investigation by the security firm Virustotal and the UK's Office of National Statistics (ONS).. [autofilled].\n\nMore Malcerts from Sample Device deployed at several sites in YEG - Canada. Related to pulse - Thor Scan Lite Linux\nNot enriched on import, but did include links to VT entries as IOCs (those will be false positives - but easy access). \nFolder name: Mozilla Located @ /usr/share/ca-certificates",
"modified": "2025-03-16T17:01:06.968000",
"created": "2025-02-11T03:41:24.585000",
"tags": [
"UAlberta",
"Malcerts",
"Certificates",
"Eduroam",
"Alberta"
],
"references": [
"https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/iocs",
"https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/summary",
"https://hybrid-analysis.com/file-collection/67aa8951a3fc5708a905306a",
"https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/community",
"https://tria.ge/250210-3c3c3askfz",
"https://tria.ge/250210-3nh4kasmes",
"https://tria.ge/250210-3y8f7sspdy",
"https://tria.ge/250211-dhpxgswlax",
"https://tria.ge/250211-dt1hcswme1",
"https://tria.ge/250211-dx9v7swnbw",
"Zipped IOC: c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
"https://www.virustotal.com/graph/embed/g4d7797bcffdd450281d4012ac3a0a5ee3fafe8b4f5964c18b4e0332306cb367b?theme=dark",
"https://tip.neiki.dev/file/c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
"c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
"Cert[.]pl MLDB: 1da23fc67a5f101321e39d04e76dcaa7"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Government",
"Healthcare",
"Telecommunications",
"Finance",
"Agriculture",
"Hospitality",
"Media",
"Retail"
],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 831,
"FileHash-SHA1": 801,
"FileHash-SHA256": 3227,
"URL": 395,
"domain": 189,
"hostname": 798
},
"indicator_count": 6241,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 131,
"modified_text": "441 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://91.208.184.78/TzGG",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://91.208.184.78/TzGG",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780316653.3779337
}