{ "type": "URL", "indicator": "https://a.g.open/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://a.g.open/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4170593155, "indicator": "https://a.g.open/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "697cdce9ec418c422eee2054", "name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019", "description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.", "modified": "2026-03-01T16:05:57.375000", "created": "2026-01-30T16:31:37.011000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 7, "CVE": 1 }, "indicator_count": 9592, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6958780c8479a9d69920c3d8", "name": "Telnet - Mirai \u2022 Dark Nexus BusyBox iOS Attack", "description": "There\u2019s enough here to cause an outage. I will stop here. Illegal activities to silence victim and block her from financial settlement award for permanent injuries under workers compensation in a premise and healthcare worker assault scenario. Attorneys estimated her case to be above $100 million but knew she\u2019d be tampered with. Mark Montano MD forewarned her but is culpable. Still attacking family of victim.\n[ True- otx auto generated: Adversaries may be able to gain access to a victim's network through a drive-by attack, as well as using a short-term SSL certificate, in order to target the victim.] |||\nPositive:\nT1140 - Deobfuscate/Decode Files or Information\nSuspicious IP Address\n104.21.51.140, 172.67.181.41\nLocation United States ASN\nModif AS13335 cloudflare\nAutomate Nameservers:\nns1.colocrossing.com.", "modified": "2026-02-02T01:02:46.327000", "created": "2026-01-03T01:59:40.530000", "tags": [ "united", "moved", "title", "passive dns", "ipv4 add", "urls", "files", "hosting", "reverse dns", "location united", "hash avast", "avg clamav", "msdefender mar", "read c", "create c", "medium", "search", "memcommit", "high", "checks", "windows", "execution", "dock", "write", "persistence", "capture", "local", "ref b", "wed may", "backdoor", "mtb aug", "next associated", "mtb dec", "twitter", "smoke loader", "malware", "virtool", "hacktool", "data upload", "present dec", "mtb apr", "win32", "trojan", "worm", "lowfi", "cybota", "expiration date", "name servers", "ipv4", "url analysis", "port", "destination", "telnet login", "bad login", "gpl telnet", "suspicious path", "busybox", "tcp syn", "et telnet", "path", "mirai", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "america", "ck id", "name tactics", "suspicious", "informative", "learn", "t1179 hooking", "installs", "t1035 service", "adversaries", "msie", "windows nt", "slcc2", "media center", "y013", "flag", "span", "accept", "core", "february", "hybrid", "malicious", "general", "click", "strings", "roboto", "next", "usa windows", "finished", "queueprogress", "timestamp input", "threat level", "october", "september", "hwp support", "fresh", "win64", "khtml", "gecko", "brand", "microsoft edge", "programfiles", "comspec", "model", "iframe", "form", "listeners", "initial access", "t1590 gather", "victim network", "ssl certificate", "quasi government", "jeffrey reimer", "palantir", "Regis university", "otx hp", "apple", "pegasus", "h5 data center", "florence colorado", "brian sabey", "target : Tsara Brasheaers", "aig", "industry and commerce", "united states", "State of Colorado.", "date", "status", "domain", "hostname add", "pulse pulses", "files ip", "address", "url https", "url http", "hostname", "show", "type indicator", "source hostname", "entries", "Prometheus Intelligence Technology", "pulse submit", "america flag", "body", "dynamicloader", "microsoft azure", "tls issuing", "named pipe", "json", "ascii text", "lredmond", "Apple", "Telnet", "BusyBox", "Pegasus", "Colorado State Fixer: Christopher P. Ahmann", "Hijacker: Brian Sabey", "For: Concentra", "Protecting Assaulter: Jeffrey Reimer", "For: AIG", "For Industry and Commerce", "For: Quasi Government", "For: Workers Compensation", "Authorities", "Law Enforcement Dark", "Silencing", "Tampering with a Victim", "Meta", "Palantir", "Google", "Bing", "Microsoft", "ColoCrossing", "Associates", "hit men" ], "references": [ "ET Telnet | https://www.colocrossing.com | velocity servers", "https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives", "TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host", "Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)", "(legitimate services will remain up-and-running usually) High | ID dead_host", "ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0", "IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login", "Yara Detections is__elf", "Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , ELFHighEntropy , elf_empty_sections", "http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/", "https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l", "https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!", "https://www.colocrossing.com/", "(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.", "In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov", "104.21.51.140, 172.67.181.41", "Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot", "stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe", "Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download", "Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration", "IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192", "IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82", "Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com", "This is hard to comprehend or put into indelible words." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "HackTool:MSIL/Boilod.C!bit", "display_name": "HackTool:MSIL/Boilod.C!bit", "target": "/malware/HackTool:MSIL/Boilod.C!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1462", "name": "Malicious Software Development Tools", "display_name": "T1462 - Malicious Software Development Tools" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Technology", "Healthcare", "Insurance", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6390, "domain": 723, "hostname": 1978, "FileHash-SHA256": 1912, "FileHash-MD5": 410, "FileHash-SHA1": 306, "email": 3, "SSLCertFingerprint": 28, "CVE": 3 }, "indicator_count": 11753, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "76 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951f52a5af00a9be445ad41", "name": "Mirai - HoneyPot | Pegasus | Therahand HoneyPot Bot Network", "description": "A HoneyPot Bot Network created to protect a criminal who worked for a company formerly known as Therahand Wellness. This company employed an unquestioned but admittedly guilty SA\u2019r. | Name tactics used in an attempt to draw in victims to leave truthful negative reviews about Jeffrey Reimer | The website is extremely malicious. NSO Pegasus & Palantir relationship.\n\nWhat a pity there is no work done in the state of Colorado to convict medical unprofessionals unless they are poor assistants , Latin, African American or , Native. | Colorado has a known race issue. \n\nColorado ranks poor for getting rape kits tested.\nPoor possibly outranking Baltimore,MD in police brutality. \nPoor at solving it attempting to solve crimes. Law enforcement literally collects paper, evidence and turns evidence away at times. \n\nThis system allows the actual criminal\nto track victim.\nIf he wants to be the victim of this crime against persons let him be. \n\n *Pegasus & Israel and 99% of all tags auto populated by OTX.", "modified": "2026-01-28T02:03:16.337000", "created": "2025-12-29T03:27:38.183000", "tags": [ "no expiration", "expiration", "url http", "url https", "iocs", "enter source", "url or", "name servers", "a domains", "accept encoding", "urls", "emails", "servers", "url add", "http", "files domain", "files related", "related tags", "united", "gmt contenttype", "ipv4 add", "url analysis", "files", "present dec", "cname", "virtool", "cryp", "ip address", "trojan", "win32", "therahand", "jeffrey reimer", "reimer dpt", "msie", "chrome", "unknown ns", "unknown cname", "record value", "accept", "encrypt", "passive dns", "moved", "wp engine", "meta", "wordpress", "pegasus", "america flag", "america asn", "reverse dns", "flag", "bad traffic", "et info", "tls handshake", "failure", "analysis", "tor analysis", "dns requests", "united states", "hostname", "pulse submit", "domain", "files ip", "eva lisa", "eva reimer", "all ipv4", "dynamic_content", "fingerprinting", "size", "pattern match", "mitre att", "ck id", "hybrid", "general", "local", "path", "click", "strings", "status", "hostname add", "evasion", "proximity", "pulse pulses", "address", "learn", "adversaries", "name tactics", "suspicious", "informative", "defense evasion", "command", "initial access", "spawns", "present mar", "present jun", "title", "windows nt", "wow64", "slcc2", "media center", "data recovery", "ms windows", "process32nextw", "intel", "pe32", "format", "mozilla", "installcapital", "generic", "write", "unknown", "malware", "next", "installer", "template", "div div", "request blocked", "helvetica neue", "helvetica segoe", "ui arial", "script script", "pragma", "port", "destination", "binbusybox", "high", "post", "icmp traffic", "dns query", "newstatusurl", "mirai", "prefetch8", "ck matrix", "localappdata", "info", "ssl certificate", "czech republic", "prefetch1", "prefetch2", "israel israel", "analysis tip", "href", "ascii text", "null", "refresh", "span", "iframe", "error", "tools", "look", "verify", "restart", "t1480 execution", "beginstring", "windir", "openurl c", "programfiles", "related nids", "files location", "flag united", "dynamicloader", "medium", "named pipe", "win64", "download", "delphi", "smartassembly", "m. brian sabey", "quasi government", "no such agency", "facebook", "search", "date", "showing", "ukraine", "\u2018buzz\u2019", "alex karp", "peter theil", "elon musk", "ff d5", "yara rule", "ee fc", "generic http", "exe upload", "f0 ff", "eb e1", "ff bb", "show process", "sha1", "sub domain", "show technique", "network traffic", "class", "starfield", "cyber crime", "yara detections", "top source", "top destination", "source source", "filehash", "sha256 add", "av detections", "ids detections", "alerts", "show", "dock", "execution", "present feb", "value", "content type", "mirai", "sha256", "body", "gmt content", "ddos", "mtb sep", "hosting", "domain robot", "expiration date", "welcome", "apple", "christopher p. ahmann", "tsara", "monitored target", "github https", "github", "smart assembly", "red hat", "hackers", "google" ], "references": [ "https://therahand.com", "www.socialimages.reputationdatabase.com", "Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: dead_host network_icmp nolookup_communication p2p_cnc", "Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com", "Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government", "Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand", "https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06", "https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e", "https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e", "BinBusyBox: 0x.un5t48l3.host", "ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany", "AS24961 MyLoc Managed IT AG", "PSI | Planned Systems International https://www.plan-sys.com/cyber", "Smart Assembly | https://github.com/red-gate/SmartAssembly-demo", "https://www.red-gate.com/products/smartassembly", "https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources", "Colorado maintains a public-facing police misconduct database via the state's", "Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.", "Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!" ], "public": 1, "adversary": "NSO Pegasus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FakeAV.FOR", "display_name": "FakeAV.FOR", "target": null }, { "id": "Win32:MalOb-DB\\ [Cryp]", "display_name": "Win32:MalOb-DB\\ [Cryp]", "target": null }, { "id": "Win.Trojan.Agent-306281", "display_name": "Win.Trojan.Agent-306281", "target": null }, { "id": "VirTool:Win32/Obfuscator.KI", "display_name": "VirTool:Win32/Obfuscator.KI", "target": "/malware/VirTool:Win32/Obfuscator.KI" }, { "id": "Win32:MalOb-DB\\ [Cryp]", "display_name": "Win32:MalOb-DB\\ [Cryp]", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "ELF:Gafgyt-DZ\\ [Trj]", "display_name": "ELF:Gafgyt-DZ\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Mirai-5607483-0", "display_name": "Unix.Trojan.Mirai-5607483-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 523, "FileHash-SHA1": 402, "FileHash-SHA256": 2165, "URL": 4953, "domain": 1118, "hostname": 1951, "email": 12, "SSLCertFingerprint": 52, "CVE": 2 }, "indicator_count": 11178, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "inst.govelopscold.com", "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot", "https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources", "AS24961 MyLoc Managed IT AG", "Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "ET Telnet | https://www.colocrossing.com | velocity servers", "ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0", "https://brand.centurylinktechnology.com", "pcup.gov.ph:", "https://www.colocrossing.com/", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives", "This is hard to comprehend or put into indelible words.", "http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/", "www.socialimages.reputationdatabase.com", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "104.21.51.140, 172.67.181.41", "Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit", "Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com", "Yare: compromised_site_redirector_fromcharcode", "IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login", "In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.", "TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host", "Alerts: console_output has_pdb pe_unknown_resource_name", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "Yara Detections is__elf , ELFHighEntropy , elf_empty_sections", "Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)", "Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "cedevice.io \u2022 decagonsoftware.com", "Tipped: A targets AI and other cyber research findings.", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download", "Yara Detections is__elf", "Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "(legitimate services will remain up-and-running usually) High | ID dead_host", "Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "https://therahand.com", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.", "https://mobile-pocket-guide.centurylinktechnology.com", "Colorado maintains a public-facing police misconduct database via the state's", "https://palapa.c.id\t (c.id)", "PSI | Planned Systems International https://www.plan-sys.com/cyber", "7box.vip", "https://www.red-gate.com/products/smartassembly", "Alerts: dead_host network_icmp nolookup_communication p2p_cnc", "https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "Smart Assembly | https://github.com/red-gate/SmartAssembly-demo", "UPX_OEP_place", "https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration", "https://feedback.ptv.vic.gov.au/360", "ASP. NET", "https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06", "ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany", "BinBusyBox: 0x.un5t48l3.host", "https://elegantcosmedampyeah.pages.dev/", "IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192", "IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO Pegasus" ], "malware_families": [ "Pegasus", "Alf:jasyp:trojan:win32/ircbot!atmn", "Mirai", "Worm:win32/lightmoon.h", "Fakeav.for", "Unix.trojan.mirai-5607483-0", "Virtool:win32/obfuscator.ki", "Elf:gafgyt-dz\\ [trj]", "Other malware", "Hacktool:msil/boilod.c!bit", "Win32:malob-db\\ [cryp]", "Elf:mirai-gh\\ [trj]", "Pws:win32/axespec.a", "Trojan.tofsee/botx", "Win.trojan.agent-306281", "Unix.trojan.darknexus-7679166-0" ], "industries": [ "Civil society", "Technology", "Healthcare", "Insurance" ], "unique_indicators": 31614 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/g.open", "whois": "http://whois.domaintools.com/g.open", "domain": "g.open", "hostname": "a.g.open" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "697cdce9ec418c422eee2054", "name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019", "description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.", "modified": "2026-03-01T16:05:57.375000", "created": "2026-01-30T16:31:37.011000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 7, "CVE": 1 }, "indicator_count": 9592, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6958780c8479a9d69920c3d8", "name": "Telnet - Mirai \u2022 Dark Nexus BusyBox iOS Attack", "description": "There\u2019s enough here to cause an outage. I will stop here. Illegal activities to silence victim and block her from financial settlement award for permanent injuries under workers compensation in a premise and healthcare worker assault scenario. Attorneys estimated her case to be above $100 million but knew she\u2019d be tampered with. Mark Montano MD forewarned her but is culpable. Still attacking family of victim.\n[ True- otx auto generated: Adversaries may be able to gain access to a victim's network through a drive-by attack, as well as using a short-term SSL certificate, in order to target the victim.] |||\nPositive:\nT1140 - Deobfuscate/Decode Files or Information\nSuspicious IP Address\n104.21.51.140, 172.67.181.41\nLocation United States ASN\nModif AS13335 cloudflare\nAutomate Nameservers:\nns1.colocrossing.com.", "modified": "2026-02-02T01:02:46.327000", "created": "2026-01-03T01:59:40.530000", "tags": [ "united", "moved", "title", "passive dns", "ipv4 add", "urls", "files", "hosting", "reverse dns", "location united", "hash avast", "avg clamav", "msdefender mar", "read c", "create c", "medium", "search", "memcommit", "high", "checks", "windows", "execution", "dock", "write", "persistence", "capture", "local", "ref b", "wed may", "backdoor", "mtb aug", "next associated", "mtb dec", "twitter", "smoke loader", "malware", "virtool", "hacktool", "data upload", "present dec", "mtb apr", "win32", "trojan", "worm", "lowfi", "cybota", "expiration date", "name servers", "ipv4", "url analysis", "port", "destination", "telnet login", "bad login", "gpl telnet", "suspicious path", "busybox", "tcp syn", "et telnet", "path", "mirai", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "america", "ck id", "name tactics", "suspicious", "informative", "learn", "t1179 hooking", "installs", "t1035 service", "adversaries", "msie", "windows nt", "slcc2", "media center", "y013", "flag", "span", "accept", "core", "february", "hybrid", "malicious", "general", "click", "strings", "roboto", "next", "usa windows", "finished", "queueprogress", "timestamp input", "threat level", "october", "september", "hwp support", "fresh", "win64", "khtml", "gecko", "brand", "microsoft edge", "programfiles", "comspec", "model", "iframe", "form", "listeners", "initial access", "t1590 gather", "victim network", "ssl certificate", "quasi government", "jeffrey reimer", "palantir", "Regis university", "otx hp", "apple", "pegasus", "h5 data center", "florence colorado", "brian sabey", "target : Tsara Brasheaers", "aig", "industry and commerce", "united states", "State of Colorado.", "date", "status", "domain", "hostname add", "pulse pulses", "files ip", "address", "url https", "url http", "hostname", "show", "type indicator", "source hostname", "entries", "Prometheus Intelligence Technology", "pulse submit", "america flag", "body", "dynamicloader", "microsoft azure", "tls issuing", "named pipe", "json", "ascii text", "lredmond", "Apple", "Telnet", "BusyBox", "Pegasus", "Colorado State Fixer: Christopher P. Ahmann", "Hijacker: Brian Sabey", "For: Concentra", "Protecting Assaulter: Jeffrey Reimer", "For: AIG", "For Industry and Commerce", "For: Quasi Government", "For: Workers Compensation", "Authorities", "Law Enforcement Dark", "Silencing", "Tampering with a Victim", "Meta", "Palantir", "Google", "Bing", "Microsoft", "ColoCrossing", "Associates", "hit men" ], "references": [ "ET Telnet | https://www.colocrossing.com | velocity servers", "https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives", "TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host", "Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)", "(legitimate services will remain up-and-running usually) High | ID dead_host", "ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0", "IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login", "Yara Detections is__elf", "Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , ELFHighEntropy , elf_empty_sections", "http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/", "https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l", "https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!", "https://www.colocrossing.com/", "(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.", "In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov", "104.21.51.140, 172.67.181.41", "Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot", "stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe", "Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download", "Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration", "IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192", "IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82", "Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com", "This is hard to comprehend or put into indelible words." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "HackTool:MSIL/Boilod.C!bit", "display_name": "HackTool:MSIL/Boilod.C!bit", "target": "/malware/HackTool:MSIL/Boilod.C!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1462", "name": "Malicious Software Development Tools", "display_name": "T1462 - Malicious Software Development Tools" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Technology", "Healthcare", "Insurance", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6390, "domain": 723, "hostname": 1978, "FileHash-SHA256": 1912, "FileHash-MD5": 410, "FileHash-SHA1": 306, "email": 3, "SSLCertFingerprint": 28, "CVE": 3 }, "indicator_count": 11753, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "76 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951f52a5af00a9be445ad41", "name": "Mirai - HoneyPot | Pegasus | Therahand HoneyPot Bot Network", "description": "A HoneyPot Bot Network created to protect a criminal who worked for a company formerly known as Therahand Wellness. This company employed an unquestioned but admittedly guilty SA\u2019r. | Name tactics used in an attempt to draw in victims to leave truthful negative reviews about Jeffrey Reimer | The website is extremely malicious. NSO Pegasus & Palantir relationship.\n\nWhat a pity there is no work done in the state of Colorado to convict medical unprofessionals unless they are poor assistants , Latin, African American or , Native. | Colorado has a known race issue. \n\nColorado ranks poor for getting rape kits tested.\nPoor possibly outranking Baltimore,MD in police brutality. \nPoor at solving it attempting to solve crimes. Law enforcement literally collects paper, evidence and turns evidence away at times. \n\nThis system allows the actual criminal\nto track victim.\nIf he wants to be the victim of this crime against persons let him be. \n\n *Pegasus & Israel and 99% of all tags auto populated by OTX.", "modified": "2026-01-28T02:03:16.337000", "created": "2025-12-29T03:27:38.183000", "tags": [ "no expiration", "expiration", "url http", "url https", "iocs", "enter source", "url or", "name servers", "a domains", "accept encoding", "urls", "emails", "servers", "url add", "http", "files domain", "files related", "related tags", "united", "gmt contenttype", "ipv4 add", "url analysis", "files", "present dec", "cname", "virtool", "cryp", "ip address", "trojan", "win32", "therahand", "jeffrey reimer", "reimer dpt", "msie", "chrome", "unknown ns", "unknown cname", "record value", "accept", "encrypt", "passive dns", "moved", "wp engine", "meta", "wordpress", "pegasus", "america flag", "america asn", "reverse dns", "flag", "bad traffic", "et info", "tls handshake", "failure", "analysis", "tor analysis", "dns requests", "united states", "hostname", "pulse submit", "domain", "files ip", "eva lisa", "eva reimer", "all ipv4", "dynamic_content", "fingerprinting", "size", "pattern match", "mitre att", "ck id", "hybrid", "general", "local", "path", "click", "strings", "status", "hostname add", "evasion", "proximity", "pulse pulses", "address", "learn", "adversaries", "name tactics", "suspicious", "informative", "defense evasion", "command", "initial access", "spawns", "present mar", "present jun", "title", "windows nt", "wow64", "slcc2", "media center", "data recovery", "ms windows", "process32nextw", "intel", "pe32", "format", "mozilla", "installcapital", "generic", "write", "unknown", "malware", "next", "installer", "template", "div div", "request blocked", "helvetica neue", "helvetica segoe", "ui arial", "script script", "pragma", "port", "destination", "binbusybox", "high", "post", "icmp traffic", "dns query", "newstatusurl", "mirai", "prefetch8", "ck matrix", "localappdata", "info", "ssl certificate", "czech republic", "prefetch1", "prefetch2", "israel israel", "analysis tip", "href", "ascii text", "null", "refresh", "span", "iframe", "error", "tools", "look", "verify", "restart", "t1480 execution", "beginstring", "windir", "openurl c", "programfiles", "related nids", "files location", "flag united", "dynamicloader", "medium", "named pipe", "win64", "download", "delphi", "smartassembly", "m. brian sabey", "quasi government", "no such agency", "facebook", "search", "date", "showing", "ukraine", "\u2018buzz\u2019", "alex karp", "peter theil", "elon musk", "ff d5", "yara rule", "ee fc", "generic http", "exe upload", "f0 ff", "eb e1", "ff bb", "show process", "sha1", "sub domain", "show technique", "network traffic", "class", "starfield", "cyber crime", "yara detections", "top source", "top destination", "source source", "filehash", "sha256 add", "av detections", "ids detections", "alerts", "show", "dock", "execution", "present feb", "value", "content type", "mirai", "sha256", "body", "gmt content", "ddos", "mtb sep", "hosting", "domain robot", "expiration date", "welcome", "apple", "christopher p. ahmann", "tsara", "monitored target", "github https", "github", "smart assembly", "red hat", "hackers", "google" ], "references": [ "https://therahand.com", "www.socialimages.reputationdatabase.com", "Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: dead_host network_icmp nolookup_communication p2p_cnc", "Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com", "Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government", "Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand", "https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06", "https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e", "https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e", "BinBusyBox: 0x.un5t48l3.host", "ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany", "AS24961 MyLoc Managed IT AG", "PSI | Planned Systems International https://www.plan-sys.com/cyber", "Smart Assembly | https://github.com/red-gate/SmartAssembly-demo", "https://www.red-gate.com/products/smartassembly", "https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources", "Colorado maintains a public-facing police misconduct database via the state's", "Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.", "Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!" ], "public": 1, "adversary": "NSO Pegasus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FakeAV.FOR", "display_name": "FakeAV.FOR", "target": null }, { "id": "Win32:MalOb-DB\\ [Cryp]", "display_name": "Win32:MalOb-DB\\ [Cryp]", "target": null }, { "id": "Win.Trojan.Agent-306281", "display_name": "Win.Trojan.Agent-306281", "target": null }, { "id": "VirTool:Win32/Obfuscator.KI", "display_name": "VirTool:Win32/Obfuscator.KI", "target": "/malware/VirTool:Win32/Obfuscator.KI" }, { "id": "Win32:MalOb-DB\\ [Cryp]", "display_name": "Win32:MalOb-DB\\ [Cryp]", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "ELF:Gafgyt-DZ\\ [Trj]", "display_name": "ELF:Gafgyt-DZ\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Mirai-5607483-0", "display_name": "Unix.Trojan.Mirai-5607483-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 523, "FileHash-SHA1": 402, "FileHash-SHA256": 2165, "URL": 4953, "domain": 1118, "hostname": 1951, "email": 12, "SSLCertFingerprint": 52, "CVE": 2 }, "indicator_count": 11178, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://a.g.open/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://a.g.open/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776616662.7130823 }