{ "type": "URL", "indicator": "https://aabb88.cc", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://aabb88.cc", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4160542537, "indicator": "https://aabb88.cc", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 45, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "14 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e2e5ed5d25f6949b1d752b", "name": "CAPE Sandbox- The Unified Layer", "description": "\"A public key has been issued by the US government to secure the signature of US President Barack Obama and US Secretary of State John Kerry, who both want to use it to send their private messages.\"", "modified": "2026-04-18T04:07:44.254000", "created": "2026-04-18T02:01:17.468000", "tags": [ "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr11", "validity", "subject public", "key info", "key algorithm", "certificate", "eig network", "nethandle", "net162", "net1620000", "layer", "blueh2", "layer orgid", "south", "east city", "settings", "first counter", "default", "inprocserver32", "mbisslshort", "bearer", "mwdb", "bazaar", "sha3384", "ssdeep", "info", "bridge", "accept", "date", "agent", "shutdown", "root", "back" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/1cf39e937e336af49cc01531f7bb7be83dfa289155a8437a51026a0e7d58f82c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776477807&Signature=oSRFzpQidegADbfg0MoAaOppxJPT%2BHBOfJDD0gT3CsqzdA4Tjoyves4A8yyH%2BI2qY4aff864krjBwpMFqHLhr4ph8NiNxA9fALzN1Tp4DVT5dD%2FeWXgVIj8kxAH%2BzCGLgscgTkiLeb5E6Zv0SQy%2By%2B3ASvjo1VRj4FLsixsH6uU6QKX0UmF2IPqI5UtfPUrb76d1fddT1PAGmtP1q6YxY44QADQhIxF6Y4MB4iqEVd2ItuD0eL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 69, "FileHash-SHA256": 274, "hostname": 328, "CIDR": 1, "URL": 229, "email": 2, "IPv4": 152, "domain": 60, "FileHash-MD5": 587, "CVE": 1 }, "indicator_count": 1703, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b908eb4a06b82d61c7c47d", "name": "Civil Rights. Wow.", "description": "Pulses: A full list of keywords, phrases, and statistics (1.1-2.4 million characters) - the full set of words, which can be accessed with a mouse.<--- pretext my own experimet : 50756c7365733a20412066756c6c206c697374206f66206b6579776f7264732c20706872617365732c20616e6420737461746973746963732028312e312d322e34206d696c6c696f6e206368617261637465727329202d207468652066756c6c20736574206f6620776f7264732c2077686963682063616e20626520616363657373656420776974682061206d6f7573652e\nHashes\nMD5: 887fda95f95104ed9bf8c4e8614e0b7a\nSHA-1: 307f07dc6036d04ef5e0da8a6f9eaefd5282c2c7\nSHA-2 (SHA-256): 22be0871410e9f0057cc2f754796c360cf3b9cd39f682ff733441ace4c726795", "modified": "2026-04-16T08:05:04.592000", "created": "2026-03-17T07:55:23.062000", "tags": [ "ids detections", "pulse pulses", "av detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "tls handshake", "failure yara" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 44, "FileHash-SHA1": 22, "FileHash-SHA256": 147, "hostname": 77, "domain": 143, "URL": 75, "email": 2, "JA3": 2, "CVE": 1 }, "indicator_count": 513, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69decb6dd1bd6da78fc72d0a", "name": "Solarwinds Similarties? Tactics ASP.Net IoC\u2019s ISOLATED", "description": "Does this have similarities to the SolarWinds Attack? Anyone?\n\nASP.NET is a web application framework created by Microsoft for building dynamic web applications.\nIt enables developers to create web pages that can interact with databases and respond to user inputs.\nASP.NET supports various programming languages, including C# and VB.NET.\nContext: ASP.NET is widely used for developing modern web applications and services. It allows developers to create interactive and data-driven web pages that can run on various operating systems, including Windows, Linux, and macOS. The framework is open-source and supports various architectures, including MVC (Model-View-Controller) and Web API, which facilitate the organization and development of complex applications.\nIn many instances ASP.net has been seen connected to malicious Tulach , Apple , a browser agent that transmits data to New Relic's collectors by using either of the domains bam.nr-data.net or bam-cell.nr-data.net.", "modified": "2026-04-14T23:19:09.495000", "created": "2026-04-14T23:19:09.495000", "tags": [ "united", "aaaa", "certificate", "error", "read c", "rgba", "unicode", "memcommit", "delete", "dock", "execution", "command decode", "suricata ipv4", "suricata tcpv4", "flag", "localappdata", "windir", "openurl c", "programfiles", "suricata udpv4", "win64", "click", "strings", "anon", "username", "userprofile", "mitre att", "ck id", "ck matrix", "appdata", "comspec", "model", "path", "april", "hybrid", "general", "learn", "suspicious", "informative", "adversaries", "command", "spawns", "ck techniques", "mtb apr", "exploit", "trojan", "backdoor", "please", "x msedge", "all ipv4", "ransom", "date hash", "avast avg", "win32orbus apr", "dynamicloader", "yara rule", "high", "tofsee", "rndhex", "rndchar", "loaderid", "lidfileupd", "localcfg", "write", "stream", "push", "mtb alerts", "ee fc", "ff d5", "lredmond", "malware", "msie", "windows nt", "wow64", "slcc2", "media center", "yara detections", "av detections", "ids detections", "hostile", "unknown", "extraction", "data upload", "failed", "include review", "stop data", "typ url", "url data", "typ no", "th all", "stop", "port", "destination", "ds detections", "tls sni", "nrv2x", "upxoepplace", "alerts", "contacted", "markus", "hostile alerts", "less see", "all ip", "tulach", "brian sabey", "quasi", "link", "script urls", "record value", "script domains", "fireeye", "create c", "as15169", "next", "all url", "http", "related pulses", "related tags", "google safe", "code", "y se", "included review", "io excluded", "suggeste", "ipv4", "unknown ns", "redacted admin", "fax redacted", "name redacted", "phone redacted", "code redacted", "redacted tech", "christopher ahmann", "solarwinds like?" ], "references": [ "asp.net \u2022 cdnsrc.asp.net", "https://www.countercept.com/assets/Uploads/whitepapers/MWRI-Countercept-Machine-Learning-Whitepaper-2017-04-01.pdf", "http://www.phonefactor.com/PfPaWs/ConfirmActivation", "IPv4 13.107.253.70 exploit_source \u2022 IPv4 13.107.226.70 malware_hosting", "https://wsps.ourschoolpages.com/Account/ForgotPasswor (typo", "https://hybrid-analysis.com/sample/529a0b900eef6657ce6c98b1b5bccebe6db2e021aa02a316b7eb2604df810d3f/69de30ef0a22c3b506077a8c", "www.fireeye.com", "danilovstyle.ru", "ns4-04.azure-dns.info", "ns4-04.azure-dns.info danilovst) ns4-04.azure-dns.info", "www.fireeye.com .", "https://hypic-anaivsis.com/sambrerb/a0p9veebo", "Are these table SolarWinds attackers? Using same tacktics, good? Unsure.", "Tulach\u2019s ASP.Net Open Source destruction" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/SodinokibiCrypt.SK!MTB", "display_name": "Ransom:Win32/SodinokibiCrypt.SK!MTB", "target": "/malware/Ransom:Win32/SodinokibiCrypt.SK!MTB" }, { "id": "Win.Ransomware.Tofsee-10015002", "display_name": "Win.Ransomware.Tofsee-10015002", "target": null }, { "id": "Trojan:Win32/Comisproc!gmb I", "display_name": "Trojan:Win32/Comisproc!gmb I", "target": "/malware/Trojan:Win32/Comisproc!gmb I" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 88, "FileHash-MD5": 211, "FileHash-SHA1": 186, "FileHash-SHA256": 1366, "URL": 1848, "domain": 418, "email": 4, "hostname": 622, "SSLCertFingerprint": 21 }, "indicator_count": 4764, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ddeb45c45f6a3cd721397d", "name": "Active attacks \u2022 Apple \u2022 Tulach", "description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious", "modified": "2026-04-14T07:22:45.250000", "created": "2026-04-14T07:22:45.250000", "tags": [ "url http", "ipv4", "indicator role", "active related", "united", "moved", "gmt content", "certificate", "all domain", "msie", "chrome", "extraction", "data upload", "twitter", "cookie", "extra", "include data", "review locs", "exclude", "suggested os", "onlv", "failed", "stop data", "read c", "unicode", "rgba", "memcommit", "delete", "dock", "write", "execution", "sc type", "extri", "include review", "exclude sugges", "typ data", "a domains", "present apr", "script urls", "files", "files ip", "address", "ios", "mac", "apple", "appleid", "itunes", "next associated", "all ipv4", "included ic", "uny teade", "type hostnar", "hostnar hostnar", "hostnar", "macair", "macairaustralia", "ipad", "ipod", "cryptexportkey", "invalid pointer", "cryptgenkey", "stream", "defender", "delphi", "class", "stack", "format", "unknown", "united states", "phishing", "password", "traffic redirected", "service mod", "service execution", "youtube", "music", "streams", "songs", "played songs", "music streams", "most played", "fonelab", "indicator", "included iocs", "manually add", "review ocs", "exclude inn", "sugges data", "find", "include", "url https", "enter sc", "type", "no matchme", "search otx", "https", "references x", "analyze", "open th", "url data", "se http", "no match", "excluded iocs", "iocs", "ip whitelisted", "whitelisted", "tcp include", "analysis date", "file score", "medium risk", "yara detections", "contacted", "related tags", "x vercel", "file type", "type indicator", "role title", "related pulses", "mulch virtua", "library loade", "included i0", "review ioc", "excluded ic", "suggested", "find sugt", "samuel tulach", "unity engine", "tulach", "sa awareness", "sabey", "sar cut", "autofill", "includer review", "portiana oney", "targeting", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "musickit_1_.js", "lazarus", "injection", "CVE-2017-8570", "prefetch2", "target", "aaaa", "ip address", "record value", "emails", "samuel tuachs", "sapev", "review exclude", "monitored target", "script", "mitre att", "ascii text", "span", "path", "iframe", "april", "hybrid", "general", "local", "click", "strings", "body", "development att", "t1055.012 list planting", "active" ], "references": [ "https://trade.kraken.com/charts/KRAKEN:APT-USD>+y", "https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/", "https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/", "https://podcasts.apple.com/us/podcast/lazarus", "http://help.aiseesoft.jp/video-converter-ultimate/", "http://help.aiseesoft.jp/blu-ray-player", "http://help.aiseesoft.jp/fonelab/", "https://action.aiseesoft.jp/itunes.php", "http://help.aiseesoft.jp/total-video-converter", "http://help.aiseesoft.jp/total-video-converter/", "http://help.aiseesoft.jp/video-converter-ultimate/", "http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/", "http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch", "http://test-firstmile.digitecgalaxus.ch", "https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/", "No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]", "cdn.rss.applemarketingtools.com", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "1.bing.com.cn", "www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net", "www.phantomcameras.cn", "https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"", "podcasts.apple.com \u2022 23.34.32.21", "www.apple.com \u2022 23.34.32.199", "js-cdn.music.apple.com \u2022 23.78.51.170", "http://firstmile.digitecgalaxus.ch", "Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb", "Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca", "Tulach.cc", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as", "Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains", "asp.net domain pointer", "developer.x.com", "aotx.alienvault.com (aotx.?)", "https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh", "https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1020.001", "name": "Traffic Duplication", "display_name": "T1020.001 - Traffic Duplication" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591.002", "name": "Business Relationships", "display_name": "T1591.002 - Business Relationships" }, { "id": "T1591.001", "name": "Determine Physical Locations", "display_name": "T1591.001 - Determine Physical Locations" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1029, "domain": 396, "email": 7, "URL": 2784, "FileHash-SHA256": 898, "FileHash-MD5": 79, "FileHash-SHA1": 68, "IPv4": 35, "CVE": 1, "SSLCertFingerprint": 13 }, "indicator_count": 5310, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ddcb3c30b80ca6a36304b5", "name": "myIndicator of compromise ", "description": "", "modified": "2026-04-14T05:06:04.305000", "created": "2026-04-14T05:06:04.305000", "tags": [ "get http", "engb", "dns resolutions", "ip traffic", "guid", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "69d214c82964f598d31d166c", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "john1235", "id": "398130", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 531, "FileHash-MD5": 50, "FileHash-SHA1": 32, "FileHash-SHA256": 2200, "URL": 1193, "domain": 483, "IPv4": 395 }, "indicator_count": 4884, "is_author": false, "is_subscribing": null, "subscriber_count": 3, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dc04c12782d2d76c111a93", "name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked", "description": "", "modified": "2026-04-12T20:46:57.338000", "created": "2026-04-12T20:46:57.338000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "IPv4": 322, "SSLCertFingerprint": 24, "email": 2, "IPv6": 1 }, "indicator_count": 5321, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69da656a68549f39be14bd77", "name": "Anonymous ai Chat guided as Duck.ai \u2022 DisableUAC \u2022 Drive by Compromise", "description": "I decided to test most malicious devices I\u2019m researching. I tested 2 browsers on device, an anonymous version of chat GPT 5 popped up (drive by compromise). Labeled: duck.ai in browser bar. I chose to interact with something that came seemingly from nowhere. \n\nDuring each interaction a red recording button appeared. Screen recording in progress on device. I asked anonymous actor about the recording button. Response: \u2018That red square is the browser or site's visual indicator that the page is capturing input or has an active interactive state - it isn't me recording audio. Try these checks:\n\u2022 Look for a site-level microphone/camera permission prompt in your browser address bar.\u2019\n\nThe attackers must be associated with Tulach /\nNextCloud , likely angry that I researched the adversarial nature of the presence in malicious, deeply compromised media. \n\nConsequences: threat actors retaliating because their own behavior and existence in malicious media is being researched. \n#tulach #nextcloud #anonymous_ai_chat", "modified": "2026-04-11T15:14:50.815000", "created": "2026-04-11T15:14:50.815000", "tags": [ "united", "unknown ns", "ip address", "st kitts", "gmt content", "ai chat", "all domain", "encrypt", "mtb mar", "virtool", "x frame", "x xss", "x content", "gmt cache", "twitter", "win32", "locale", "extraction", "gm cache", "include data", "review exclude", "suggestadiacs", "report spam", "duckduckgo", "url http", "urls", "all url", "http", "active", "duck.ai", "duckduckgo ai", "private ai", "chatbot", "free ai", "chat", "anonymous ai", "ai chat", "no sign up", "openai", "anthropic", "llama", "mistral", "open source", "javascript", "ai models", "privacy focused", "recording screen", "ai", "no account ai chat", "data upload", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "development att", "ssl certificate", "over", "defense evasion", "mitre att", "ck matrix", "size", "meta", "april", "hybrid", "general", "local", "path", "click", "strings", "dark", "roboto", "invisible", "desktop", "small", "tls sni", "contacted", "filehash", "ids detections", "yara detections", "alerts", "file sharing", "https domain", "tls handshake", "failure alerts", "less ip", "nextcloud", "hackers", "they mad", "msie", "windows nt", "wow64", "slcc2", "media center", "port", "destination", "malware", "write", "self", "network_icmp", "icmp traffic", "passive dns", "moved", "netherlands", "gmt server", "gmt etag", "user agent", "all ipv4", "pulse submit", "url analysis", "apache", "accept", "writeconsolea", "script", "read c", "search", "show", "medium", "html", "high", "form", "create c", "write c", "registry", "windows", "delete c", "tools", "persistence", "execution", "dock", "malicious", "unknown" ], "references": [ "duck.ai \u2022 https://duck.ai/chat phishing", "go.trckclick.xyz \u2022 att.trk.173trk.com", "anyconnect.online", "ddg.gg \u2022 http://ddg.gg/?q=corezuelo \u2022 http://ddg.gg/?q=embozalar", "files.catbox.moe", "passwordresetalcb.accenture.cn", "https://www.phantomcameras.cn.bscedge.com", "www.cam4.page \u2022 campaigncdn.com \u2022 accesscam.org", "loophole.outlook89.accesscam.org", "https://www.phantomcameras.cn/applications/where/piv", "https://www.phantomcameras.cn.bscedge.com", "52.250.42.157 scanning_host", "https://nextcloud.simonduffey.ch", "https://nextcloud.paroxity.org/", "http://mail.saynextapp.accesscam.org/", "http://dict.bing.com.cn/cloudwidget/Scripts/Generated/BingTranslate_Hover_Phrase_Selection_ShowIcon.js';script.onload=INIT;document.body.appendChild(script", "https://duck.ai/chat?q=tsara+brashears+hacked&t=iphone:", "http://docs.duckduckhack.com/walkthroughs/programming-syntax.html", "http://www.duckduckhack.com \u2022 docs.duckduckhack.com", "http://docs.duckduckhack.com/frontend-reference/cheat-sheet-reference.html", "https://duck.ai/apple-touch-icon.png", "http://r13.c.lencr.org/24.crl \u2022 http://r13.i.lencr.org/", "http://up.chenmin.org/login/jquery.min.js", "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit", "Win.Packed.Reline-9875163-0", "IDS Detections: OpenSSL Demo CA - Internet Widgits Pty (O)", "Alerts: network_icmp nolookup_communication antisandbox_idletime antisandbox_sleep_exception", "Alerts: antivm_generic_bios antivm_firmware antivm_vmware_in_instruction dumped_buffer", "Alerts: network_cnc_http network_http nids_alert allocates_rwx antivm_network_adapters", "Alerts: packer_entropy antivm_queries_computername checks_debugger console_output", "Alerts: antivm_memory_available pe_features raises", "IP\u2019s Contacted: 104.18.11.39 104.73.1.162 142.93.108.213 52.250.42.157 72.21.81.240", "Domains Contacted: www.download.windowsupdate.com www.microsoft.com cacerts.digicert.com duckduckgo.com ,", "Redline: https://otx.alienvault.com/otxapi/indicators/file/screenshot/316c67e7150c6841d0d40a180bba390793ffeb9edfb8ec0321e1a16e97f68722", "https://www.mof.gov.cn.lxcvc.com/", "https://cms.medicarementalhealthcheckin.gov.au", "https://duck.ai/apple-touch-icon.png", "edge-mobile-static.azureedge.net" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit", "display_name": "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit", "target": null }, { "id": "VirTool:MSIL/Mousewe.A!MTB", "display_name": "VirTool:MSIL/Mousewe.A!MTB", "target": "/malware/VirTool:MSIL/Mousewe.A!MTB" }, { "id": "Win.Packed.Reline-9875163-0", "display_name": "Win.Packed.Reline-9875163-0", "target": null } ], "attack_ids": [ { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1462", "name": "Malicious Software Development Tools", "display_name": "T1462 - Malicious Software Development Tools" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1181, "FileHash-SHA1": 195, "IPv4": 50, "domain": 320, "hostname": 529, "FileHash-SHA256": 1702, "FileHash-MD5": 201, "SSLCertFingerprint": 8 }, "indicator_count": 4186, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d3843cba399db62eeae702", "name": "CAPE Sandbox - Stalking", "description": "A full report on the latest Android operating system: PK.3.4.5.1 (c) on 1 January, 2026, to be published by the Google Research Institute (GRI).", "modified": "2026-04-06T10:18:23.324000", "created": "2026-04-06T10:00:28.397000", "tags": [ "renewed", "8gbram", "windows10", "19inlcdmonitor", "desktop pc", "package", "intel core", "hard drive", "dvdrw", "wifi", "title", "blink", "date", "meta", "elite", "body", "https", "mitre attack", "network info", "tls version", "united", "overview", "zenbox android", "verdict", "guest system", "ultimate file", "fraud", "cloud", "next", "program", "processes extra", "overview zenbox", "info file", "file type", "default", "parent pid", "full path", "command line", "registry keys", "commands c", "k dcomlaunch", "files c", "devicecng c", "read registry" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/2533042959ad1fe050d14ab7536126910a2d240992bff397640382472b6a7c69_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469608&Signature=fK1I2%2FxXVm0l3ZiELwtstes8iVN402Ww%2By%2BgvxYOB0LiC2iO3J9cedWJk1hMIr4IfLSGKprfui8vANzR%2BkWfSd594S%2FFe9A59YKyOA2MFmQTBRXVy6O3xF1e1lPETp5Md%2FbGJCOzrZxdHyReyuk7cgdDDBAewptjJhfTYxql7F9X%2FB4qe9BYWPrvned2fFWfU%2F4G%2F4UBqY9Jj%2BG1CTP%2FaGqOdWFs0Q5cPYZ4bytp", "https://vtbehaviour.commondatastorage.googleapis.com/6c39ae0368703f254070a0648c0066115140c3e762d9bf5b52833a037a1e3743_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469752&Signature=Df%2Bamm33qFPdsDg6nWC5FQjse7h4fksSXqONp4nMEItb0gpBwqx66TqcCnFzQplUk6ExMge79qNZR2OElv63sX54D4fSGwI9nvHYhQoiVdZIgf4ct8dIAr%2BYO9jSx0WpPUVFsvf%2FXtXvm6jM5n5v7CGiyFRyAz8PES5g%2FcOlLt%2BDhsc8bhi%2FMU9mAkyyr5nFVPcTmUSHOTNXOeKDUlyRkQE6b9FEbFhUL1h3%2B%2FBVtysh", "https://vtbehaviour.commondatastorage.googleapis.com/5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469810&Signature=Mj5ODxCW7tD5UNn6P11Ta7F2cmDLSJuEB7JSLFg%2FERfANmnRR5L7XzDwXxI5G48vkQFx0%2FBMtjMLwWHn6ZHKlt13rfzkvoOu5fJ%2Fb5lMJqUp1rSQIG0JLL80QAnXyJf2W8pL7MvK97Tr4jsCIUfd8ezliJtV5SmahV6Q8lYu2KJUnANrHkA10RFrcT4O26Vk7gbDsuC7caDXC6U9KXTTB0cpC77%2FV7w86ftN2JPXx6oEHUvSj02qsvhKwKQvmM", "https://vtbehaviour.commondatastorage.googleapis.com/5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469831&Signature=ZlRZLvCaJ%2F9niupu9DFCvXvfgFpDEOsK%2FsH46CB2zEVUDjcQRNMDp9XXKKx0dekmHQbhl02yqygHPOA8Wty5duGtK216QCvKNkYpbpdOjN7xgAg3AsldciWbqeJr8N4I%2F1%2FPRSdVfB%2BNGaBJKxZG1RQkX206MSvX%2BeY%2FdeEYpq3NYdrPWlxdV0pa3yaqcMrf2s%2FCFSM%2FdO3xt5PKyXWG%2FDCNM5iiuXh8OT2ckhZhf%" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 182, "FileHash-MD5": 781, "FileHash-SHA1": 509, "FileHash-SHA256": 539, "URL": 387, "hostname": 361, "domain": 100, "CIDR": 1, "email": 1 }, "indicator_count": 2861, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d214c82964f598d31d166c", "name": "Habo Analysis System", "description": "", "modified": "2026-04-05T08:44:43.360000", "created": "2026-04-05T07:52:40.107000", "tags": [ "get http", "engb", "dns resolutions", "ip traffic", "guid", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 531, "FileHash-MD5": 50, "FileHash-SHA1": 32, "FileHash-SHA256": 2200, "URL": 1193, "domain": 483, "IPv4": 395 }, "indicator_count": 4884, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d214c68bab9c38fe4b3e2e", "name": "Habo Analysis System", "description": "", "modified": "2026-04-05T08:43:44.054000", "created": "2026-04-05T07:52:38.261000", "tags": [ "get http", "engb", "dns resolutions", "ip traffic", "guid", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 532, "FileHash-MD5": 50, "FileHash-SHA1": 32, "FileHash-SHA256": 2196, "URL": 1193, "domain": 485, "IPv4": 395 }, "indicator_count": 4883, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d214c3864a70e3a6eb45ed", "name": "Habo Analysis System", "description": "", "modified": "2026-04-05T08:43:43.490000", "created": "2026-04-05T07:52:35.966000", "tags": [ "get http", "engb", "dns resolutions", "ip traffic", "guid", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 531, "FileHash-MD5": 50, "FileHash-SHA1": 32, "FileHash-SHA256": 2196, "URL": 1193, "domain": 484, "IPv4": 395 }, "indicator_count": 4881, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d214c2864a70e3a6eb45ec", "name": "Habo Analysis System", "description": "", "modified": "2026-04-05T08:35:04.061000", "created": "2026-04-05T07:52:34.332000", "tags": [ "get http", "engb", "dns resolutions", "ip traffic", "guid", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 534, "FileHash-MD5": 56, "FileHash-SHA1": 35, "FileHash-SHA256": 2199, "URL": 1246, "domain": 490, "IPv4": 395 }, "indicator_count": 4955, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1f8041acb7d71607578f3", "name": "CAPE Sandbox", "description": "<>", "modified": "2026-04-05T06:02:06.057000", "created": "2026-04-05T05:49:56.708000", "tags": [ "verisign", "verisign class", "display driver", "verisign trust", "network o", "pulses", "code signing", "mon feb", "public primary", "digital id", "class", "win32 exe", "pe32", "ms windows", "icons library", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "status", "issuer verisign", "ca valid", "from", "valid", "valid usage", "algorithm", "thumbprint", "ca status", "g5 valid", "verisign status", "valid issuer", "client auth", "hash", "cf b8", "b7 b4", "a8 f0", "ab c5", "bb f6", "f7 a3", "name verisign", "g5 issuer", "microsoft code", "valid from", "thumbprint md5", "serial number", "ec f2", "init", "copyright", "product monitor", "original name", "file version", "word document", "file v2", "document", "outlook", "settings", "generic ole2", "multistream", "compound", "time stamping", "signer", "g4 issuer", "symantec time", "stamping", "g2 valid", "open xml", "zip archive", "word microsoft", "office open", "xml format", "open packaging", "cf f4", "c8 fe", "digicert sha2", "assured id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 54, "FileHash-SHA256": 1900, "URL": 684, "IPv4": 135, "hostname": 657, "domain": 387 }, "indicator_count": 3888, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1f8066431fee3647fa5ff", "name": "CAPE Sandbox", "description": "<>", "modified": "2026-04-05T05:53:01.644000", "created": "2026-04-05T05:49:58.156000", "tags": [ "verisign", "verisign class", "display driver", "verisign trust", "network o", "pulses", "code signing", "mon feb", "public primary", "digital id", "class", "win32 exe", "pe32", "ms windows", "icons library", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "status", "issuer verisign", "ca valid", "from", "valid", "valid usage", "algorithm", "thumbprint", "ca status", "g5 valid", "verisign status", "valid issuer", "client auth", "hash", "cf b8", "b7 b4", "a8 f0", "ab c5", "bb f6", "f7 a3", "name verisign", "g5 issuer", "microsoft code", "valid from", "thumbprint md5", "serial number", "ec f2", "init", "copyright", "product monitor", "original name", "file version", "word document", "file v2", "document", "outlook", "settings", "generic ole2", "multistream", "compound", "time stamping", "signer", "g4 issuer", "symantec time", "stamping", "g2 valid", "open xml", "zip archive", "word microsoft", "office open", "xml format", "open packaging", "cf f4", "c8 fe", "digicert sha2", "assured id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 54, "FileHash-SHA256": 1900, "URL": 684, "IPv4": 135, "hostname": 657, "domain": 387, "CVE": 6 }, "indicator_count": 3894, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa41b0d714318bf8937184", "name": "W.Vashti .Net obfuscator clone", "description": "", "modified": "2026-04-04T00:06:41.423000", "created": "2026-03-06T02:53:36.216000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": "6952d4fc6910b0b866746d8a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1969, "URL": 5700, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10779, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa019f4509897e354fe029", "name": "credit Q Vashti Cloned Pulse ", "description": "", "modified": "2026-03-29T20:03:36.333000", "created": "2026-03-05T22:20:15.324000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": "69a2127d12dce12538b57d72", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5644, "domain": 701, "hostname": 1920, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9877, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a2127d12dce12538b57d72", "name": "FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets ~ Apple Jacked Targets", "description": "Remote Attack - FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets.\n\nChecked search history on a targeted device and found an FBI link apparently delivered via unknown AI technology.\n|| yara detections\nzur foerderung\nA\n+ Add Tag\n\u8840\nCount: 1\nGRO Probability: 1\nText: Suricata Alerts Event\nCategory Description CID\nIND131.188.40.12g otx.alienvault.com\nlocal:49181 (TCP) Misc\nAttack ET TOR Known Tor\nRelay/Router (Not Exit)\n\"A\" | [[Next pulse will list on malware, rats , bats, Trojans used]", "modified": "2026-03-29T20:03:36.333000", "created": "2026-02-27T21:54:05.261000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5643, "domain": 700, "hostname": 1918, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9873, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c0977eac36cdce8b39bc24", "name": "Win EXE", "description": "certs need to be considered for revoking. 80604770c16fc09ef4d8ca10d375c04c\n822b5b8cb9169c358c6bc2c92466d439c983cd87\nf520a87fbe85e4021c9d5e9fe24be9ccaa9549fd0ea3acc91089cbd5a3f2fdf4\n1536:iwZ9MAVrUFC/6r0MsKBFsr+aT5ziXYzSKQVSVic6N/sd:iwD0m6r0aBFcvSKkSyt4\nT106D32E9659A512C7EC635AB18CD0B46D4D63A74C2B648DBDD41B323BCDE840373AE32B\nunknown\ndata\nCertificate Trust List (DER encoded) (90.1%) Microsoft Security Catalog (9.8%)\nCAT\n136.94 KB (140227 bytes)", "modified": "2026-03-23T04:14:21.558000", "created": "2026-03-23T01:29:34.024000", "tags": [ "nsudo launcher", "option", "debugger", "file execution", "ddumbstatet", "s system", "parameter", "create", "crea", "para", "error", "accept", "look", "unknown", "bsod", "malware", "click", "launcher", "first", "generic", "packer", "strings", "antivm", "matrix", "sandbox", "service", "drop", "syst", "linea", "overwrite", "gozi", "kill", "window", "this", "open", "nodesktop", "noclose", "wallpaper", "list", "catalog", "trust list", "status", "valid from", "valid", "valid usage", "root list", "thumbprint", "serial number", "b8 bb", "list ca", "status valid", "authority", "code signing", "ctl usage", "signing", "microsoft root", "all algorithm", "bf ba" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 130, "FileHash-SHA1": 134, "FileHash-SHA256": 575, "IPv4": 24, "URL": 41, "domain": 78, "hostname": 19, "CVE": 30 }, "indicator_count": 1031, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "27 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697cdce9ec418c422eee2054", "name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019", "description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.", "modified": "2026-03-01T16:05:57.375000", "created": "2026-01-30T16:31:37.011000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 7, "CVE": 1 }, "indicator_count": 9592, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d6afd744c55bd596ed6e", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:27.248000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d6a601f06adcd1ed22fc", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:18.022000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d69ecbc0497f97e28618", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:10.502000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6975c5cd4db6104ea1a3d69b", "name": "The Blender Foundation BouncyCastle-Virut | Malware /Stealer Empty FileHash | Eternal7 (Shadow Broker) Related", "description": "Empty FileHash isn\u2019t benign. Interesting relationships to the Eternal 7. Malware, Stealer and Suspicious History File Operation. BouncyCastle-Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys / Startul ErrorPageTemplate[1] netcore, BouncyCastle.", "modified": "2026-02-24T06:02:43.853000", "created": "2026-01-25T07:27:09.640000", "tags": [ "empty", "blender", "eurostile", "augustin", "butterfield", "cook", "drummer", "erickson", "fjsv", "flynn", "gorman", "holmes", "easy", "rada", "xanadu", "config", "reboot", "screen", "microsoft", "commerce server", "edition", "draw", "exchange server", "tools", "linux", "ideal link", "nsrl test", "nist", "file", "cultureneutral", "fix pack", "free download", "bouncycastle", "read c", "search", "et trojan", "w32kegotip cnc", "whitelisted", "ids detections", "intel", "write", "trojan", "malware", "yara detections", "productversion", "fileversion", "av detections", "alerts", "analysis date", "file score", "united", "aaaa", "passive dns", "ip address", "present dec", "body html", "head meta", "title", "urls", "url https", "http", "hostname", "files domain", "files related", "related tags", "beacon", "et", "ipv4", "files", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "show", "win32virut", "destination", "port", "ms windows", "pe32", "medium", "suspicious", "virustotal", "startul", "shadowbrokers", "total", "delete", "artemis", "win32.injector", "trendmicro", "data upload", "extraction", "included iocs" ], "references": [ "The Blender Foundation", "website \u2022 http://oldapps.com/blender.php?old_blender=7584", "oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download", "Google android-cts-7.1_r6-linux_x86-arm.zip", "Google android-cts-7.1_r6-linux_x86-arm.zip", "android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]", "Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community", "Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks", "ET TROJAN W32/Kegotip CnC Beacon", "IDS Detections ET POLICY Suspicious User-Agent Containing .exe", "Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit", "Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /", "Startul ErrorPageTemplate[1] netcore, BouncyCastle.", "Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BouncyCastle", "display_name": "BouncyCastle", "target": null }, { "id": "Sf:ShellCode-AU", "display_name": "Sf:ShellCode-AU", "target": null }, { "id": "Win.Trojan.Fareit-82", "display_name": "Win.Trojan.Fareit-82", "target": null }, { "id": "Win.Trojan.Agent-245901", "display_name": "Win.Trojan.Agent-245901", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "W32/Kegotip CnC", "display_name": "W32/Kegotip CnC", "target": null }, { "id": "W32.Virut.ci", "display_name": "W32.Virut.ci", "target": null }, { "id": "Downloader.Generic13.CMTW", "display_name": "Downloader.Generic13.CMTW", "target": null }, { "id": "Downloader.Generic13.BOBZ", "display_name": "Downloader.Generic13.BOBZ", "target": null }, { "id": "Win.Trojan.Injector-12138", "display_name": "Win.Trojan.Injector-12138", "target": null }, { "id": "Generic36.ADTY", "display_name": "Generic36.ADTY", "target": null }, { "id": "Generic36.AIAA.Dropper", "display_name": "Generic36.AIAA.Dropper", "target": null }, { "id": "Generic36.AJSM", "display_name": "Generic36.AJSM", "target": null }, { "id": "Win32/Virut", "display_name": "Win32/Virut", "target": null }, { "id": "Win32/Ramnit.A", "display_name": "Win32/Ramnit.A", "target": null }, { "id": "Worm.Autorun-6180", "display_name": "Worm.Autorun-6180", "target": null }, { "id": "Hider.BIY", "display_name": "Hider.BIY", "target": null }, { "id": "Win.Trojan.Rootkit-4532", "display_name": "Win.Trojan.Rootkit-4532", "target": null }, { "id": "Win32/Blacked", "display_name": "Win32/Blacked", "target": null }, { "id": "Win32.Injector", "display_name": "Win32.Injector", "target": null }, { "id": "TrendMicro", "display_name": "TrendMicro", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 71, "FileHash-SHA256": 853, "URL": 1639, "domain": 288, "FileHash-MD5": 78, "hostname": 545 }, "indicator_count": 3474, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "54 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697488f095f69d392afd00fb", "name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes", "description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T08:55:12.845000", "tags": [ "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "href", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "form", "click", "strings", "error", "tools", "look", "verify", "restart", "active related", "url https", "related pulses", "url http", "united", "czechia", "hong kong", "ipv4", "indicators hong", "kong", "south korea", "netherlands", "germany", "ireland", "denmark", "sweden", "active", "government", "finance", "security", "type indicator", "yara detections", "av detections", "ids detections", "alerts", "analysis date", "mcsf", "microsoft", "yara", "insurance", "fidelity investments", "description", "fidelity international", "ms windows", "pe32", "writeconsolew", "read c", "pe32 executable", "t1045", "susp", "write", "win64", "malware", "modified", "ck ids", "t1040", "sniffing", "packing", "t1112", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "win32", "trojan", "april", "sara ligorria", "tramp advert", "black paper", "createdate", "subject laser", "title laser", "format", "types of", "japan", "regsetvalueexa", "regdword", "regbinary", "module download", "tls handshake", "high", "defense evasion", "discovery att", "adversaries", "title", "role", "flag", "name server", "server", "domain address", "markmonitor", "clicktale ltd", "enom", "whoisguard", "medium", "unicode", "rgba", "delete", "crlf line", "next", "dock", "execution", "date", "users", "tls sni", "total", "cnc domain", "search", "oamazon", "cnamazon rsa", "push", "failure yara", "contacted", "hours ago", "created", "cia", "fbi", "telegram", "tulach", "sabey", "state", "gov", "ahmann", "financial fraud", "t-mobile", "walmartmobile", "life insurance", "fidelity life", "guarantee", "team", "role title", "added active", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "kw3recepten", "domainname0", "searchbox0", "kw1brinta", "kw2muesli", "indicator role", "title added", "pulses url", "cve cve20170147", "apple", "apple id" ], "references": [ "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://bhive.nectar.social/rKvoMY", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "Domains Contacted api.nuget.org", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.fidelity.com/ https://www.fidelity.com/", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "https://www.anyxxxtube.net/search-porn/", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "https://bhive.nectar.social/rKvoMY", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "http://appleid.app", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64:Trojan-gen", "display_name": "Win64:Trojan-gen", "target": null }, { "id": "Trojan:MSIL/Ursu.KP", "display_name": "Trojan:MSIL/Ursu.KP", "target": "/malware/Trojan:MSIL/Ursu.KP" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "target": null }, { "id": "Trojan:PDF/Phish.RR!MTB", "display_name": "Trojan:PDF/Phish.RR!MTB", "target": "/malware/Trojan:PDF/Phish.RR!MTB" }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": ": ALF:Trojan:MSIL/Azorult.AC!", "display_name": ": ALF:Trojan:MSIL/Azorult.AC!", "target": null }, { "id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "target": null }, { "id": "Trojan:Win32/Conbea!rfn", "display_name": "Trojan:Win32/Conbea!rfn", "target": "/malware/Trojan:Win32/Conbea!rfn" }, { "id": "Trojan:Win32/Ausiv!rfn", "display_name": "Trojan:Win32/Ausiv!rfn", "target": "/malware/Trojan:Win32/Ausiv!rfn" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "target": null }, { "id": "Trojan:BAT/Musecador", "display_name": "Trojan:BAT/Musecador", "target": "/malware/Trojan:BAT/Musecador" }, { "id": "TrojanDropper:Win32/Qhost", "display_name": "TrojanDropper:Win32/Qhost", "target": "/malware/TrojanDropper:Win32/Qhost" }, { "id": "Trojan:Win32/Miner.KA!MTB", "display_name": "Trojan:Win32/Miner.KA!MTB", "target": "/malware/Trojan:Win32/Miner.KA!MTB" }, { "id": "DNSTrojan", "display_name": "DNSTrojan", "target": null }, { "id": "EternalRocks", "display_name": "EternalRocks", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Finance", "Insurance" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2793, "URL": 6639, "FileHash-SHA256": 2462, "domain": 1070, "FileHash-MD5": 307, "FileHash-SHA1": 186, "SSLCertFingerprint": 1, "email": 1, "CVE": 3 }, "indicator_count": 13462, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "55 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6964c08bf79bcb252eaa9e15", "name": "TrojanSpy - Spotify account under an attack which conceals artists releases / deletes followers", "description": "Spotify Attacks: TrojanSpy - Streamer Spotify account under an attack which conceals artists releases / deletes followers. The attack is adversarial. I\u2019m unclear how widespread it is. . Further research required. OTX auto generated Pegasus. Released work that was once viewable is now concealed, followers deleted.\n#cloudfront #spyware #delete_service #cloudfront_attacks", "modified": "2026-02-11T09:03:20.933000", "created": "2026-01-12T09:36:11.701000", "tags": [ "google", "fastly", "googlecl", "january", "http", "domain", "akamaias", "cloudflar", "page url", "de summary", "april", "reverse dns", "url https", "general full", "software", "united", "resource hash", "protocol h3", "security quic", "protocol h2", "security tls", "main", "present jan", "title", "gmt max", "certificate", "moved", "lowfi", "gmt content", "meta", "present dec", "status", "aaaa", "passive dns", "urls", "search", "expiration date", "win32", "files", "verdict", "files ip", "address", "mtb jan", "trojandropper", "backdoor", "win32upatre jan", "origin trial", "gmt cache", "443 ma2592000", "possible", "worm", "trojan", "ip address", "record value", "dark", "found", "ipv4 add", "error", "trojanspy", "emails", "servers", "pegasus", "america flag", "america asn", "tlsv1", "read c", "show", "medium", "lstockholm", "ospotify ab", "odigicert inc", "execution", "next", "dock", "write", "persistence", "dynamicloader", "yara rule", "ms windows", "pe32", "named pipe", "smartassembly", "delphi", "malware", "united states", "pe file", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "high", "write c", "tls sni", "tls handshake", "delete", "as15169", "stun binding", "request", "port", "win64", "themida", "guard", "risepro", "sha256", "sha1", "pattern match", "ascii text", "size", "mitre att", "ck id", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "learn", "command", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "directui", "element", "hwndhost", "classinfobase", "hwndelement", "value", "explorer", "insert", "movie", "hacktool", "showing", "entries http", "scans show", "california", "location united", "next associated", "pulse pulses", "name servers", "found request", "unique", "url add", "related nids", "files location", "expiration", "flag united", "present nov", "present sep", "href", "suricata stream", "command decode", "starfield", "encrypt", "iframe", "date", "title error", "hostname", "pulse submit", "memcommit", "checks", "windows", "capture", "cloudfront", "colorado", "creation date", "hostname add", "eset", "binary file", "pdb path", "internalname", "nod32", "amon" ], "references": [ "open.spotify.com \u2022", "https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2", "https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2", "FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com", "https://target.tccwest.www.littleswimmers.fr/", "www.onyx-ware.com \u2022 endgamesystems.com", "cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "TrojanSpy:MSIL/Yakbeex.A", "display_name": "TrojanSpy:MSIL/Yakbeex.A", "target": "/malware/TrojanSpy:MSIL/Yakbeex.A" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32:HacktoolX-gen\\ [Trj]", "display_name": "Win32:HacktoolX-gen\\ [Trj]", "target": null }, { "id": "nUFS_unicode", "display_name": "nUFS_unicode", "target": null }, { "id": "HackTool:Win32/CobaltStrike.A", "display_name": "HackTool:Win32/CobaltStrike.A", "target": "/malware/HackTool:Win32/CobaltStrike.A" }, { "id": "Win.Dropper.PoisonIvy-9876745-0", "display_name": "Win.Dropper.PoisonIvy-9876745-0", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" } ], "industries": [ "Entertainment", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1293, "URL": 3389, "FileHash-MD5": 635, "FileHash-SHA1": 531, "FileHash-SHA256": 2345, "domain": 501, "email": 12, "SSLCertFingerprint": 16 }, "indicator_count": 8722, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69642a749490c0bf404aa8ac", "name": "Google Services - Malware Packed Google Branded Services", "description": "Contacted Google services | Service (1 of 3) || GoogleChromeElevationService | Mofksys \u2022 Unruy | Relationship: https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b | \n#affilliated #worm _#exploit #alternate_google #infection #spyware", "modified": "2026-02-10T22:01:54.041000", "created": "2026-01-11T22:55:48.308000", "tags": [ "write c", "write", "delete c", "ms windows", "pe32 executable", "globalc", "united", "worm", "malware", "defender", "united states", "google", "google account", "mtb ids", "cloudflare dns", "https domain", "tls sni", "medium priority", "yara detections", "alerts", "google play", "google api", "google chrome", "mofksys", "exploit", "process32nextw", "msie", "windows nt", "wow64", "slcc2", "media center", "search", "precreate read", "read c", "dock", "unknown", "suspicious", "alt google", "execution att", "lowfi", "mtb jan", "trojandropper", "passive dns", "backdoor", "win32upatre jan", "origin trial", "gmt cache", "443 ma2592000", "possible", "trojan", "title", "mtb dec", "ipv4 add", "state", "trojan", "dropper", "phishing", "ransom", "of colorado" ], "references": [ "accounts.google.com \u2022 apis.google.com clients2.google.com \u2022 clients2.googleusercontent.com", "142.251.9.95 \u2022 https://clients2.google.com/cr/report \u2022 accounts.google.com \u2022", "ogads-pa.clients6.google.com \u2022 optimizationguide-pa.googleapis.com \u2022 play.google.com", "update.googleapis.com \u2022 www.google.com \u2022 clientservices.googleapis.com", "Worm:Win32/Mofksys.RND!MTB | Yara Detections: SUSP_Imphash_Mar23_2", "IDS Detection: Observed Cloudflare DNS over HTTPS \u2022 Domain (cloudflare-dns .com in TLS SNI)", "Alerts: suspicious_iocontrol_codes infostealer_cookies persistence_autorun antisandbox_sleep", "Alerts: persistence_autorun_tasks polymorphic procmem_yara static_pe_anomaly antiav_detectfile", "Alerts: antiav_detectreg antivm_bochs_keys antivm_generic_disk infostealer_mail injection_write", "Alerts: suspicious_command_tools anomalous_deletefile mouse_movement_detect", "Alerts: dynamic_function_loading resumethread_remote_process stealth_hiddenreg", "Contacted Google services", "SERVICE NAME: SSDPSRV \u2022 Delete upnphost\tDelete \u2022 GoogleChromeElevationService", "https://otx.alienvault.com/indicator/file/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "codewiki.google", "Win.Malware.Unruy-6912804-0 IDS Detections: Win32/Unruy.C Activity 403 Forbidden", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction", "Alerts: network_http antisandbox_sleep creates_exe dropper stealth_window", "Alerts: injection_process_search protection_rx", "IP\u2019s Contacted: 142.250.74.68 142.250.74.99 18.66.121.69 185.53.179.170 2.22.41.134 204.79.197.200", "IP\u2019s Contacted: 208.91.196.46 209.197.3.8 216.239.32.29 35.186.238.101", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com www.google.com", "Domains Contacted: ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com", "Domains Contacted: d38psrni17bvxu.cloudfront.net www2.megawebfind.com www6.megawebfind.com", "PE Version Information : TJprojMain.exe", "Found in : https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b", "IDS Detections Win32/Unruy.C Activity \u2022 403 Forbidden" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Unruy-6912804-0", "display_name": "Win.Malware.Unruy-6912804-0", "target": null }, { "id": "Win.Packed.Eyestye-9754938-0", "display_name": "Win.Packed.Eyestye-9754938-0", "target": null }, { "id": "Eyestye", "display_name": "Eyestye", "target": null }, { "id": "AutoRun", "display_name": "AutoRun", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "ALF:HeraklezEval:PUA:Win32/4Shared", "display_name": "ALF:HeraklezEval:PUA:Win32/4Shared", "target": null }, { "id": "Cassini", "display_name": "Cassini", "target": null }, { "id": "DarkMoon", "display_name": "DarkMoon", "target": null }, { "id": "PolyRansom", "display_name": "PolyRansom", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1078.003", "name": "Local Accounts", "display_name": "T1078.003 - Local Accounts" }, { "id": "T1078.001", "name": "Default Accounts", "display_name": "T1078.001 - Default Accounts" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1090.004", "name": "Domain Fronting", "display_name": "T1090.004 - Domain Fronting" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 198, "FileHash-SHA1": 165, "FileHash-SHA256": 867, "URL": 1461, "hostname": 429, "domain": 221, "SSLCertFingerprint": 1 }, "indicator_count": 3342, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69640c0afc9805a6fa2da07b", "name": "MUSO.AI Malware \u2018Incredimail\u2019 Palantir in use[OTX auto populated title -Tsara Brashears]", "description": "MUSO.Ai , Is have to do more research. Some searches on reports MUSO as an opt in resource for artist to view, sort, and manage legacy credits, MUSO also collects royalties. Research and investigation confirms no one on music team is associated with or l thinks they may have heard of MUSO. Is MUSO. AI Palantir customer or service ,spy app services by the folks at Palantir. . [otx auto pop praise: Tsara Brashears is the most popular songwriter in the world, but can you use the app to find out more about the artist and the musicians behind the tracks?] cute. \n#dembiak #palantir #muso #ai", "modified": "2026-02-10T20:03:47.214000", "created": "2026-01-11T20:46:02.176000", "tags": [ "lark kdence", "zack dare", "zafira", "jon bonus", "andy flebbe", "div div", "present nov", "a domains", "united", "script urls", "div a", "script domains", "discover", "moved", "insert", "x0 tw", "urls", "cloudfront x", "title error", "url analysis", "reverse dns", "servers", "name servers", "united states", "all ipv4", "aaaa", "ip address", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "evasion att", "t1480 execution", "ascii text", "mitre att", "pattern match", "null", "error", "click", "hybrid", "general", "local", "path", "starfield", "strings", "refresh", "tools", "meta", "onload", "span", "data upload", "extraction", "type", "extra", "referen https", "include review", "exclude sugges", "stop", "aivoes typ", "passive dns", "date", "united states", "status", "domain add", "files", "hostname", "read c", "medium", "search", "show", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "amazon02", "as autonomous", "system", "asn16509", "domain", "current dns", "a record", "as16509", "december", "ip information", "ipasns ip", "google", "fastly", "googlecl", "akamaias", "cloudflar", "domain tree", "links ip", "address as", "cisco", "umbrella rank", "general full", "url https", "software", "resource hash", "protocol h2", "security tls", "hostname add", "challengescript", "captchascript", "name", "value", "source level", "url text", "automatic", "webgl", "please", "extr data", "data", "size", "title", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "entries", "rgba", "unicode", "asnone", "malware", "port", "destination", "tlsv1", "tls handshake", "failure", "roboto", "msie", "windows nt", "wow64", "slcc2", "media center", "expiration", "url http", "no expiration", "present jan", "unknown ns", "certificate", "body", "present oct", "present may", "present dec", "present sep", "present feb", "showing", "next associated", "all se", "pulse pulses", "http", "files domain", "files related", "pulses none", "debiak", "tsara brashears", "ai", "palantir", "muso ai", "sort", "artists", "royalties", "music", "songwriter", "collect", "view", "malicious app", "false claims" ], "references": [ "https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a", "22.hio52.r.cloudfront.net", "us-gov-west-1.gov.reveal-global.com", "us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647", "MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page", "External Hosts Israel Unique Countries 2 Unique ASNs 2 IP", "ASN 82.80.204.63 www5.incredimail.com \u2022 Israel", "United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel", "AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel", "Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)", "IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5", "Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com", "medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com", "caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com", "upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com", "https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/", "http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com", "https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com", "engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com", "https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com", "http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/", "https://glare.pali om. \u2022 http://engage.palantirfou?", "What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co", "(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022", "www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!", "campdeadwood2026.com", "http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy", "Pornhub to your phone. Dumping or by request?", "https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/", "www.killer333.club So I\u2019m right." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Incredimail-6804483-0", "display_name": "Win.Malware.Incredimail-6804483-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "TA0028", "name": "Persistence", "display_name": "TA0028 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10686, "hostname": 2427, "domain": 1094, "FileHash-MD5": 175, "FileHash-SHA1": 65, "FileHash-SHA256": 1118, "email": 4, "SSLCertFingerprint": 14 }, "indicator_count": 15583, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6961a8ed7b492f9e0ba38990", "name": "HeartSender.A and other Malware attacks originating from Palantirs Pahamify Pegasus", "description": "Pahamify Pegasus : HackTool \u2022 Speedcat \u2022 HeartSender.A \u2022 Zbot and other malware found.\nSearc begins with single FileHash referenced below. \nI\u2019m checking the processes and sharing it here one group at a time. Too much research at once could bring Amazon AWS down. Again.", "modified": "2026-02-09T00:04:37.974000", "created": "2026-01-10T01:18:36.999000", "tags": [ "read c", "write c", "port", "destination", "united", "medium", "as16509", "memcommit", "write", "execution", "dock", "persistence", "next executed", "commands graph", "tree", "sample hash", "passive dns", "present jan", "title error", "urls", "files", "date hash", "avast avg", "dynamicloader", "host", "utf8", "unicode text", "crlf line", "binary resource", "ms windows", "search", "intel", "pcspeedcat", "win32", "internal", "malware", "local", "unknown", "get na", "http", "okrnserver", "ip address", "http traffic", "guard", "powershell", "ipv4 add", "servers", "name servers", "capture", "link", "gateway", "tofsee att", "ck ids", "t1055", "injection", "t1071", "protocol", "t1573", "target", "url http", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "t1480 execution", "discovery att", "mitre att", "ck matrix", "ascii text", "hybrid", "general", "path", "click", "strings", "high", "etpro malware", "next", "stack", "format", "error", "unicode", "head http", "regsetvalueexa", "qt binary", "resource file", "pe32", "hostile", "unknown aaaa", "unknown ns", "x content", "gmt cache", "domain add", "title", "present sep", "a td", "td tr", "dir td", "td td", "present may", "present jun", "present apr", "present aug", "present oct", "head body", "gmt server", "index", "main", "accept", "status", "th tr", "moved", "record value", "expiration date", "germany unknown", "present dec", "cache control", "present nov", "max age1000000", "cookie", "hosting", "reverse dns", "location france", "france asn", "as16276", "trojandropper", "next associated", "mtb jan", "exploit", "emails", "trojan", "pegasus", "hostname add", "url analysis", "domain", "files ip", "address", "france unknown", "asn as16276", "backdoor", "entries", "setcookie", "twitter", "refloadapihash", "virtool", "show", "displayname", "windows", "rndhex", "tofsee", "stream", "encrypt", "push", "creation date", "france", "date", "body", "pup", "amazon", "amazon aws", "salesforce", "herokuappdev", "google", "igoogle", "monitored target", "cats" ], "references": [ "FileHash-SHA256\t9f66cab9d7c581cf2dd28b6ae3178bb3d38975ff257c3ffb67c3e89d0f7135ee", "https://otx.alienvault.com/indicator/ip/3.163.24.10", "External Hosts: 52.57.183.74\t access.pcspeedcat.com\taccess.pcspeedcat.com\tGermany\tAS16509 amazon.com inc\taccess.pcspeedcat.com Germany AS16509 amazon.", "External Hosts: 3.163.24.10\t www.pcspeedcat.com\twww.pcspeedcat.com\tUnited States ASNone", "https://otx.alienvault.com/indicator/hostname/pegasus.pahamify.com", "https://otx.alienvault.com/indicator/url/https://pegasus.pahamify.com/", "https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "http://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "biblegateway.comwww.biblegateway.com \u2022 www.biblegateway.com", "Malicious Application Development: herokuappdev.com (Patter match 8 years +)", "direwolf-8b1a1bc476.staging.herokuappdev.com", "Malicious Application Development: herokuappdev.com (pattern matching spans 8+ years)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Generic-9871124-0", "display_name": "Win.Malware.Generic-9871124-0", "target": null }, { "id": "ALF:HackTool:MSIL/HeartSender.A", "display_name": "ALF:HackTool:MSIL/HeartSender.A", "target": null }, { "id": "Win.Malware.Speedcat-6957425", "display_name": "Win.Malware.Speedcat-6957425", "target": null }, { "id": "Tofsee Attack", "display_name": "Tofsee Attack", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 404, "FileHash-SHA1": 286, "FileHash-SHA256": 1419, "SSLCertFingerprint": 7, "domain": 441, "URL": 4233, "hostname": 1217, "email": 10 }, "indicator_count": 8017, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69612a0df518040b20932bef", "name": "Pahamify Pegasus | Palantir Malicious delivery via Bible app downloaded from iOS App Store", "description": "Pahamify Pegasus | Requires much further research.\nWorking backwards: Targeted device had a Bible Gateway app download by target from both iOS and Android devices. As per report each time app was accessed, iOS became glitched, passwords stolen, drive by compromise on lock screen prompted target to review app. She found the app login was changed to an unknown users name. I tested a (Bible Gateway) URI to see if her belief BG was a honey pot was true. \nThis may take 2-3 more rounds of research. \nIs Pegasus. Is Palantir. Is intrusive and malicious.\n\n[OTC auto generated Title: 2 Timothy 3 NIV - But mark this: There will be terrible - Bible Gateway]", "modified": "2026-02-08T15:00:50.749000", "created": "2026-01-09T16:17:17.632000", "tags": [ "defense evasion", "cor ta0011", "techni process", "application l", "encrypted ch", "christ jesus", "just", "final charge", "timothy10", "antioch", "iconium", "lystra", "lord", "holy scriptures", "scripture", "bible gateway", "no expiration", "expiration", "a domains", "present sep", "united", "present jun", "meta", "present oct", "present aug", "servers", "title", "data upload", "extraction", "palantir foundry", "listeners", "dev", "redirects", "redirect health", "health data", "utc google", "utc na", "script", "utc amazon", "bible", "meta tags", "read", "bible reading", "trackers google", "anchor", "analyse headers", "contenttype", "transferenco", "connection", "date fri", "server", "read c", "as16509", "rgba", "unicode", "execution", "dock", "write", "persistence", "jsvendor", "jsapp", "script script", "cssapp", "jsfirebase", "moved", "urls", "pegasus", "encrypt", "script urls", "record value", "tls handshake", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "next", "capture", "malware", "unknown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "access att", "t1189 driveby", "html", "mitre att", "ck matrix", "ascii text", "pattern match", "et info", "bad traffic", "hybrid", "general", "local", "path", "click", "adversaries", "execution att", "t1204 user", "t1480 execution", "null", "refresh", "span", "strings", "error", "tools", "look", "verify", "restart", "timothy", "search", "tag manager", "g8t6ln06z40", "code", "css", "js", "router", "cloudfront", "John 12:17", "port", "yara rule", "high", "tofsee", "rndhex", "rndchar", "destination", "loaderid", "lidfileupd", "stream" ], "references": [ "https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "https://pegasus.pahamify.com/", "aptia.palantirfoundry.com \u2022 palantirfoundry.com \u2022\u2019agent-infra-mojito.palantirfoundry.com", "equilibrium.palantirfoundry.com \u2022 kt-presales.palantirfoundry.com \u2022 paloma.palantirfoundry.com", "usw-2-dev.palantirfoundry.com \u2022 lucyw.palantirfoundry.com \u2022 https://fegdip.palantirfoundry.com/", "http://dasima-containers.palantirfoundry.com/ \u2022 https://glare.palantirfoundry.com/", "https://inbound-message-listener-temporary-testing.palantirfoundry.com", "https://listeners.usw-16.palantirfoundry.com \u2022 https://pacificlife.palantirfoundry.com/", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.afa33b71-01ea-477c-bc01-f6a3ab623e9d/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/", "https://uhsinc.palantirfoundry.com/ \u2022 https://velocityglobal.palantirfoundry.com", "https://wes.palantirfoundry.com/ \u2022 http://utilities-bootcamp.palantirfoundry.com/", "http://glare.palantirfoundry.com/ \u2022 https://woodward.palantirfoundry.com/", "https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd45176426a", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd458176426a", "https://pegasus.pahamify.com/ \u2022 https://pegasus.pahamify.com/study-plan/ \u2022 pegasus.pahamify.com", "John 12:17" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Bible Gateway", "display_name": "Bible Gateway", "target": null }, { "id": "Pahamify Pegasus", "display_name": "Pahamify Pegasus", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6527, "hostname": 2450, "FileHash-SHA256": 1716, "FileHash-MD5": 245, "FileHash-SHA1": 134, "domain": 1101, "email": 3, "SSLCertFingerprint": 8 }, "indicator_count": 12184, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "70 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695c7b40f5d2f292a7512e81", "name": "USteal Reputation Smear | Malicious Media | TrojanSpy - CrazyFrost.com", "description": "Who is CrazyFrost? USteal Reputation Smear | Malicious Media | TrojanSpy would affect anyone who clicks on honeypot / dga domain. iPhone spyware. We\u2019ve been working on exposing spyware. Emotet / AutoIT , cabs, password stealer, and more found. Investigators and attorneys from the past Investigators reported victims life, was being promoted over the dark web. From bathing to cooking , conversations to arguments, getting dressed to passing gas. Haha. Small cameras were accessed remotely in her former. Castle Pines, Co hideaway. A third investigator confirmed tiny cameras were installed when victim was in staycationing. When family arrived home garage door and secured doors were boldly left open. Crazy True. [otx auto generated- The following is the full text of the public-key-precert-scts, which has been posted on the website of Redporn.video, the site of an unauthorised sex tape.]", "modified": "2026-02-05T02:03:26.707000", "created": "2026-01-06T03:02:24.932000", "tags": [ "gmtn", "log id", "ca issuers", "b0n timestamp", "signature", "d097", "f2334482", "fc46", "b10b2898797d", "fingerprintsha1", "tsara", "we1 certificate", "dynamicloader", "medium", "write c", "host", "yara rule", "myapp", "delphi", "worm", "win32", "error", "write", "code", "malware", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "ssl certificate", "execution att", "t1204 user", "united", "mitre att", "ck matrix", "flag", "ogoogle trust", "href", "network traffic", "span", "babe", "super", "close", "general", "local", "path", "encrypt", "click", "strings", "form", "extraction", "data upload", "all ht", "enter source", "one on", "tezunau", "daut un", "dauwol lype", "ur extraction", "extrac", "n tezunau", "one opa", "included review", "faileextra", "include data", "review exclude", "sugges", "delete c", "json", "ascii text", "high", "data", "search", "stream", "unknown", "push", "next", "dirty", "enter s", "type", "extr data", "include", "ff d5", "ee fc", "eb d8", "f0 ff", "ff bb", "fd ff", "ff eb", "ed b8", "agent", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "read c", "execution", "dock", "persistence", "sc data", "present jan", "present mar", "present dec", "unknown aaaa", "passive dns", "urls", "trojanspy", "date", "present feb", "susp", "moved", "ip address", "backdoor", "usteal", "body", "title", "hybrid", "regopenkeyexa", "memcommit", "regsz", "english", "copy", "ufr stealer", "markus", "april", "updater", "entries", "rsds", "c reg", "environment", "launch" ], "references": [ "https://www.redporn.video/tsara-brashears-slandered-.htm \u2022 www.redporn.video \u2022 http://www.redporn", "guidepaparazzisurface.com", "http://www.crazyfrost.com\t\u2022 http://www.crazyfrost", "http://chaturbate.com/notabottom/\t\u2022 http://chaturbate.com/notabottom/\\", "iPhone Spyware - https://bam.nr-data.net/1/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/&ap=123&fe=4218&dc=4218&af=err", "iPhone Spyware - https://bam.nr-data.net/jserrors/ping/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/", "https://chaturbate.com/notabottom/", "https://www.google-analytics.com/r/collect?v=1&_v=j83&a=1390847564&t=pageview&_s=1&dl=https%3A%2F%2Fchaturbate.com%2Fnotabottom%2F&ul=en-us&de=utf-8&dt=Chaturbate%20-%20100%25%20Free%20Chat%20%26%20Webcams&sd=32-bit&sr=1024x768&vp=780x439&je=0&_u=YEBAAE~&jid=915940444&gjid=1686072238&cid=922362881.1595496808&tid=UA-23607725-1&_gid=1317601001.1595496808&_r=1&cd1=chaturbate.com&cd2=&cd3=-&cd4=&cd5=anonymous&z=762468946" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2543, "hostname": 848, "FileHash-SHA256": 1320, "SSLCertFingerprint": 25, "domain": 463, "FileHash-MD5": 418, "FileHash-SHA1": 197, "email": 2 }, "indicator_count": 5816, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6958780c8479a9d69920c3d8", "name": "Telnet - Mirai \u2022 Dark Nexus BusyBox iOS Attack", "description": "There\u2019s enough here to cause an outage. I will stop here. Illegal activities to silence victim and block her from financial settlement award for permanent injuries under workers compensation in a premise and healthcare worker assault scenario. Attorneys estimated her case to be above $100 million but knew she\u2019d be tampered with. Mark Montano MD forewarned her but is culpable. Still attacking family of victim.\n[ True- otx auto generated: Adversaries may be able to gain access to a victim's network through a drive-by attack, as well as using a short-term SSL certificate, in order to target the victim.] |||\nPositive:\nT1140 - Deobfuscate/Decode Files or Information\nSuspicious IP Address\n104.21.51.140, 172.67.181.41\nLocation United States ASN\nModif AS13335 cloudflare\nAutomate Nameservers:\nns1.colocrossing.com.", "modified": "2026-02-02T01:02:46.327000", "created": "2026-01-03T01:59:40.530000", "tags": [ "united", "moved", "title", "passive dns", "ipv4 add", "urls", "files", "hosting", "reverse dns", "location united", "hash avast", "avg clamav", "msdefender mar", "read c", "create c", "medium", "search", "memcommit", "high", "checks", "windows", "execution", "dock", "write", "persistence", "capture", "local", "ref b", "wed may", "backdoor", "mtb aug", "next associated", "mtb dec", "twitter", "smoke loader", "malware", "virtool", "hacktool", "data upload", "present dec", "mtb apr", "win32", "trojan", "worm", "lowfi", "cybota", "expiration date", "name servers", "ipv4", "url analysis", "port", "destination", "telnet login", "bad login", "gpl telnet", "suspicious path", "busybox", "tcp syn", "et telnet", "path", "mirai", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "america", "ck id", "name tactics", "suspicious", "informative", "learn", "t1179 hooking", "installs", "t1035 service", "adversaries", "msie", "windows nt", "slcc2", "media center", "y013", "flag", "span", "accept", "core", "february", "hybrid", "malicious", "general", "click", "strings", "roboto", "next", "usa windows", "finished", "queueprogress", "timestamp input", "threat level", "october", "september", "hwp support", "fresh", "win64", "khtml", "gecko", "brand", "microsoft edge", "programfiles", "comspec", "model", "iframe", "form", "listeners", "initial access", "t1590 gather", "victim network", "ssl certificate", "quasi government", "jeffrey reimer", "palantir", "Regis university", "otx hp", "apple", "pegasus", "h5 data center", "florence colorado", "brian sabey", "target : Tsara Brasheaers", "aig", "industry and commerce", "united states", "State of Colorado.", "date", "status", "domain", "hostname add", "pulse pulses", "files ip", "address", "url https", "url http", "hostname", "show", "type indicator", "source hostname", "entries", "Prometheus Intelligence Technology", "pulse submit", "america flag", "body", "dynamicloader", "microsoft azure", "tls issuing", "named pipe", "json", "ascii text", "lredmond", "Apple", "Telnet", "BusyBox", "Pegasus", "Colorado State Fixer: Christopher P. Ahmann", "Hijacker: Brian Sabey", "For: Concentra", "Protecting Assaulter: Jeffrey Reimer", "For: AIG", "For Industry and Commerce", "For: Quasi Government", "For: Workers Compensation", "Authorities", "Law Enforcement Dark", "Silencing", "Tampering with a Victim", "Meta", "Palantir", "Google", "Bing", "Microsoft", "ColoCrossing", "Associates", "hit men" ], "references": [ "ET Telnet | https://www.colocrossing.com | velocity servers", "https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives", "TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host", "Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)", "(legitimate services will remain up-and-running usually) High | ID dead_host", "ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0", "IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login", "Yara Detections is__elf", "Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , ELFHighEntropy , elf_empty_sections", "http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/", "https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l", "https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!", "https://www.colocrossing.com/", "(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.", "In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov", "104.21.51.140, 172.67.181.41", "Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot", "stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe", "Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download", "Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration", "IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192", "IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82", "Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com", "This is hard to comprehend or put into indelible words." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "HackTool:MSIL/Boilod.C!bit", "display_name": "HackTool:MSIL/Boilod.C!bit", "target": "/malware/HackTool:MSIL/Boilod.C!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1462", "name": "Malicious Software Development Tools", "display_name": "T1462 - Malicious Software Development Tools" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Technology", "Healthcare", "Insurance", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6390, "domain": 723, "hostname": 1978, "FileHash-SHA256": 1912, "FileHash-MD5": 410, "FileHash-SHA1": 306, "email": 3, "SSLCertFingerprint": 28, "CVE": 3 }, "indicator_count": 11753, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "76 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695555b664c8998371393b8f", "name": "\u200emyMetro App - App Store \u2022 Access Attack via iOS App", "description": "Apple iOS attack. Drive by compromise. Device fully compromised. Service provider incorrect. Device user does not use MetroPCS as Cellular carrier. \n\n#cyberwarfare #pegasus #endgame #apple #earsinthecornfield #compromised_device #zombie", "modified": "2026-01-30T16:01:37.437000", "created": "2025-12-31T16:56:22.577000", "tags": [ "espaol", "metro pcs", "metro", "english", "data", "privacy", "learn", "requires", "strong", "see all", "bernie", "mint", "never", "example", "click", "indonesia", "\u2019m", "win32mydoom dec", "united", "trojan", "name servers", "servers", "expiration date", "backdoor", "found", "passive dns", "gmt connection", "control", "content type", "twitter", "title", "aaaa", "ember cli", "ember view", "certificate", "win32", "invalid url", "body html", "head title", "title head", "body h1", "reference", "urls", "akamai", "unknown ns", "domain", "search", "ipv4", "files", "reverse dns", "location united", "america flag", "america asn", "dynamicloader", "port", "high", "medium", "windows", "displayname", "write", "destination", "tofsee", "stream", "malware", "hostile", "read c", "show", "rgba", "unicode", "whitelisted", "memcommit", "delete", "execution", "dock", "persistence", "msie", "chrome", "ip address", "otx telemetry", "unknown soa", "gmt content", "for privacy", "moved", "record value", "ubuntu date", "encrypt", "a domains", "welcome", "type", "content length", "ipv4 add", "url analysis", "accept", "overview domain", "files ip", "address", "location france", "asn as16276", "tags none", "indicator facts", "historical otx", "france unknown", "ovhcloud meta", "domain add", "present dec", "status", "service", "win32cutwail", "setcookie", "gmt server", "refloadapihash", "virtool", "present nov", "present oct", "all ipv4", "hostname", "present jul", "saudi arabia", "present mar", "present jun", "present feb", "entries", "france asn", "asn as16509", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "ascii text", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "hybrid", "local", "path", "strings", "delete c", "okrndate", "grum", "powershell", "pegasus", "unknown", "crlf line", "ff d5", "unicode text", "utf8", "ee fc", "yara rule", "f0 ff", "ff bb", "push", "autorun", "suspicious", "pulse pulses", "date", "music", "apple", "apple id", "show process", "flag", "markmonitor", "name tactics", "informative", "command", "adversaries", "spawns", "access att", "t1566 phishing", "zerobits", "allocationtype", "protect", "programfiles", "processhandle", "commitsize", "viewsize", "regionsize", "handles modules", "files amsi", "filehandle", "path filehandle", "porthandle", "copy md5", "copy sha1", "copy sha256", "href", "null", "refresh", "body", "span", "general", "error", "tools", "look", "verify", "restart", "html", "x22scriptx22", "binary file", "t1189", "cyberwarfare", "brian sabey", "never say anything", "christopher ahmann", "colorado state", "quasi", "zombie device", "present may", "emails", "exif standard", "tiff image", "windows nt", "wow64", "slcc2", "media center", "jpeg image", "copy", "next", "pecompact", "february", "packer", "delphi", "code", "tlsv1", "ogoogle trust", "xserver", "lowfi", "creation date", "domain name", "showing", "ids detections", "yara detections", "worm", "arial", "present aug", "meta", "dns domain", "site", "free dns", "msil", "dnssec", "penetration", "injections", "dead host" ], "references": [ "https://apps.apple.com/app/", "metropcs.com/account/sign-in.html", "smtp.google.com \u2022 www.google.com/images/errors/robot.png", "https://www.endgamesystems.com/ \u2022 https://www.endgames.com/", "https://freedns.afraid.org/images/exclamation", "xred.mooo.com \u2022 mooo.com \u2022 afraid.org", "admin@bigtits.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Trojan.Installcore-877", "display_name": "Win.Trojan.Installcore-877", "target": null }, { "id": "Win.Downloader.Small", "display_name": "Win.Downloader.Small", "target": null }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Tibs", "display_name": "Tibs", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ALF:JASYP:PUA:Win32/4Shared", "display_name": "ALF:JASYP:PUA:Win32/4Shared", "target": null } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1577", "name": "Compromise Application Executable", "display_name": "T1577 - Compromise Application Executable" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1086", "name": "PowerShell", "display_name": "T1086 - PowerShell" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1863, "URL": 4952, "FileHash-SHA256": 1990, "FileHash-MD5": 981, "FileHash-SHA1": 791, "email": 26, "domain": 1277, "SSLCertFingerprint": 24 }, "indicator_count": 11904, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "79 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952d4fc6910b0b866746d8a", "name": ".NET Obfuscator, Error Reporting, DLL Merging | SmartAssembly | Spycloud", "description": "*Mirai | Currently being used maliciously. Mirai botnet work in place. Obfuscation, call redirection, evasion , chatbots, spyware , cal retrieval , typosquating , and other tactics used against victim. Red hats being unethical is expected.. This team is attacking in this instance. Screen Capture 24/7. Malicious media +++ from Englewood, Co. \n\nWhen used ethically SmartAssembly protects your code and Intellectual Property with powerful obfuscation features, and provides error reports when your application crashes in the wild, as well as a range of other tools for database management and data management.\n#palantir #foundry #denver #englewood #colorado #spycloud #mirai #botnet", "modified": "2026-01-28T18:03:54.589000", "created": "2025-12-29T19:22:36.103000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1967, "URL": 5699, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10776, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "694dc80ac6e7fd5474b316a1", "name": "Malicious DDOS attacks targeting Brand New 2025 | Updated Apple Products affecting IRS payment portal", "description": "Malicious actors continue to target certain users attempting to pay the IRS. Victim is redirected to : http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan after typing in IRS.gov (w/ secure header \u2018https\u2019 )\nOnce information is input it is payment is rejected, levy against bank accounts and assets and other threats. There is social engineering as one victim is communicating with someone allegedly from the IRS? \nAlthough malicious entities contacted , malicious behavior continues. Adversaries in the Middle attack. US hacker group. Denver, Iowa, Arizona, NY and abroad. \n\n*Targets: https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main |", "modified": "2026-01-24T22:05:13.068000", "created": "2025-12-25T23:26:02.712000", "tags": [ "hash avast", "avg clamav", "msdefender feb", "url http", "url https", "zipcode", "active related", "cage01195 dec", "passports", "ipv4", "active", "irs", "apple", "role title", "indicator role", "malware attacks", "find encrypted", "lumen", "fastly", "create c", "read c", "delete", "write", "default", "medium", "rgba", "dock", "execution", "xport", "united", "passive dns", "urls", "expiration date", "unknown ns", "unknown aaaa", "pulse pulses", "merit", "dod network", "type indicator", "related pulses", "name", "name servers", "ffffff", "ip address", "emails", "object", "clsid6bf52a52", "cookie", "meta", "united kingdom", "germany", "russia", "search", "added active", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "href", "pattern match", "ascii text", "ck id", "mitre att", "ck matrix", "t1071", "general", "local", "path", "iframe", "click", "beginstring", "segoe ui", "null", "refresh", "span", "hybrid", "strings", "error", "tools", "title", "look", "verify", "restart", "data upload", "extraction", "failed", "include data", "entries", "unicode", "high", "memcommit", "next", "flag", "process details", "path expiresthu", "moved", "gmt set", "domain", "httponly path", "encrypt", "leaseweb", "iowa", "title added", "bad traffic", "et info", "tls handshake", "failure", "command decode", "suricata stream", "circle", "f5f8fa", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "development att", "suricata http", "windows nt", "date", "ips initial", "prefetch8", "localappdata", "prefetch1", "programfiles", "edge", "access att", "t1566 phishing", "initial access", "show process", "show technique", "process", "t1057", "contacted", "ck techniques", "evasion att", "body", "report spam", "apple", "ddos", "irs created", "hours ago", "white", "apple user", "industries", "government", "finance", "trojandropper", "appleservice", "mirai", "trojan", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "alerts", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "analysis date", "file score", "medium risk", "copy", "richhash", "finding notes", "clamav malware", "files matching", "number", "sample analysis", "samples show", "date hash", "yara rule", "msie", "t1063", "windows", "malware", "detected", "https domain", "tls sni", "markus", "smartassembly", "win64", "exif data", "present dec", "status", "showing", "show", "icmp traffic", "pdb path", "crlf line", "mutex", "ms defender", "mtb malware", "hide samples", "rootkit", "apple webkit", "macbook pro", "apple ios" ], "references": [ "sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022", "132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center", "154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc", "165.206.254.134 \u2022 Description: CC=US ASN=AS6122", "192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company", "195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet", "205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company", "207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network", "207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network", "214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center", "216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies", "78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh", "95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content", "http://www.anyxxxtube.net/search-porn/ - Adult Content", "https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content", "https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content", "http://sissy.com/default - Adult Content", "https://eliyporasa - Adult Content", "64.38.232.180 - Adult Content IP", "www.anyxxxtube.net - Adult Content", "www.anyxxxtube.net - Adult Content IP", "http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content", "http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP", "jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP", "https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP", "http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP", "http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP", "http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP", "httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022", "http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org", "asp.bet", "apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net", "https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c", "https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main", "http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com", "jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com", "https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e", "Information gathered equals 2 pulses. Pulse (1) included", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "Follow up need. This is a serious financial crime following the victims.", "Victims have lost financial assets, jobs, vehicles", "Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado", "After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Win.Malware.Msilperseus-6989564-0", "display_name": "Win.Malware.Msilperseus-6989564-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.Ramnit-1847", "display_name": "Win.Trojan.Ramnit-1847", "target": null }, { "id": "Win.Trojan.Fenomengame-14", "display_name": "Win.Trojan.Fenomengame-14", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "Mirai Sim Swap", "display_name": "Mirai Sim Swap", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Lumen IP", "display_name": "Lumen IP", "target": null }, { "id": "Unknown Malware \u2018Can't access file\u2019", "display_name": "Unknown Malware \u2018Can't access file\u2019", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Win.Trojan.Fenomengame-8", "display_name": "Win.Trojan.Fenomengame-8", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Adialer", "display_name": "ALF:JASYP:Trojan:Win32/Adialer", "target": null }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Financial", "Government", "Technology", "IRS" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 363, "FileHash-SHA1": 360, "FileHash-SHA256": 3009, "URL": 3504, "domain": 879, "email": 15, "hostname": 1487, "SSLCertFingerprint": 3 }, "indicator_count": 9620, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "85 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6944ce38344ccded23df66f5", "name": "Ransom - Amnesty.org - a single link in a Pegasus attack against a civilian.", "description": "I don\u2019t have the right words to put this together because it involves so much coercion, fraud, betrayal, manipulation , hacking, multiple business fronts, loud mouth mafia plants, working with someone under false pretenses, redhat security teams in Denver , Colorado, false implications of cyber attacks coming from foreign entities. \n\nTips come from a highly reliable sources. One link in a Pegasus attack .", "modified": "2026-01-18T03:05:59.836000", "created": "2025-12-19T04:02:00.973000", "tags": [ "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "free", "benjamin", "write", "worm", "win32", "code", "june", "delphi", "malware", "benjamin", "tulach", "state of colorado", "christopher p. \u2018buzz\u2019 ahmann", "danica implants", "nids_malware_alert", "bonu$", "network_icmp", "network_irc", "persistence_autorun", "network_http", "nids_alert", "allocates_rwx", "hackers", "creates_exe", "brian sabey", "sour del", "packer_entropy", "antivm_memory_available", "pe_features", "get key", "crime", "organized crime", "federal crime", "cyber crime", "piracy", "status", "china unknown", "name servers", "div div", "ip address", "domain", "creation date", "record value", "meta", "title", "hong kong", "passive dns", "gmt content", "type", "content length", "ipv4 add", "urls", "files", "location hong", "twitter", "youtube", "side 3 studios", "denver music", "infiltration", "whistleblower", "getkey", "cyber warfare", "fraud", "financial crimes", "pegasus", "music front", "france unknown", "present feb", "iran unknown", "present nov", "present jun", "present jan", "hidden", "present jul", "date", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "llc name", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "show technique", "ck matrix", "ascii text", "href", "show process", "file", "general", "local", "path", "memory dumping", "entries", "icmp delphi", "showing", "delete", "yara detections", "windows nt", "wow64", "khtml", "gecko", "dns query", "packing t1045", "ransom", "cve", "palantir", "remote", "graham" ], "references": [ "Amnesty.org | remote.amnesty.org", "tulach.cc", "Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP", "Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http", "Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available", "Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi", "Delphi This program must be run under Win32 Compilers", "More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de", "http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}", "Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey", "http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co", "ipv4bot.whatismyipaddress.com", "helloprismatic.com", "https://palantir-staging.staging.candidate.app.paulsjob.ai/", "Brian Sabey", "Christopher P. \u2018Buzz\u2019 Ahmann" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Ransom:Win32/GandCrab", "display_name": "Ransom:Win32/GandCrab", "target": "/malware/Ransom:Win32/GandCrab" }, { "id": "CVE-2023-2868", "display_name": "CVE-2023-2868", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 429, "FileHash-SHA1": 341, "FileHash-SHA256": 2766, "URL": 6976, "domain": 1151, "CVE": 2, "email": 3, "hostname": 2913, "SSLCertFingerprint": 4 }, "indicator_count": 14585, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "91 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693f57720ddcc1a02d19a78f", "name": "GameHack Malware | BeenVerified.com | Information Doman |", "description": "", "modified": "2026-01-14T00:04:33.341000", "created": "2025-12-15T00:33:54.304000", "tags": [ "united", "as13335", "as14061", "cname", "as20940", "date", "name", "status", "present dec", "present nov", "unknown", "body", "cluster", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "search", "read c", "show", "execution", "next", "dock", "write", "capture", "persistence", "local", "copy", "trojan", "win32", "mtb oct", "entries", "passive dns", "next associated", "msr feb", "gmt cache", "ipv4 add", "title", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "flag united", "name servers", "creation date", "emails", "domain name", "expiration date", "servers", "error", "flag", "prefetch8", "prefetch1", "win64", "khtml", "gecko", "pcap frame", "microsoft edge", "strings", "show process", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "network traffic", "ogoogle trust", "pattern match", "path", "hybrid", "cookie", "general", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "spawns", "ssl certificate", "click" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": "693f5674439d297728312967", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1764, "FileHash-SHA256": 1006, "URL": 5427, "domain": 442, "email": 3, "FileHash-MD5": 115, "FileHash-SHA1": 62, "SSLCertFingerprint": 21 }, "indicator_count": 8840, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693f5675e3f12fa3229bdcb3", "name": "BeenVerified.com | Malicious Information Doman |", "description": "34.232.241.155:443 (segment.prod.bidr.io)\t GET\tsegment.prod.bidr.io/associate-segment?buzz_key=tatari&segment_key=tatari-983&value=&uncacheplz=9327084282", "modified": "2026-01-14T00:04:33.341000", "created": "2025-12-15T00:29:41.963000", "tags": [ "united", "as13335", "as14061", "cname", "as20940", "date", "name", "status", "present dec", "present nov", "unknown", "body", "cluster", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "search", "read c", "show", "execution", "next", "dock", "write", "capture", "persistence", "local", "copy", "trojan", "win32", "mtb oct", "entries", "passive dns", "next associated", "msr feb", "gmt cache", "ipv4 add", "title", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "flag united", "name servers", "creation date", "emails", "domain name", "expiration date", "servers", "error", "flag", "prefetch8", "prefetch1", "win64", "khtml", "gecko", "pcap frame", "microsoft edge", "strings", "show process", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "network traffic", "ogoogle trust", "pattern match", "path", "hybrid", "cookie", "general", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "spawns", "ssl certificate", "click" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1764, "FileHash-SHA256": 1006, "URL": 5427, "domain": 442, "email": 3, "FileHash-MD5": 115, "FileHash-SHA1": 62, "SSLCertFingerprint": 21 }, "indicator_count": 8840, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693f5674439d297728312967", "name": "BeenVerified.com | Malicious Information Doman |", "description": "34.232.241.155:443 (segment.prod.bidr.io)\t GET\tsegment.prod.bidr.io/associate-segment?buzz_key=tatari&segment_key=tatari-983&value=&uncacheplz=9327084282", "modified": "2026-01-14T00:04:33.341000", "created": "2025-12-15T00:29:40.025000", "tags": [ "united", "as13335", "as14061", "cname", "as20940", "date", "name", "status", "present dec", "present nov", "unknown", "body", "cluster", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "search", "read c", "show", "execution", "next", "dock", "write", "capture", "persistence", "local", "copy", "trojan", "win32", "mtb oct", "entries", "passive dns", "next associated", "msr feb", "gmt cache", "ipv4 add", "title", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "flag united", "name servers", "creation date", "emails", "domain name", "expiration date", "servers", "error", "flag", "prefetch8", "prefetch1", "win64", "khtml", "gecko", "pcap frame", "microsoft edge", "strings", "show process", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "network traffic", "ogoogle trust", "pattern match", "path", "hybrid", "cookie", "general", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "spawns", "ssl certificate", "click" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1764, "FileHash-SHA256": 1006, "URL": 5427, "domain": 442, "email": 3, "FileHash-MD5": 115, "FileHash-SHA1": 62, "SSLCertFingerprint": 21 }, "indicator_count": 8840, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693f3ef3b05672ba47b903e3", "name": "Create Amazing Password Forms - Project Cicada", "description": "Huge pulse of multiple IoC\u2019 from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | Indont know if it\u2019s related to Havana Syndrome. Is related to State of Colorado , Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free is from UNREASONABLE government intrusion is at the \u201c very core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)", "modified": "2026-01-13T22:02:50.260000", "created": "2025-12-14T22:49:23.114000", "tags": [ "cicada", "project cicada", "united states", "quasi government", "asnone country", "united", "moved", "agent", "meta", "title error", "reverse dns", "servers", "urls", "url analysis", "aaaa", "present dec", "ip address", "america flag", "unknown", "Christopher P. \u2018Buzz\u2019 Ahmann", "brian sabey.", "State of Colorado", "date checked", "url hostname", "server response", "google safe", "results mar", "avast avg", "qualified immunity", "address google", "freeman", "mathis", "special forces", "tailored access", "tao", "hacker force", "infiltrate", "manipulate", "sabotage", "tools", "show", "results nov", "9b", "tao operations", "root9b", "hunt operations", "error mar", "over watch", "overkill", "read c", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "local", "msie", "windows nt", "wow64", "slcc2", "media center", "suspicious_write_exe", "network_icmp", "antisandbox_restart", "creates_largekey", "infostealer_keylogger", "proess_martian", "injection_resumethread", "allocates_rwx", "targeted intelligence", "js_eval", "network_http", "name servers", "value domain", "domain name", "expiration date", "safe browsing", "unknown ns", "record value", "vercel", "certificate", "domain add", "refresh", "encrypt", "x vercel", "k jun", "mtb jul", "next http", "scans record", "value", "deployment not", "ransom", "trojan", "a domains", "safari", "android", "webkit", "animation", "click", "title", "passive dns", "gmt content", "arial helvetica", "ipv4 add", "status", "search", "emails", "as15169 google", "virtool", "cryp", "as396982", "win32", "error", "code", "domain", "showing", "query", "hostile", "observed dns", "et dns", "et info", "dns query", "malware", "push", "gmt cache", "sameorigin", "files", "url add", "http", "related nids", "files location", "flag united", "as44273 host", "hostname add", "unknown aaaa", "win32upatre dec", "mtb dec", "trojandropper", "hstr", "next associated", "backdoor", "entity", "tempe", "present sep", "hostname", "verdict", "lowfi", "usesscrrun", "ipv4", "element", "password", "developers", "create", "forms web", "group", "make sure", "autocomplete", "currentpassword", "make", "extraction", "data upload", "search otx", "ider data", "asn na", "ag da", "source level", "url text", "general full", "url https", "protocol h2", "security tls", "asn16509", "amazon02", "resource", "hash", "as16509", "us note", "route", "redacted for", "script urls", "japan unknown", "present apr", "present mar", "accept", "cookie", "path", "sectigo https", "encrypt https", "log id", "trustasia https", "amazon", "search criteria", "22965417271", "summary leaf", "timestamp entry", "log operator", "https", "script script", "cname", "present jun", "coup", "files ip", "address", "location united", "asn as16509", "color value", "item tile", "gmt max", "primary text", "text color", "play button", "search bar", "dasher", "flag", "bad traffic", "tls handshake", "failure", "analysis tip", "windir", "openurl c", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "network traffic", "beginstring", "show process", "null", "span", "general", "strings", "look", "verify", "restart", "dynamicloader", "ee fc", "yara rule", "ff d5", "c1 e0", "f0 ff", "ff ff", "eb e2", "ed b8", "fe ff", "june", "polymorphic", "network cnc", "cnc", "dead connect", "present nov", "france unknown", "generic http", "exe upload", "uploading exe", "intel", "ms windows", "medium", "http traffic", "monitored target", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "t1071", "t1057", "segoe ui", "script", "html", "body", "twitter", "formbook cnc", "checkin", "pegasus", "get updates", "p2p zeus", "downloader", "mpress", "win32upatre sep", "win32upatre oct", "win32upatre nov", "india unknown", "r61afin", "common upatre", "write c", "cts exe", "ids detections", "open", "present aug", "singapore", "date", "creation date", "pentest people", "tesla hackers", "vietnam unknown", "viet nam", "company limited", "pulse pulses" ], "references": [ "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "dev-app.project-cicada.com \u2022 project-cicada.com", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "api.acumatica.flex.redteam.com", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "https://goo.gl/9p2vKq", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "IDS Detections Gh0stCringe CnC Activity M2", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com" ], "public": 1, "adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Cymt", "display_name": "Cymt", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.AA", "display_name": "TrojanDownloader:Win32/Upatre.AA", "target": "/malware/TrojanDownloader:Win32/Upatre.AA" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win32:MalOb-BX", "display_name": "Win32:MalOb-BX", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "VirTool:Win32/Obfuscator.K", "display_name": "VirTool:Win32/Obfuscator.K", "target": "/malware/VirTool:Win32/Obfuscator.K" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11102, "hostname": 4142, "domain": 4251, "email": 15, "FileHash-SHA256": 3108, "FileHash-MD5": 624, "FileHash-SHA1": 490, "CIDR": 1, "SSLCertFingerprint": 3 }, "indicator_count": 23736, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693de4a8a72cf95b028365f0", "name": "Bot Block 162.159.128.0/19 | X Fake tweets | Tofsee", "description": "Tofsee.Trojan.T malware infection affects infected devices. \n\n\n#unlocked #injection #dead_host #compromised_devices #folk_in _browser #botnets", "modified": "2026-01-12T21:02:35.560000", "created": "2025-12-13T22:11:52.474000", "tags": [ "network", "ip address", "subnet", "dynamicloader", "port", "destination", "high", "windows", "united", "write", "tofsee", "stream", "win64", "push", "urls", "url analysis", "dnssec", "script domains", "encrypt", "url add", "http", "related nids", "flag united", "germany", "address google", "passive dns", "ipv4 add", "files", "asn as13335", "dns resolutions", "domains top", "level", "unique tlds", "location united", "asn asnone", "present dec", "backdoor", "lowfi", "win32autoit mar", "urls show", "date checked", "connection", "httponly", "secure", "path", "expiressat", "dynamic cfray", "medium", "delete c", "displayname", "show", "unknown", "next", "rndhex", "malware", "cname", "next associated", "url hostname", "server response", "google safe", "read c", "unicode", "png image", "rgba", "memcommit", "dock", "execution", "files location", "china flag", "china hostname", "hostname", "domain", "files ip", "address", "asn as45102", "gmt content", "certificate", "associated urls", "location china", "china asn", "as4808 china", "present aug", "object", "present apr", "present oct", "alman", "present sep", "error", "present jul", "rmndrp", "present feb", "expiration", "url https", "url http", "iocs", "review iocs", "expireswed", "samesitenone", "maxage86400", "maxage0", "server", "expires", "victina nulcac", "data upload", "extraction", "enter", "enter source", "url data", "type", "extract indic", "included iocs", "china unknown", "botnet", "folk in browser", "japan unknown", "asnone country", "as13335", "a domains", "script urls", "servers", "title", "moved", "record value", "entries", "whitelisted", "powershell", "xf9xb5xf9", "xxcexf6x8fr", "k2xe7xcbxxeaxa2", "x99x19", "x88yxf9xc858", "x83x12x8da", "zx9bx8ex84", "attempts", "yara detections", "contacted", "tags none", "file type", "pe packer", "dll compilation", "guard", "botnets" ], "references": [ "https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet", "x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )", "foundry.neconsside.com \u2022 http://foundry.neconsside.com", "http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside", "IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America", "Russian Federation", "T\u00fcrkiye", "Netherlands" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "HtBot", "display_name": "HtBot", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1481", "name": "Web Service", "display_name": "T1481 - Web Service" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8145, "domain": 1389, "FileHash-SHA256": 1545, "CIDR": 2, "hostname": 2533, "FileHash-MD5": 209, "FileHash-SHA1": 190, "email": 6, "SSLCertFingerprint": 4 }, "indicator_count": 14023, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693adba47b2cce69440c726a", "name": "TESLA HACKERS | Login Google", "description": "Attackers target victims Google account, Google browser, Google homepage.\n\nTesla Hackers in the job. Tesla hackers are very young , angry, kids who chased target around mercilessly in their vehicles, photographed target, drive threateningly. Nothing sophisticated about the stalker crewl. This is intentional. Finding troubled individuals who are desperate for power is pretty easy. \n\nThe hit men range from gang members, white , black , Hispanic to the highly educated, Hit man who attempted to take target out was a spoiled, angry , aggressive, sneering POC. He walked in Denver. The next morning , the area target was driven if roadway was closed off and filled with a rather large road crew, work continues to work on this area. (Charlie Kirk like). Alleged traffic officer claims cameras pointed in different directions that night. He was identified as a computer science major by a PI. This feels so dangerous.", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T14:56:36.874000", "tags": [ "tlsv1", "united", "oamazon", "cnamazon rsa", "jfif", "ogoogle trust", "cngts ca", "exif standard", "tiff image", "xresolution74", "execution", "dock", "write", "persistence", "malware", "encrypt", "ca https", "no expiration", "iocs", "url https", "enter source", "url or", "text drag", "drop or", "browse to", "select file", "ipv4", "url http", "type indicator", "sec ch", "ch ua", "unknown", "ua full", "ua platform", "as44273 host", "ua bitness", "msie", "chrome", "backdoor", "trojandropper", "passive dns", "forbidden", "body", "twitter", "trojan", "cookie", "title", "windows nt", "wow64", "slcc2", "media center", "read c", "port", "destination", "local", "moved", "integration all", "urls", "files", "reverse dns", "location united", "america flag", "name servers", "hostname", "unique", "expires wed", "gmt date", "server", "date wed", "connection", "use linux", "cybersecurity", "http", "ip address", "files location", "flag united", "win32", "urls show", "date checked", "url hostname", "server response", "virtool", "date hash", "avast avg", "heur", "lowfi", "k sep", "contacted", "related tags", "none file", "type", "present dec", "present nov", "mtb mar", "aaaa", "hacktool", "indicator role", "domain", "url add", "as20940", "as16625 akamai", "present mar", "present may", "as54113", "present apr", "ipv4 add", "url analysis", "servers", "emails", "hostname add", "present aug", "present sep", "present oct", "status", "present jul", "data upload", "extraction", "as208722 yandex", "russia unknown", "a domains", "expirestue", "path", "certificate", "medium", "alerts show", "ck technique", "technique id", "installs", "pe32", "intel", "ms windows", "high", "icmp traffic", "dns query", "packing t1045", "t1045", "screenshots", "file type", "date february", "pm size", "imphash pehash", "guard", "syst", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "spawns", "t1590 gather", "flag", "united kingdom", "command decode", "belgium belgium", "federation", "france france", "ireland ireland", "canada canada", "suricata ipv4", "click", "tesla hackers", "elon musk", "show", "richhash", "external", "virustotal api", "comments", "vendor finding", "notes clamav", "ms defender", "files matching", "copy", "found", "ssl certificate", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "yara rule", "reads", "number", "sample analysis", "hide samples", "entries", "samples show", "next yara", "detections name", "devcv5 ujrb", "ujrb", "uja1t", "show technique", "mitre att", "ck matrix", "ascii text", "pattern match", "sha1", "network traffic", "show process", "general" ], "references": [ "https://www.teslarati.com/spacex", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "https://www.teslarati.com/", "https://www.teslarati.com/spacex", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "Source : Binary File ATT&CK ID T1566.002", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "Detected Non-Google domain serving Google homepage details", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Japan" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "display_name": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "target": "/malware/Ms Defender\tTrojan:Win32/Qbot.KVD!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Jaik-9940406-0", "display_name": "Win.Malware.Jaik-9940406-0", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "display_name": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5894, "FileHash-MD5": 458, "FileHash-SHA1": 305, "FileHash-SHA256": 2481, "SSLCertFingerprint": 26, "hostname": 2406, "domain": 966, "email": 16, "CVE": 1 }, "indicator_count": 12553, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6939d93da11a7d2bf7535ef1", "name": "Tesla Hackers Log In | Disqus", "description": "I\u2019m not for certain when blog \u2018https://pickyhot.disqus.com/tsara-brashears\u2019 first appeared online. It was present in 2016 -2021. It was a porn spewing blog that obviously was full of tools. The lot pics debated targets race , beauty and other silly things. I don\u2019t know if target ever clicked on links. Tesla Hackers have played a major role in attacks against target. I haven\u2019t sifted through all malware yet. \n\n\n - Elon Musk - When Brashears suffered attempted hit on roadway she described suspect as an Elon Musk type, possible, offspring, or someone closely tied to him.", "modified": "2026-01-09T19:02:12.608000", "created": "2025-12-10T20:34:05.903000", "tags": [ "disqus", "disqus.com", "comments", "blog", "blogs", "discussion", "google facebook", "twitter", "microsoft apple", "email", "forgot password", "login", "sign", "general full", "url https", "security tls", "united", "asn54113", "fastly", "reverse dns", "resource", "hash", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "network traffic", "t1057", "path", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "signing defense", "file defense", "read c", "tlsv1", "search", "jfif", "ijg jpeg", "tls handshake", "failure", "show", "port", "execution", "next", "dock", "write", "persistence", "malware", "unknown", "waymo", "tesla", "musk", "austin", "bay area", "tesla ceo", "elon musk", "wednesday", "safety monitor", "synacktiv", "aaaa", "present jul", "status", "asnone country", "as13335", "present sep", "present apr", "present dec", "present jun", "lte all", "search otx", "additionally", "enter source", "url or", "data upload", "extraction", "entries", "present may", "dynamicloader", "as15169", "medium", "write c", "odigicert inc", "windows", "as54113", "worm", "copy", "explorer", "encrypt", "target tsraa brashears" ], "references": [ "http://pickyhot.disqus.com/", "https://www.teslarati.com/tesla-hackers", "https://pickyhot.disqus.com/tsara-brashears", "All tags auto populated including\u2019 Elon Musk\u2019", "Running webserver Running WordPress Running Drupal", "bulletproof.palantirapollo.com \u2022 vpn-etuleusj2dpr.palantirclou", "https://publicsector.google/404-page-not-found/\t \u2022 www.founderstack.pro \u2022 oedfoundation.org", "https://www.founderstack.pro/feedhive \u2022 https://coinbase.getro.com/companies/astar-foundation \u2022 founders-vision.com", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "www.endgame.com", "://blog.endgamesystems.com/ \u2022 http://httpswww.endgamesystems.com\t URL\thttp://wg41xm05b3.endgamesystems.com", "https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com\t\u2022 http://blog.endgamesystems.com", "https://httpswww.endgamesystems.com\t\u2022 https://wg41xm05b3.endgamesystems.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com", "https://blog.endgamesystems.com/\t\u2022 https://blog.endgamesystems.com", "http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/", "http://www.endgamesystems.com/", "Requires further research" ], "public": 1, "adversary": "Tesla Hackers", "targeted_countries": [], "malware_families": [ { "id": "Synacktiv", "display_name": "Synacktiv", "target": null }, { "id": "Tesla Hackers", "display_name": "Tesla Hackers", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Mofksys", "display_name": "Mofksys", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2523, "URL": 6583, "FileHash-SHA256": 1132, "domain": 1483, "FileHash-SHA1": 43, "SSLCertFingerprint": 17, "FileHash-MD5": 109, "email": 2 }, "indicator_count": 11892, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f", "1.bing.com.cn", "api.acumatica.flex.redteam.com", "iot.insitemaxdev.gov2x.com", "freedns.afraid.org", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/", "Tipped: A targets AI and other cyber research findings.", "Domains Contacted: ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}", "https://www.countercept.com/assets/Uploads/whitepapers/MWRI-Countercept-Machine-Learning-Whitepaper-2017-04-01.pdf", "John 12:17", "Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)", "https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/", "https://otx.alienvault.com/indicator/hostname/pegasus.pahamify.com", "http://help.aiseesoft.jp/total-video-converter", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)", "inst.govelopscold.com", "http://appleid.app", "ogads-pa.clients6.google.com \u2022 optimizationguide-pa.googleapis.com \u2022 play.google.com", "asp.net \u2022 cdnsrc.asp.net", "http://docs.duckduckhack.com/frontend-reference/cheat-sheet-reference.html", "http://test-firstmile.digitecgalaxus.ch", "Yare: compromised_site_redirector_fromcharcode", "usw-2-dev.palantirfoundry.com \u2022 lucyw.palantirfoundry.com \u2022 https://fegdip.palantirfoundry.com/", "(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.", "https://prod.centurylinktechnology.com", "IP\u2019s Contacted: 208.91.196.46 209.197.3.8 216.239.32.29 35.186.238.101", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared", "https://clockoutbox.es/password", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "http://cr-malware.testpanw.com/url", "https://vtbehaviour.commondatastorage.googleapis.com/5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469810&Signature=Mj5ODxCW7tD5UNn6P11Ta7F2cmDLSJuEB7JSLFg%2FERfANmnRR5L7XzDwXxI5G48vkQFx0%2FBMtjMLwWHn6ZHKlt13rfzkvoOu5fJ%2Fb5lMJqUp1rSQIG0JLL80QAnXyJf2W8pL7MvK97Tr4jsCIUfd8ezliJtV5SmahV6Q8lYu2KJUnANrHkA10RFrcT4O26Vk7gbDsuC7caDXC6U9KXTTB0cpC77%2FV7w86ftN2JPXx6oEHUvSj02qsvhKwKQvmM", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "tulach.cc", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d", "www.endgame.com", "supply.qld.gov.au", "Alerts: dynamic_function_loading resumethread_remote_process stealth_hiddenreg", "jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com", "Uses code, no phone calls. Connected via instagram.", "Targets associated warned. Not very open to advice.", "http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "http://chaturbate.com/notabottom/\t\u2022 http://chaturbate.com/notabottom/\\", "https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet", "Alerts: cape_detected_threat https_ urls", "us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login", "://blog.endgamesystems.com/ \u2022 http://httpswww.endgamesystems.com\t URL\thttp://wg41xm05b3.endgamesystems.com", "https://vtbehaviour.commondatastorage.googleapis.com/1cf39e937e336af49cc01531f7bb7be83dfa289155a8437a51026a0e7d58f82c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776477807&Signature=oSRFzpQidegADbfg0MoAaOppxJPT%2BHBOfJDD0gT3CsqzdA4Tjoyves4A8yyH%2BI2qY4aff864krjBwpMFqHLhr4ph8NiNxA9fALzN1Tp4DVT5dD%2FeWXgVIj8kxAH%2BzCGLgscgTkiLeb5E6Zv0SQy%2By%2B3ASvjo1VRj4FLsixsH6uU6QKX0UmF2IPqI5UtfPUrb76d1fddT1PAGmtP1q6YxY44QADQhIxF6Y4MB4iqEVd2ItuD0eL", "ConventionEngine_Anomaly_MultiPDB_Double", "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "IPv4 13.107.253.70 exploit_source \u2022 IPv4 13.107.226.70 malware_hosting", "us-gov-west-1.gov.reveal-global.com", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "https://www.redporn.video/tsara-brashears-slandered-.htm \u2022 www.redporn.video \u2022 http://www.redporn", "https://publicsector.google/404-page-not-found/\t \u2022 www.founderstack.pro \u2022 oedfoundation.org", "https://pegasus.pahamify.com/", "78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh", "https://action.aiseesoft.jp/itunes.php", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "https://securityaffairs.com/144927/cyber-crime~#", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com", "https://www.founderstack.pro/feedhive \u2022 https://coinbase.getro.com/companies/astar-foundation \u2022 founders-vision.com", "ddg.gg \u2022 http://ddg.gg/?q=corezuelo \u2022 http://ddg.gg/?q=embozalar", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "dev-app.project-cicada.com \u2022 project-cicada.com", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "Connects to all NEW targets key contacts main targets contacts.", "direwolf-8b1a1bc476.staging.herokuappdev.com", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "Domains Contacted: www.download.windowsupdate.com www.microsoft.com cacerts.digicert.com duckduckgo.com ,", "What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "7box.vip", "http://www.endgamesystems.com/", "httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com www.google.com", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "IDS Detections: OpenSSL Demo CA - Internet Widgits Pty (O)", "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center", "Pegasus | A targets devices are obviously infiltrated", "Alerts: antiav_detectreg antivm_bochs_keys antivm_generic_disk infostealer_mail injection_write", "http://r13.c.lencr.org/24.crl \u2022 http://r13.i.lencr.org/", "www.cam4.page \u2022 campaigncdn.com \u2022 accesscam.org", "https://www.teslarati.com/spacex", "https://bhive.nectar.social/rKvoMY", "https://freedns.afraid.org/images/exclamation", "114.114.114.114 = Tulach", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.justice.gov/opa/pr/departmen.t", "Win.Malware.Unruy-6912804-0 IDS Detections: Win32/Unruy.C Activity 403 Forbidden", "http://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "Running webserver Running WordPress Running Drupal", "http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "http://help.aiseesoft.jp/blu-ray-player", "https://www.phantomcameras.cn/applications/where/piv", "foundry.neconsside.com \u2022 http://foundry.neconsside.com", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://hybrid-analysis.com/sample/529a0b900eef6657ce6c98b1b5bccebe6db2e021aa02a316b7eb2604df810d3f/69de30ef0a22c3b506077a8c", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "duck.ai \u2022 https://duck.ai/chat phishing", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "https://duck.ai/apple-touch-icon.png", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "Alerts: suspicious_command_tools anomalous_deletefile mouse_movement_detect", "PE Version Information : TJprojMain.exe", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "ns4-04.azure-dns.info", "64.38.232.180 - Adult Content IP", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "files.catbox.moe", "No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]", "Alerts: suspicious_iocontrol_codes infostealer_cookies persistence_autorun antisandbox_sleep", "http://dasima-containers.palantirfoundry.com/ \u2022 https://glare.palantirfoundry.com/", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company", "www.killer333.club So I\u2019m right.", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "https://vtbehaviour.commondatastorage.googleapis.com/5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469831&Signature=ZlRZLvCaJ%2F9niupu9DFCvXvfgFpDEOsK%2FsH46CB2zEVUDjcQRNMDp9XXKKx0dekmHQbhl02yqygHPOA8Wty5duGtK216QCvKNkYpbpdOjN7xgAg3AsldciWbqeJr8N4I%2F1%2FPRSdVfB%2BNGaBJKxZG1RQkX206MSvX%2BeY%2FdeEYpq3NYdrPWlxdV0pa3yaqcMrf2s%2FCFSM%2FdO3xt5PKyXWG%2FDCNM5iiuXh8OT2ckhZhf%", "207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Contacted Google services", "campdeadwood2026.com", "https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!", "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "http://wonporn.com/top/Pakistani_Sucking", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "ipv4bot.whatismyipaddress.com", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97", "Pornhub to your phone. Dumping or by request?", "https://chaturbate.com/notabottom/", "wg41xm05b3.endgamesystems.com\t\u2022 http://blog.endgamesystems.com", "https://feedback.ptv.vic.gov.au/360", "engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://blog.endgamesystems.com/\t\u2022 https://blog.endgamesystems.com", "apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net", "http://pickyhot.disqus.com/", "https://nextcloud.simonduffey.ch", "http://blackrock.work.gd/", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "Luxury Apartments and Townhome communities do use Foundry Palantir", "https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP", "http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/", "www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019", "Alerts: network_icmp nolookup_communication antisandbox_idletime antisandbox_sleep_exception", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content", "metropcs.com/account/sign-in.html", "xred.mooo.com \u2022 mooo.com \u2022 afraid.org", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content", "https://cms.medicarementalhealthcheckin.gov.au", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "Alerts: network_cnc_http network_http nids_alert allocates_rwx antivm_network_adapters", "132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center", "https://trade.kraken.com/charts/KRAKEN:APT-USD>+y", "Accurately tipped about air travel safety. In past. Proven true.", "http://help.aiseesoft.jp/total-video-converter/", "equilibrium.palantirfoundry.com \u2022 kt-presales.palantirfoundry.com \u2022 paloma.palantirfoundry.com", "http://www.phonefactor.com/PfPaWs/ConfirmActivation", "api.optimizer.insitemaxdev.gov2x.com", "(legitimate services will remain up-and-running usually) High | ID dead_host", "https://apps.apple.com/app/", "Redline: https://otx.alienvault.com/otxapi/indicators/file/screenshot/316c67e7150c6841d0d40a180bba390793ffeb9edfb8ec0321e1a16e97f68722", "https://goo.gl/9p2vKq", "ET Telnet | https://www.colocrossing.com | velocity servers", "aotx.alienvault.com (aotx.?)", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "Yara Detections is__elf , ELFHighEntropy , elf_empty_sections", "Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Alerts: injection_process_search protection_rx", "https://inbound-message-listener-temporary-testing.palantirfoundry.com", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "internationalfrontier.com", "More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "anyconnect.online", "Follow up need. This is a serious financial crime following the victims.", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "https://vtbehaviour.commondatastorage.googleapis.com/2533042959ad1fe050d14ab7536126910a2d240992bff397640382472b6a7c69_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469608&Signature=fK1I2%2FxXVm0l3ZiELwtstes8iVN402Ww%2By%2BgvxYOB0LiC2iO3J9cedWJk1hMIr4IfLSGKprfui8vANzR%2BkWfSd594S%2FFe9A59YKyOA2MFmQTBRXVy6O3xF1e1lPETp5Md%2FbGJCOzrZxdHyReyuk7cgdDDBAewptjJhfTYxql7F9X%2FB4qe9BYWPrvned2fFWfU%2F4G%2F4UBqY9Jj%2BG1CTP%2FaGqOdWFs0Q5cPYZ4bytp", "http://wg41xm05b3.endgamesystems.com/", "Alerts: persistence_autorun_tasks polymorphic procmem_yara static_pe_anomaly antiav_detectfile", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "Foundry Palantir still has a presence in Colorado", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "Victims have lost financial assets, jobs, vehicles", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com", "Tulach\u2019s ASP.Net Open Source destruction", "https://eliyporasa - Adult Content", "www.anyxxxtube.net - Adult Content IP", "https://palapa.c.id\t (c.id)", "http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content", "https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com", "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!", "https://nextcloud.paroxity.org/", "https://www.teslarati.com/tesla-hackers", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com", "go.trckclick.xyz \u2022 att.trk.173trk.com", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "IDS Detections: Query to a *.pw domain - Likely Hostile", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "accounts.google.com \u2022 apis.google.com clients2.google.com \u2022 clients2.googleusercontent.com", "edge-mobile-static.azureedge.net", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "ns4-04.azure-dns.info danilovst) ns4-04.azure-dns.info", "medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com", "www.anyxxxtube.net - Adult Content", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "https://www.endgames.us \u2022 https://www.endgames.us/", "Alerts: network_http antisandbox_sleep creates_exe dropper stealth_window", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "js-cdn.music.apple.com \u2022 23.78.51.170", "website \u2022 http://oldapps.com/blender.php?old_blender=7584", "http://help.aiseesoft.jp/video-converter-ultimate/", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d", "https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "iPhone Spyware - https://bam.nr-data.net/1/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/&ap=123&fe=4218&dc=4218&af=err", "https://brand2.centurylinktechnology.com", "https://www.anyxxxtube.net/search-porn/", "ASN 82.80.204.63 www5.incredimail.com \u2022 Israel", "Hours after files were deemed malicious. We powered on targeted Smart TV", "http://www.internationalfrontier.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "External Hosts Israel Unique Countries 2 Unique ASNs 2 IP", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "http://truefoundry.prodigaltech.com/", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "loophole.outlook89.accesscam.org", "www.onyx-ware.com \u2022 endgamesystems.com", "https://hello.riskxchange.co/api/mailings/unsubscribe", "https://vtbehaviour.commondatastorage.googleapis.com/6c39ae0368703f254070a0648c0066115140c3e762d9bf5b52833a037a1e3743_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469752&Signature=Df%2Bamm33qFPdsDg6nWC5FQjse7h4fksSXqONp4nMEItb0gpBwqx66TqcCnFzQplUk6ExMge79qNZR2OElv63sX54D4fSGwI9nvHYhQoiVdZIgf4ct8dIAr%2BYO9jSx0WpPUVFsvf%2FXtXvm6jM5n5v7CGiyFRyAz8PES5g%2FcOlLt%2BDhsc8bhi%2FMU9mAkyyr5nFVPcTmUSHOTNXOeKDUlyRkQE6b9FEbFhUL1h3%2B%2FBVtysh", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "guidepaparazzisurface.com", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "http://docs.duckduckhack.com/walkthroughs/programming-syntax.html", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "www.fireeye.com", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "https://listeners.usw-16.palantirfoundry.com \u2022 https://pacificlife.palantirfoundry.com/", "207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network", "Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains", "bulletproof.palantirapollo.com \u2022 vpn-etuleusj2dpr.palantirclou", "www.phantomcameras.cn", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "www.fireeye.com .", "https://www.google-analytics.com/r/collect?v=1&_v=j83&a=1390847564&t=pageview&_s=1&dl=https%3A%2F%2Fchaturbate.com%2Fnotabottom%2F&ul=en-us&de=utf-8&dt=Chaturbate%20-%20100%25%20Free%20Chat%20%26%20Webcams&sd=32-bit&sr=1024x768&vp=780x439&je=0&_u=YEBAAE~&jid=915940444&gjid=1686072238&cid=922362881.1595496808&tid=UA-23607725-1&_gid=1317601001.1595496808&_r=1&cd1=chaturbate.com&cd2=&cd3=-&cd4=&cd5=anonymous&z=762468946", "Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado", "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot", "Brian Sabey", "Attacker being used by several legal entities attacking a target\u2019s family", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "Alerts: packer_entropy antivm_queries_computername checks_debugger console_output", "AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel", "https://pickyhot.disqus.com/tsara-brashears", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "A man claiming to have the name Sebastian is communicating with targets love one", "https://www.phantomcameras.cn.bscedge.com", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "https://kb.drakesoftware.com/Site/Browse/15183/State", "Alerts: console_output has_pdb pe_unknown_resource_name", "IDS Detections Win32/Unruy.C Activity \u2022 403 Forbidden", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Some Colorado communities have been taken over by the State Government", "https://otx.alienvault.com/indicator/ip/3.163.24.10", "https://podcasts.apple.com/us/podcast/lazarus", "Domains Contacted: drive.usercontent.google.com", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "marriott-control-prd.accenture.cn", "IDS Detection: Observed Cloudflare DNS over HTTPS \u2022 Domain (cloudflare-dns .com in TLS SNI)", "SERVICE NAME: SSDPSRV \u2022 Delete upnphost\tDelete \u2022 GoogleChromeElevationService", "https://palantir-staging.staging.candidate.app.paulsjob.ai/", "Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available", "podcasts.apple.com \u2022 23.34.32.21", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]", "asp.bet", "Sprouts Farmers Market", "www.apple.com \u2022 23.34.32.199", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "smtp.google.com \u2022 www.google.com/images/errors/robot.png", "aptia.palantirfoundry.com \u2022 palantirfoundry.com \u2022\u2019agent-infra-mojito.palantirfoundry.com", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "passwordresetalcb.accenture.cn", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "https://httpswww.endgamesystems.com\t\u2022 https://wg41xm05b3.endgamesystems.com", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\", "22.hio52.r.cloudfront.net", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "IDS Detections ET POLICY Suspicious User-Agent Containing .exe", "https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content", "https://elegantcosmedampyeah.pages.dev/", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "This is hard to comprehend or put into indelible words.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "target.id \u2022 tostring.call \u2022 title.search", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "https://www.mof.gov.cn.lxcvc.com/", "IP\u2019s Contacted: 142.250.74.68 142.250.74.99 18.66.121.69 185.53.179.170 2.22.41.134 204.79.197.200", "External Hosts: 52.57.183.74\t access.pcspeedcat.com\taccess.pcspeedcat.com\tGermany\tAS16509 amazon.com inc\taccess.pcspeedcat.com Germany AS16509 amazon.", "After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome", "http://up.chenmin.org/login/jquery.min.js", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "https://uhsinc.palantirfoundry.com/ \u2022 https://velocityglobal.palantirfoundry.com", "okta-dev.gov2x.com", "Malicious Application Development: herokuappdev.com (Patter match 8 years +)", "https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content", "Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "http://dict.bing.com.cn/cloudwidget/Scripts/Generated/BingTranslate_Hover_Phrase_Selection_ShowIcon.js';script.onload=INIT;document.body.appendChild(script", "https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "Startul ErrorPageTemplate[1] netcore, BouncyCastle.", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd45176426a", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "52.250.42.157 scanning_host", "https://mobile-pocket-guide.centurylinktechnology.com", "Tulach.cc", "http://mail.saynextapp.accesscam.org/", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/", "https://otx.alienvault.com/indicator/file/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "The Blender Foundation", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "pcup.gov.ph:", "http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l", "Yara Detections is__elf", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "Requires further research", "https://brand.centurylinktechnology.com", "Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit", "sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022", "Sabey , Ahmann, Quasi Government, Government", "https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet", "https://wes.palantirfoundry.com/ \u2022 http://utilities-bootcamp.palantirfoundry.com/", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP", "http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP", "cdn.rss.applemarketingtools.com", "Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "Detected Non-Google domain serving Google homepage details", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://sissy.com/default - Adult Content", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )", "Found in : https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "https://pegasus.pahamify.com/ \u2022 https://pegasus.pahamify.com/study-plan/ \u2022 pegasus.pahamify.com", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "IP\u2019s Contacted: 104.18.11.39 104.73.1.162 142.93.108.213 52.250.42.157 72.21.81.240", "Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "danilovstyle.ru", "ET TROJAN W32/Kegotip CnC Beacon", "accenture.cn", "cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net", "FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "Source : Binary File ATT&CK ID T1566.002", "jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP", "https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"", "helloprismatic.com", "Domains Contacted: d38psrni17bvxu.cloudfront.net www2.megawebfind.com www6.megawebfind.com", "I need some help.", "In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc", "External Hosts: 3.163.24.10\t www.pcspeedcat.com\twww.pcspeedcat.com\tUnited States ASNone", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.afa33b71-01ea-477c-bc01-f6a3ab623e9d/master", "142.251.9.95 \u2022 https://clients2.google.com/cr/report \u2022 accounts.google.com \u2022", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672", "Malware Hosting: 13.107.226.70", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "Win.Packed.Reline-9875163-0", "Malicious Application Development: herokuappdev.com (pattern matching spans 8+ years)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "We have foot soldiers. Be aware", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "https://wsps.ourschoolpages.com/Account/ForgotPasswor (typo", "https://api.manus.im/api/oauth2_callback/apple", "http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/", "http://www.duckduckhack.com \u2022 docs.duckduckhack.com", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "165.206.254.134 \u2022 Description: CC=US ASN=AS6122", "Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company", "http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co", "https://otx.alienvault.com/indicator/url/https://pegasus.pahamify.com/", "authrootstl.cab common file extension", "United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel", "Worm:Win32/Mofksys.RND!MTB | Yara Detections: SUSP_Imphash_Mar23_2", "https://duck.ai/chat?q=tsara+brashears+hacked&t=iphone:", "verify.gov.tl", "Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "sprouts@em.sprouts.com?", "Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http", "TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host", "biblegateway.comwww.biblegateway.com \u2022 www.biblegateway.com", "https://glare.pali om. \u2022 http://engage.palantirfou?", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "developer.x.com", "Tipped of new looming airline threats", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "ASP. NET", "http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "Verification failure observed in automated verification handlers during sandbox replay.", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration", "https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2", "http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "All tags auto populated including\u2019 Elon Musk\u2019", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd458176426a", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "admin@bigtits.com", "http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org", "https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e", "Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download", "Amnesty.org | remote.amnesty.org", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "http://glare.palantirfoundry.com/ \u2022 https://woodward.palantirfoundry.com/", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2", "UPX_OEP_place", "Google android-cts-7.1_r6-linux_x86-arm.zip", "Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com", "www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as", "https://www.endgamesystems.com/ \u2022 https://www.endgames.com/", "git.spywarewatchdog.org", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://hypic-anaivsis.com/sambrerb/a0p9veebo", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: antivm_generic_bios antivm_firmware antivm_vmware_in_instruction dumped_buffer", "https://apple.btprmjo.cc/", "https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com", "Alerts: antivm_memory_available pe_features raises", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "marriott-datacenter-prd.accenture.cn", "Foundry Foot Soldiers are still in Colorado targeting innocents", "https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main", "cedevice.io \u2022 decagonsoftware.com", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/", "this.target", "oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download", "iPhone Spyware - https://bam.nr-data.net/jserrors/ping/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/", "Christopher P. \u2018Buzz\u2019 Ahmann", "https://www.fidelity.com/ https://www.fidelity.com/", "https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c", "codewiki.google", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "Delphi This program must be run under Win32 Compilers", "http://help.aiseesoft.jp/fonelab/", "asp.net domain pointer", "IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82", "95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.", "https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/", "ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0", "(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.", "http://www.anyxxxtube.net/search-porn/ - Adult Content", "update.googleapis.com \u2022 www.google.com \u2022 clientservices.googleapis.com", "Information gathered equals 2 pulses. Pulse (1) included", "http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP", "http://firstmile.digitecgalaxus.ch", "I would post his public information. It may be unwise.", "Domains Contacted api.nuget.org", "open.spotify.com \u2022", "https://www.teslarati.com/", "IDS Detections Gh0stCringe CnC Activity M2", "MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "https://www.colocrossing.com/", "supplierportal.gov2x.com", "https://jviwczq.zc-apple.com/", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Scanning Host: 13.107.246.70", "https://www.red-gate.com/products/smartassembly", "By remote view of NEW targeys view, all key calls are routed through him.", "Are these table SolarWinds attackers? Using same tacktics, good? Unsure.", "http://www.crazyfrost.com\t\u2022 http://www.crazyfrost", "FileHash-SHA256\t9f66cab9d7c581cf2dd28b6ae3178bb3d38975ff257c3ffb67c3e89d0f7135ee", "104.21.51.140, 172.67.181.41", "applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com", "stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe", "http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content", "https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com", "https://target.tccwest.www.littleswimmers.fr/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "Tesla Hackers" ], "malware_families": [ "Alf:program:win32/webcompanion", "Win.malware.jaik-9968280-0", "#lowfi:win32/autoit", "Trendmicro", "Darkmoon", "W32/kegotip cnc", "Pahamify pegasus", "Virtool:win32/ceeinject.gen!ah", "Trojandownloader:win32/cutwail", "Worm:win32/autorun", "Alf:hstr:trojan:win32/disableuac.a!bit", "Win.trojan.ramnit-1847", "#lowfienabledtcontinueafterunpacking", "Trojandownloader:win32/cutwail.bs", "Lumen ip", "Trojan:bat/musecador", "Cve-2023-2868", "Ransom:win32/crowti.a", ": alf:trojan:msil/azorult.ac!", "Win.trojan.injector-12138", "Generic36.adty", "Et", "Cassini", "Win.packed.reline-9875163-0", "Alf:trojan:win32/cryptwrapper.rt!mtb", "Win32:hacktoolx-gen\\ [trj]", "Win32:trojanx-gen\\ [trj]", "Trojan:win32/zombie.a", "Trojan:pdf/phish.rr!mtb", "Win32:evo-gen\\ [susp]", "Ransom:win32/gandcrab", "Sf:shellcode-au\\ [trj]", "Trojan:msil/ursu.kp", "Generic36.ajsm", "Downloader.generic13.bobz", "Win.trojan.installcore-877", "Win.downloader.3867-1", "Win32.injector", "Downloader.generic13.cmtw", "Trojan:win32/ausiv!rfn", "Mirai", "Win.packed.stealerc-10017074-0", "Win.trojan.vbgeneric-6735875-0", "Win.malware.msilperseus-6989564-0", "Win.malware.jaik-9940406-0", "Unix.trojan.darknexus-7679166-0", "Worm:win32/autorun!atmn", "Node traffic", "Htbot", "Win32:malware-gen", "Sf:shellcode-au", "Pandex!gen1", "Virtool:msil/mousewe.a!mtb", "Bouncycastle", "Alf:jasyp:trojan:win32/genmaldown!atmn", "\u2019m", "Win32:trojano-chf\\ [trj]", "Hider.biy", "Alf:hacktool:msil/heartsender.a", "Autorun", "Hacktool:msil/boilod.c!bit", "Zbot", "Exploit:win32/cve-2017-0147", "Win.trojan.fareit-82", "Win.trojan.barys-10005825-0", "Win.malware.snojan-6775202-0", "Win.trojan.agent-245901", "Nufs_unicode", "Trojandownloader:win32/upatre.aa", "Virtool:win32/obfuscator.k", "Win32/virut", "Generic36.aiaa.dropper", "Tesla hackers", "Appleservice", "Alf:heraklezeval:trojan:win32/eqtonex.f", "Trojan:win32/comisproc!gmb i", "Win.trojan.fenomengame-14", "Trojan:win32/miner.ka!mtb", "Win32/ramnit.a", "Worm:win32/lightmoon.h", "Worm:win32/mofksys.rnd!mtb", "Elf:mirai-gh\\ [trj]", "Dnstrojan", "Alf:trojan:win64/psbanker", "Bible gateway", "Win32:malob-bx", "Trojan:win32/conbea!rfn", "Win.malware.incredimail-6804483-0", "Alf:jasyp:trojan:win32/ircbot!atmn", "Slf:win64/cobpipe.a", "Alf:heraklezeval:trojan:win32/clipbanker", "Trojan.tofsee/botx", "Trojandropper:win32/vb.il", "Unix.dropper.mirai-7135870-0", "Worm.autorun-6180", "Trojandropper:win32/qhost", "Unknown malware \u2018can't access file\u2019", "Tulach", "Upatre", "Elf:ddos-s\\ [trj]", "Win.packed.generic-9967832-0", "Win.trojan.fenomengame-8", "Malware packed", "Win.ransomware.tofsee-10015002", "Tofsee attack", "Trojan:win32/eyestye.t", "W32.virut.ci", "Win.trojan.rootkit-4532", "Worm:win32/mydoom", "Alf:jasyp:trojan:win32/adialer", "Doc.downloader.emotetred02220-9938909-0", "Win.trojan.pushdo-15", "Win.downloader.small", "Cymt", "Backdoor:win32/tofsee", "Win.dropper.poisonivy-9876745-0", "Pegasus", "Polyransom", "Win64:trojan-gen", "Win.malware.unruy-6912804-0", "Synacktiv", "Win.malware.generic-9871124-0", "Trojanspy:win32/usteal", "Hacktool:win32/cobaltstrike.a", "Worm:win32/benjamin", "Ms defender\ttrojan:win32/qbot.kvd!mtb", "Win.malware.speedcat-6957425", "Alf:heraklezeval:pua:win32/4shared", "Win.trojan.emotet-9850453-0", "Emotet", "Alf:jasyp:pua:win32/4shared", "Win32/blacked", "#lowfi:hookwowlow", "Eternalrocks", "Autoit", "Alf:heraklezeval:trojan:msil/gravityrat", "Win.trojan.gh0strat-9955419-1", "Win.trojan.cobaltstrike-9044898-1", "Mirai sim swap", "Pws:win32/axespec.a", "Tibs", "Trojanspy:msil/yakbeex.a", "Win.trojan.agent", "Win.packed.eyestye-9754938-0", "Trojandropper:win32/muldrop", "Mofksys", "Ransom:win32/sodinokibicrypt.sk!mtb", "Other malware", "Alf:trojan:win32/anorocuriv.a", "Tofsee", "Trojanspy", "Eyestye", "Unix.trojan.gafgyt-6981154-0", "Trojan:o97m/madeba.a!det" ], "industries": [ "Civil society", "Government", "Insurance", "Telecommunications", "Entertainment", "Technology", "Financial", "Finance", "Healthcare", "Irs", "Retail", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in" ], "unique_indicators": 350925 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/aabb88.cc", "whois": "http://whois.domaintools.com/aabb88.cc", "domain": "aabb88.cc", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 45, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "14 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e2e5ed5d25f6949b1d752b", "name": "CAPE Sandbox- The Unified Layer", "description": "\"A public key has been issued by the US government to secure the signature of US President Barack Obama and US Secretary of State John Kerry, who both want to use it to send their private messages.\"", "modified": "2026-04-18T04:07:44.254000", "created": "2026-04-18T02:01:17.468000", "tags": [ "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr11", "validity", "subject public", "key info", "key algorithm", "certificate", "eig network", "nethandle", "net162", "net1620000", "layer", "blueh2", "layer orgid", "south", "east city", "settings", "first counter", "default", "inprocserver32", "mbisslshort", "bearer", "mwdb", "bazaar", "sha3384", "ssdeep", "info", "bridge", "accept", "date", "agent", "shutdown", "root", "back" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/1cf39e937e336af49cc01531f7bb7be83dfa289155a8437a51026a0e7d58f82c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776477807&Signature=oSRFzpQidegADbfg0MoAaOppxJPT%2BHBOfJDD0gT3CsqzdA4Tjoyves4A8yyH%2BI2qY4aff864krjBwpMFqHLhr4ph8NiNxA9fALzN1Tp4DVT5dD%2FeWXgVIj8kxAH%2BzCGLgscgTkiLeb5E6Zv0SQy%2By%2B3ASvjo1VRj4FLsixsH6uU6QKX0UmF2IPqI5UtfPUrb76d1fddT1PAGmtP1q6YxY44QADQhIxF6Y4MB4iqEVd2ItuD0eL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 69, "FileHash-SHA256": 274, "hostname": 328, "CIDR": 1, "URL": 229, "email": 2, "IPv4": 152, "domain": 60, "FileHash-MD5": 587, "CVE": 1 }, "indicator_count": 1703, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b908eb4a06b82d61c7c47d", "name": "Civil Rights. Wow.", "description": "Pulses: A full list of keywords, phrases, and statistics (1.1-2.4 million characters) - the full set of words, which can be accessed with a mouse.<--- pretext my own experimet : 50756c7365733a20412066756c6c206c697374206f66206b6579776f7264732c20706872617365732c20616e6420737461746973746963732028312e312d322e34206d696c6c696f6e206368617261637465727329202d207468652066756c6c20736574206f6620776f7264732c2077686963682063616e20626520616363657373656420776974682061206d6f7573652e\nHashes\nMD5: 887fda95f95104ed9bf8c4e8614e0b7a\nSHA-1: 307f07dc6036d04ef5e0da8a6f9eaefd5282c2c7\nSHA-2 (SHA-256): 22be0871410e9f0057cc2f754796c360cf3b9cd39f682ff733441ace4c726795", "modified": "2026-04-16T08:05:04.592000", "created": "2026-03-17T07:55:23.062000", "tags": [ "ids detections", "pulse pulses", "av detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "tls handshake", "failure yara" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 44, "FileHash-SHA1": 22, "FileHash-SHA256": 147, "hostname": 77, "domain": 143, "URL": 75, "email": 2, "JA3": 2, "CVE": 1 }, "indicator_count": 513, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69decb6dd1bd6da78fc72d0a", "name": "Solarwinds Similarties? Tactics ASP.Net IoC\u2019s ISOLATED", "description": "Does this have similarities to the SolarWinds Attack? Anyone?\n\nASP.NET is a web application framework created by Microsoft for building dynamic web applications.\nIt enables developers to create web pages that can interact with databases and respond to user inputs.\nASP.NET supports various programming languages, including C# and VB.NET.\nContext: ASP.NET is widely used for developing modern web applications and services. It allows developers to create interactive and data-driven web pages that can run on various operating systems, including Windows, Linux, and macOS. The framework is open-source and supports various architectures, including MVC (Model-View-Controller) and Web API, which facilitate the organization and development of complex applications.\nIn many instances ASP.net has been seen connected to malicious Tulach , Apple , a browser agent that transmits data to New Relic's collectors by using either of the domains bam.nr-data.net or bam-cell.nr-data.net.", "modified": "2026-04-14T23:19:09.495000", "created": "2026-04-14T23:19:09.495000", "tags": [ "united", "aaaa", "certificate", "error", "read c", "rgba", "unicode", "memcommit", "delete", "dock", "execution", "command decode", "suricata ipv4", "suricata tcpv4", "flag", "localappdata", "windir", "openurl c", "programfiles", "suricata udpv4", "win64", "click", "strings", "anon", "username", "userprofile", "mitre att", "ck id", "ck matrix", "appdata", "comspec", "model", "path", "april", "hybrid", "general", "learn", "suspicious", "informative", "adversaries", "command", "spawns", "ck techniques", "mtb apr", "exploit", "trojan", "backdoor", "please", "x msedge", "all ipv4", "ransom", "date hash", "avast avg", "win32orbus apr", "dynamicloader", "yara rule", "high", "tofsee", "rndhex", "rndchar", "loaderid", "lidfileupd", "localcfg", "write", "stream", "push", "mtb alerts", "ee fc", "ff d5", "lredmond", "malware", "msie", "windows nt", "wow64", "slcc2", "media center", "yara detections", "av detections", "ids detections", "hostile", "unknown", "extraction", "data upload", "failed", "include review", "stop data", "typ url", "url data", "typ no", "th all", "stop", "port", "destination", "ds detections", "tls sni", "nrv2x", "upxoepplace", "alerts", "contacted", "markus", "hostile alerts", "less see", "all ip", "tulach", "brian sabey", "quasi", "link", "script urls", "record value", "script domains", "fireeye", "create c", "as15169", "next", "all url", "http", "related pulses", "related tags", "google safe", "code", "y se", "included review", "io excluded", "suggeste", "ipv4", "unknown ns", "redacted admin", "fax redacted", "name redacted", "phone redacted", "code redacted", "redacted tech", "christopher ahmann", "solarwinds like?" ], "references": [ "asp.net \u2022 cdnsrc.asp.net", "https://www.countercept.com/assets/Uploads/whitepapers/MWRI-Countercept-Machine-Learning-Whitepaper-2017-04-01.pdf", "http://www.phonefactor.com/PfPaWs/ConfirmActivation", "IPv4 13.107.253.70 exploit_source \u2022 IPv4 13.107.226.70 malware_hosting", "https://wsps.ourschoolpages.com/Account/ForgotPasswor (typo", "https://hybrid-analysis.com/sample/529a0b900eef6657ce6c98b1b5bccebe6db2e021aa02a316b7eb2604df810d3f/69de30ef0a22c3b506077a8c", "www.fireeye.com", "danilovstyle.ru", "ns4-04.azure-dns.info", "ns4-04.azure-dns.info danilovst) ns4-04.azure-dns.info", "www.fireeye.com .", "https://hypic-anaivsis.com/sambrerb/a0p9veebo", "Are these table SolarWinds attackers? Using same tacktics, good? Unsure.", "Tulach\u2019s ASP.Net Open Source destruction" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/SodinokibiCrypt.SK!MTB", "display_name": "Ransom:Win32/SodinokibiCrypt.SK!MTB", "target": "/malware/Ransom:Win32/SodinokibiCrypt.SK!MTB" }, { "id": "Win.Ransomware.Tofsee-10015002", "display_name": "Win.Ransomware.Tofsee-10015002", "target": null }, { "id": "Trojan:Win32/Comisproc!gmb I", "display_name": "Trojan:Win32/Comisproc!gmb I", "target": "/malware/Trojan:Win32/Comisproc!gmb I" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 88, "FileHash-MD5": 211, "FileHash-SHA1": 186, "FileHash-SHA256": 1366, "URL": 1848, "domain": 418, "email": 4, "hostname": 622, "SSLCertFingerprint": 21 }, "indicator_count": 4764, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ddeb45c45f6a3cd721397d", "name": "Active attacks \u2022 Apple \u2022 Tulach", "description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious", "modified": "2026-04-14T07:22:45.250000", "created": "2026-04-14T07:22:45.250000", "tags": [ "url http", "ipv4", "indicator role", "active related", "united", "moved", "gmt content", "certificate", "all domain", "msie", "chrome", "extraction", "data upload", "twitter", "cookie", "extra", "include data", "review locs", "exclude", "suggested os", "onlv", "failed", "stop data", "read c", "unicode", "rgba", "memcommit", "delete", "dock", "write", "execution", "sc type", "extri", "include review", "exclude sugges", "typ data", "a domains", "present apr", "script urls", "files", "files ip", "address", "ios", "mac", "apple", "appleid", "itunes", "next associated", "all ipv4", "included ic", "uny teade", "type hostnar", "hostnar hostnar", "hostnar", "macair", "macairaustralia", "ipad", "ipod", "cryptexportkey", "invalid pointer", "cryptgenkey", "stream", "defender", "delphi", "class", "stack", "format", "unknown", "united states", "phishing", "password", "traffic redirected", "service mod", "service execution", "youtube", "music", "streams", "songs", "played songs", "music streams", "most played", "fonelab", "indicator", "included iocs", "manually add", "review ocs", "exclude inn", "sugges data", "find", "include", "url https", "enter sc", "type", "no matchme", "search otx", "https", "references x", "analyze", "open th", "url data", "se http", "no match", "excluded iocs", "iocs", "ip whitelisted", "whitelisted", "tcp include", "analysis date", "file score", "medium risk", "yara detections", "contacted", "related tags", "x vercel", "file type", "type indicator", "role title", "related pulses", "mulch virtua", "library loade", "included i0", "review ioc", "excluded ic", "suggested", "find sugt", "samuel tulach", "unity engine", "tulach", "sa awareness", "sabey", "sar cut", "autofill", "includer review", "portiana oney", "targeting", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "musickit_1_.js", "lazarus", "injection", "CVE-2017-8570", "prefetch2", "target", "aaaa", "ip address", "record value", "emails", "samuel tuachs", "sapev", "review exclude", "monitored target", "script", "mitre att", "ascii text", "span", "path", "iframe", "april", "hybrid", "general", "local", "click", "strings", "body", "development att", "t1055.012 list planting", "active" ], "references": [ "https://trade.kraken.com/charts/KRAKEN:APT-USD>+y", "https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/", "https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/", "https://podcasts.apple.com/us/podcast/lazarus", "http://help.aiseesoft.jp/video-converter-ultimate/", "http://help.aiseesoft.jp/blu-ray-player", "http://help.aiseesoft.jp/fonelab/", "https://action.aiseesoft.jp/itunes.php", "http://help.aiseesoft.jp/total-video-converter", "http://help.aiseesoft.jp/total-video-converter/", "http://help.aiseesoft.jp/video-converter-ultimate/", "http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/", "http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch", "http://test-firstmile.digitecgalaxus.ch", "https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/", "No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]", "cdn.rss.applemarketingtools.com", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "1.bing.com.cn", "www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net", "www.phantomcameras.cn", "https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"", "podcasts.apple.com \u2022 23.34.32.21", "www.apple.com \u2022 23.34.32.199", "js-cdn.music.apple.com \u2022 23.78.51.170", "http://firstmile.digitecgalaxus.ch", "Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb", "Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca", "Tulach.cc", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as", "Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains", "asp.net domain pointer", "developer.x.com", "aotx.alienvault.com (aotx.?)", "https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh", "https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1020.001", "name": "Traffic Duplication", "display_name": "T1020.001 - Traffic Duplication" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591.002", "name": "Business Relationships", "display_name": "T1591.002 - Business Relationships" }, { "id": "T1591.001", "name": "Determine Physical Locations", "display_name": "T1591.001 - Determine Physical Locations" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1029, "domain": 396, "email": 7, "URL": 2784, "FileHash-SHA256": 898, "FileHash-MD5": 79, "FileHash-SHA1": 68, "IPv4": 35, "CVE": 1, "SSLCertFingerprint": 13 }, "indicator_count": 5310, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ddcb3c30b80ca6a36304b5", "name": "myIndicator of compromise ", "description": "", "modified": "2026-04-14T05:06:04.305000", "created": "2026-04-14T05:06:04.305000", "tags": [ "get http", "engb", "dns resolutions", "ip traffic", "guid", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "69d214c82964f598d31d166c", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "john1235", "id": "398130", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 531, "FileHash-MD5": 50, "FileHash-SHA1": 32, "FileHash-SHA256": 2200, "URL": 1193, "domain": 483, "IPv4": 395 }, "indicator_count": 4884, "is_author": false, "is_subscribing": null, "subscriber_count": 3, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dc04c12782d2d76c111a93", "name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked", "description": "", "modified": "2026-04-12T20:46:57.338000", "created": "2026-04-12T20:46:57.338000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "IPv4": 322, "SSLCertFingerprint": 24, "email": 2, "IPv6": 1 }, "indicator_count": 5321, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69da656a68549f39be14bd77", "name": "Anonymous ai Chat guided as Duck.ai \u2022 DisableUAC \u2022 Drive by Compromise", "description": "I decided to test most malicious devices I\u2019m researching. I tested 2 browsers on device, an anonymous version of chat GPT 5 popped up (drive by compromise). Labeled: duck.ai in browser bar. I chose to interact with something that came seemingly from nowhere. \n\nDuring each interaction a red recording button appeared. Screen recording in progress on device. I asked anonymous actor about the recording button. Response: \u2018That red square is the browser or site's visual indicator that the page is capturing input or has an active interactive state - it isn't me recording audio. Try these checks:\n\u2022 Look for a site-level microphone/camera permission prompt in your browser address bar.\u2019\n\nThe attackers must be associated with Tulach /\nNextCloud , likely angry that I researched the adversarial nature of the presence in malicious, deeply compromised media. \n\nConsequences: threat actors retaliating because their own behavior and existence in malicious media is being researched. \n#tulach #nextcloud #anonymous_ai_chat", "modified": "2026-04-11T15:14:50.815000", "created": "2026-04-11T15:14:50.815000", "tags": [ "united", "unknown ns", "ip address", "st kitts", "gmt content", "ai chat", "all domain", "encrypt", "mtb mar", "virtool", "x frame", "x xss", "x content", "gmt cache", "twitter", "win32", "locale", "extraction", "gm cache", "include data", "review exclude", "suggestadiacs", "report spam", "duckduckgo", "url http", "urls", "all url", "http", "active", "duck.ai", "duckduckgo ai", "private ai", "chatbot", "free ai", "chat", "anonymous ai", "ai chat", "no sign up", "openai", "anthropic", "llama", "mistral", "open source", "javascript", "ai models", "privacy focused", "recording screen", "ai", "no account ai chat", "data upload", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "development att", "ssl certificate", "over", "defense evasion", "mitre att", "ck matrix", "size", "meta", "april", "hybrid", "general", "local", "path", "click", "strings", "dark", "roboto", "invisible", "desktop", "small", "tls sni", "contacted", "filehash", "ids detections", "yara detections", "alerts", "file sharing", "https domain", "tls handshake", "failure alerts", "less ip", "nextcloud", "hackers", "they mad", "msie", "windows nt", "wow64", "slcc2", "media center", "port", "destination", "malware", "write", "self", "network_icmp", "icmp traffic", "passive dns", "moved", "netherlands", "gmt server", "gmt etag", "user agent", "all ipv4", "pulse submit", "url analysis", "apache", "accept", "writeconsolea", "script", "read c", "search", "show", "medium", "html", "high", "form", "create c", "write c", "registry", "windows", "delete c", "tools", "persistence", "execution", "dock", "malicious", "unknown" ], "references": [ "duck.ai \u2022 https://duck.ai/chat phishing", "go.trckclick.xyz \u2022 att.trk.173trk.com", "anyconnect.online", "ddg.gg \u2022 http://ddg.gg/?q=corezuelo \u2022 http://ddg.gg/?q=embozalar", "files.catbox.moe", "passwordresetalcb.accenture.cn", "https://www.phantomcameras.cn.bscedge.com", "www.cam4.page \u2022 campaigncdn.com \u2022 accesscam.org", "loophole.outlook89.accesscam.org", "https://www.phantomcameras.cn/applications/where/piv", "https://www.phantomcameras.cn.bscedge.com", "52.250.42.157 scanning_host", "https://nextcloud.simonduffey.ch", "https://nextcloud.paroxity.org/", "http://mail.saynextapp.accesscam.org/", "http://dict.bing.com.cn/cloudwidget/Scripts/Generated/BingTranslate_Hover_Phrase_Selection_ShowIcon.js';script.onload=INIT;document.body.appendChild(script", "https://duck.ai/chat?q=tsara+brashears+hacked&t=iphone:", "http://docs.duckduckhack.com/walkthroughs/programming-syntax.html", "http://www.duckduckhack.com \u2022 docs.duckduckhack.com", "http://docs.duckduckhack.com/frontend-reference/cheat-sheet-reference.html", "https://duck.ai/apple-touch-icon.png", "http://r13.c.lencr.org/24.crl \u2022 http://r13.i.lencr.org/", "http://up.chenmin.org/login/jquery.min.js", "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit", "Win.Packed.Reline-9875163-0", "IDS Detections: OpenSSL Demo CA - Internet Widgits Pty (O)", "Alerts: network_icmp nolookup_communication antisandbox_idletime antisandbox_sleep_exception", "Alerts: antivm_generic_bios antivm_firmware antivm_vmware_in_instruction dumped_buffer", "Alerts: network_cnc_http network_http nids_alert allocates_rwx antivm_network_adapters", "Alerts: packer_entropy antivm_queries_computername checks_debugger console_output", "Alerts: antivm_memory_available pe_features raises", "IP\u2019s Contacted: 104.18.11.39 104.73.1.162 142.93.108.213 52.250.42.157 72.21.81.240", "Domains Contacted: www.download.windowsupdate.com www.microsoft.com cacerts.digicert.com duckduckgo.com ,", "Redline: https://otx.alienvault.com/otxapi/indicators/file/screenshot/316c67e7150c6841d0d40a180bba390793ffeb9edfb8ec0321e1a16e97f68722", "https://www.mof.gov.cn.lxcvc.com/", "https://cms.medicarementalhealthcheckin.gov.au", "https://duck.ai/apple-touch-icon.png", "edge-mobile-static.azureedge.net" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit", "display_name": "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit", "target": null }, { "id": "VirTool:MSIL/Mousewe.A!MTB", "display_name": "VirTool:MSIL/Mousewe.A!MTB", "target": "/malware/VirTool:MSIL/Mousewe.A!MTB" }, { "id": "Win.Packed.Reline-9875163-0", "display_name": "Win.Packed.Reline-9875163-0", "target": null } ], "attack_ids": [ { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1462", "name": "Malicious Software Development Tools", "display_name": "T1462 - Malicious Software Development Tools" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1181, "FileHash-SHA1": 195, "IPv4": 50, "domain": 320, "hostname": 529, "FileHash-SHA256": 1702, "FileHash-MD5": 201, "SSLCertFingerprint": 8 }, "indicator_count": 4186, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d3843cba399db62eeae702", "name": "CAPE Sandbox - Stalking", "description": "A full report on the latest Android operating system: PK.3.4.5.1 (c) on 1 January, 2026, to be published by the Google Research Institute (GRI).", "modified": "2026-04-06T10:18:23.324000", "created": "2026-04-06T10:00:28.397000", "tags": [ "renewed", "8gbram", "windows10", "19inlcdmonitor", "desktop pc", "package", "intel core", "hard drive", "dvdrw", "wifi", "title", "blink", "date", "meta", "elite", "body", "https", "mitre attack", "network info", "tls version", "united", "overview", "zenbox android", "verdict", "guest system", "ultimate file", "fraud", "cloud", "next", "program", "processes extra", "overview zenbox", "info file", "file type", "default", "parent pid", "full path", "command line", "registry keys", "commands c", "k dcomlaunch", "files c", "devicecng c", "read registry" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/2533042959ad1fe050d14ab7536126910a2d240992bff397640382472b6a7c69_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469608&Signature=fK1I2%2FxXVm0l3ZiELwtstes8iVN402Ww%2By%2BgvxYOB0LiC2iO3J9cedWJk1hMIr4IfLSGKprfui8vANzR%2BkWfSd594S%2FFe9A59YKyOA2MFmQTBRXVy6O3xF1e1lPETp5Md%2FbGJCOzrZxdHyReyuk7cgdDDBAewptjJhfTYxql7F9X%2FB4qe9BYWPrvned2fFWfU%2F4G%2F4UBqY9Jj%2BG1CTP%2FaGqOdWFs0Q5cPYZ4bytp", "https://vtbehaviour.commondatastorage.googleapis.com/6c39ae0368703f254070a0648c0066115140c3e762d9bf5b52833a037a1e3743_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469752&Signature=Df%2Bamm33qFPdsDg6nWC5FQjse7h4fksSXqONp4nMEItb0gpBwqx66TqcCnFzQplUk6ExMge79qNZR2OElv63sX54D4fSGwI9nvHYhQoiVdZIgf4ct8dIAr%2BYO9jSx0WpPUVFsvf%2FXtXvm6jM5n5v7CGiyFRyAz8PES5g%2FcOlLt%2BDhsc8bhi%2FMU9mAkyyr5nFVPcTmUSHOTNXOeKDUlyRkQE6b9FEbFhUL1h3%2B%2FBVtysh", "https://vtbehaviour.commondatastorage.googleapis.com/5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469810&Signature=Mj5ODxCW7tD5UNn6P11Ta7F2cmDLSJuEB7JSLFg%2FERfANmnRR5L7XzDwXxI5G48vkQFx0%2FBMtjMLwWHn6ZHKlt13rfzkvoOu5fJ%2Fb5lMJqUp1rSQIG0JLL80QAnXyJf2W8pL7MvK97Tr4jsCIUfd8ezliJtV5SmahV6Q8lYu2KJUnANrHkA10RFrcT4O26Vk7gbDsuC7caDXC6U9KXTTB0cpC77%2FV7w86ftN2JPXx6oEHUvSj02qsvhKwKQvmM", "https://vtbehaviour.commondatastorage.googleapis.com/5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469831&Signature=ZlRZLvCaJ%2F9niupu9DFCvXvfgFpDEOsK%2FsH46CB2zEVUDjcQRNMDp9XXKKx0dekmHQbhl02yqygHPOA8Wty5duGtK216QCvKNkYpbpdOjN7xgAg3AsldciWbqeJr8N4I%2F1%2FPRSdVfB%2BNGaBJKxZG1RQkX206MSvX%2BeY%2FdeEYpq3NYdrPWlxdV0pa3yaqcMrf2s%2FCFSM%2FdO3xt5PKyXWG%2FDCNM5iiuXh8OT2ckhZhf%" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 182, "FileHash-MD5": 781, "FileHash-SHA1": 509, "FileHash-SHA256": 539, "URL": 387, "hostname": 361, "domain": 100, "CIDR": 1, "email": 1 }, "indicator_count": 2861, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d214c82964f598d31d166c", "name": "Habo Analysis System", "description": "", "modified": "2026-04-05T08:44:43.360000", "created": "2026-04-05T07:52:40.107000", "tags": [ "get http", "engb", "dns resolutions", "ip traffic", "guid", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 531, "FileHash-MD5": 50, "FileHash-SHA1": 32, "FileHash-SHA256": 2200, "URL": 1193, "domain": 483, "IPv4": 395 }, "indicator_count": 4884, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://aabb88.cc", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://aabb88.cc", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776638880.4742646 }