{ "type": "URL", "indicator": "https://accounts.google.com/ManageAccount", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://accounts.google.com/ManageAccount", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #1", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #3", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3775875038, "indicator": "https://accounts.google.com/ManageAccount", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-24T13:20:48.450000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 108, "CIDR": 6 }, "indicator_count": 33118, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "36 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6953faf8bc5d0bacd899eb5a", "name": "Virus Share - Apple monitors targeted Apple users via Apple devices", "description": "Malware packed! Virus Share Apple monitors targeted Apple users via Apple devices. Adversaries gain access to select users maintaining full CnC. \nDevices are modified , security disabled, adversaries exploit privileges collecting email, cnc of app store , browsers, WebKit, cameras, conversations, streaming cloud accounts , texts , etc. In this example keylogger installed, email collection enabled. Device able to connect to random devices or soundbars w/o WiFi or Bluetooth being enabled. Hight probability (in a notable example) devices may not have connected to client ISP / NSP, cell towers due to a deauthor, signal jamming ,remotely unlocked devices, zombie devices.", "modified": "2026-01-29T15:02:39.082000", "created": "2025-12-30T16:16:56.677000", "tags": [ "yara detections", "wacup support", "taglib library", "av detections", "library exe", "internalname", "nullsoft", "darren owen", "a domains", "musicbrainz", "script urls", "germany", "ip address", "title", "paris", "dnssec", "name robert", "kaye name", "org metabrainz", "foundation inc", "south higuera", "luis obispo", "country us", "rob@metabrainz.org", "robert kaye", "san luis obispo", "united", "aaaa", "servers", "moved", "certificate", "urls", "win32mydoom dec", "trojan", "expiration date", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "ff d5", "yara rule", "ascii text", "f0 ff", "eb e1", "unknown", "write", "malware", "autorun", "suspicious", "backdoor", "found", "gmt connection", "control", "twitter", "verisign", "write c", "show", "time stamping", "read c", "search", "class", "present", "passive dns", "ipv4 add", "pulse pulses", "files", "script script", "a li", "div div", "a div", "content type", "script", "ul div", "life", "meta", "agent", "stack", "present oct", "gmt content", "type", "asn as3561", "msie", "windows nt", "slcc2", "media center", "as15169", "virustotal", "mcafee", "drweb", "vipre", "downloader", "panda", "local", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "command", "ck id", "name tactics", "informative", "adversaries", "defense evasion", "spawns", "t1480 execution", "api call", "monitored target", "united states", "present dec", "lowfi", "trojanspy", "win32upatre dec", "status", "present nov", "worm", "worm", "network", "zombie devices", "prefetch8", "localappdata", "prefetch1", "command decode", "programfiles", "edge", "show process", "show technique", "mitre att", "ck matrix", "process", "potential ip", "network traffic", "t1071", "win64", "general", "path", "analysis tip", "click", "process details" ], "references": [ "VirusShare_d1ed959764dc880eac854dcf699ad1f0 2021", "[.]apple.com", "Yara Detections: ConventionEngine_Anomaly_Short_TripleChar + RSDS", "WACUP Support Library FileVersion\t3.3.3.0 InternalName\tnde.dll", "LegalCopyright:Copyright \u00a9 2003-2007 Nullsoft, Inc.", "Modifications by Darren Owen aka DrO \u00a9 2016-2025 OriginalFilename: nde.dll", "wacup-1-99-27-21136.exe \u2022 SHA256 4c16b4976cb9efe9db96743620763076890be297f7f5522b640984c28ac61d33", "InternalName\ttag.dll OriginalFilename: tag.dll ProductName: WACUP TagLib Library ProductVersion: 1.13.1.26", "IDS Detection: Worm.Mydoom Checkin User-Agent (explwer) Observed DNS Query to .biz TLD", "Alerts: network_bind persistence_autorun polymorphic procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_diskreg antisandbox_sleep dynamic_function_loading network_http More IP\u2019s Contacted 51.81.61.70 202.12.124.216 17.171.208.6 64.70.19.203 67.195.228.106 103.129.252.44 Less Domains Contacted 21 Domains Contacted sprrmnrhen.biz qhphrpesma.info swwsppwqsh.biz pwpnhsawsn.in hhhmnaprsn.net 126.com 126mx00.mxmail.netease.com yahoo.com mta7.am0.yahoodns.net rrwerqrhma.org", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside", "Yara Detections: , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Win.Trojan.Ramnit-5482 Yara Detections: Nullsoft_NSIS Alerts: allocates_rwx has_authenticode pe_features", "mailrelay.203.website.ws \u2022 website.ws Files IP Address: 64.70.19.170 Location: United States", "ASN AS3561 Century Link Communications Llc Nameservers: ns5.ncsdi.ws.", "WebSite.ws \u2018Your Internet Address for Life\u2019", "http://images2.website.ws/kvmlm2/images/13/bg_1bot.png", "MyDoom: 64.70.19.203 Command and Control", "Owner/Provider: Association: AS3561 (large hosting or CDN provider like Level 3/CenturyLink)", "Type: CDN Webserver", "64.70.19.203 is identified in cybersecurity reports & malware analysis as a malicious IP address", "64.70.19.203 associated with botnet Command and Control (C&C) servers." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "!SmartInstallMaker_v504", "display_name": "!SmartInstallMaker_v504", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Win.Malware.Cerbu-9952502-0", "display_name": "Win.Malware.Cerbu-9952502-0", "target": null }, { "id": "Win.Trojan.Ramnit-5482", "display_name": "Win.Trojan.Ramnit-5482", "target": null }, { "id": "Autorun", "display_name": "Autorun", "target": null }, { "id": "Downloader.Generic7.ATSS", "display_name": "Downloader.Generic7.ATSS", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "TELPER:CERT:SoftwareBundler:Win32/Bunpredelt", "display_name": "TELPER:CERT:SoftwareBundler:Win32/Bunpredelt", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Upatre", "display_name": "Trojan:Win32/Upatre", "target": "/malware/Trojan:Win32/Upatre" }, { "id": "Win.Malware.Pits", "display_name": "Win.Malware.Pits", "target": null }, { "id": "Backdoor:Win32/Fynloski", "display_name": "Backdoor:Win32/Fynloski", "target": "/malware/Backdoor:Win32/Fynloski" }, { "id": "#LowFI:VBExpensiveLoop", "display_name": "#LowFI:VBExpensiveLoop", "target": null }, { "id": "TrojanSpy:MSIL/Omaneat.A", "display_name": "TrojanSpy:MSIL/Omaneat.A", "target": "/malware/TrojanSpy:MSIL/Omaneat.A" }, { "id": "Win.Trojan.Nmzbaak8fvob-10038731-0", "display_name": "Win.Trojan.Nmzbaak8fvob-10038731-0", "target": null }, { "id": "TEL:Trojan:Win32/REDFLARE_1", "display_name": "TEL:Trojan:Win32/REDFLARE_1", "target": null }, { "id": "TEL:HSTR:Win32/SetFTAHash", "display_name": "TEL:HSTR:Win32/SetFTAHash", "target": null }, { "id": "Win.Malware.Pits-10035540-0", "display_name": "Win.Malware.Pits-10035540-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3861, "URL": 296, "hostname": 213, "FileHash-MD5": 971, "FileHash-SHA1": 864, "email": 16, "domain": 53, "SSLCertFingerprint": 2 }, "indicator_count": 6276, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "121 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6907f7e98289b75f3e5ecaba", "name": "- Treece Alfrey Musat P.C. - Malicious Legal Google Botnet", "description": "Christopher P.\nAhmann\u2019s Google Botnet. Defense attorneys fighting worker\u2019s compensation case and ruining a targets life for years. Malicious.[OTX auto popular-HOSTNAME: Google Video.com (GOOGlevideo.COM), an unauthorised website, has been blocked by the internet service regulator, the regulator of the domain registry.]\n\n#pulsed_by_otx #private_google #legal_goigle #malicious_practices", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-03T00:31:37.396000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69138421066f81131da59cc5", "name": "Malicious Legal Google Botnet - Treece Alfrey Musat P.C.\u2022 Christopher P. Ahmann Spam - Malicious ", "description": "", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-11T18:44:49.343000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6907f7e98289b75f3e5ecaba", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6536fe7706b7eeaa7ab5c271", "name": "CVE-2005-0068", "description": "A summary of the major vulnerabilities in the ICMP software, published by the Australian government on 1 January 2008.. the first such vulnerability to be identified in this year's Security Research Review (SSR).", "modified": "2023-11-28T06:04:19.908000", "created": "2023-10-23T23:15:03.507000", "tags": [ "icmp", "icmp error", "split", "files", "exploits", "targeted", "cve overview", "source quench", "path mtu", "cve20040791" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "URL": 1768, "hostname": 1200, "FileHash-SHA256": 6469, "domain": 2139, "email": 25, "FileHash-MD5": 1296, "FileHash-SHA1": 1287, "JA3": 2 }, "indicator_count": 14193, "is_author": false, "is_subscribing": null, "subscriber_count": 88, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.", "http://images2.website.ws/kvmlm2/images/13/bg_1bot.png", "Owner/Provider: Association: AS3561 (large hosting or CDN provider like Level 3/CenturyLink)", "IDS Detection: Worm.Mydoom Checkin User-Agent (explwer) Observed DNS Query to .biz TLD", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Modifications by Darren Owen aka DrO \u00a9 2016-2025 OriginalFilename: nde.dll", "LegalCopyright:Copyright \u00a9 2003-2007 Nullsoft, Inc.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "64.70.19.203 associated with botnet Command and Control (C&C) servers.", "MyDoom: 64.70.19.203 Command and Control", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "64.70.19.203 is identified in cybersecurity reports & malware analysis as a malicious IP address", "VirusShare_d1ed959764dc880eac854dcf699ad1f0 2021", "Alerts: network_bind persistence_autorun polymorphic procmem_yara static_pe_anomaly", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "wacup-1-99-27-21136.exe \u2022 SHA256 4c16b4976cb9efe9db96743620763076890be297f7f5522b640984c28ac61d33", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Yara Detections: ConventionEngine_Anomaly_Short_TripleChar + RSDS", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside", "InternalName\ttag.dll OriginalFilename: tag.dll ProductName: WACUP TagLib Library ProductVersion: 1.13.1.26", "Type: CDN Webserver", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Yara Detections: , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Win.Trojan.Ramnit-5482 Yara Detections: Nullsoft_NSIS Alerts: allocates_rwx has_authenticode pe_features", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "mailrelay.203.website.ws \u2022 website.ws Files IP Address: 64.70.19.170 Location: United States", "Alerts: suricata_alert antivm_generic_diskreg antisandbox_sleep dynamic_function_loading network_http More IP\u2019s Contacted 51.81.61.70 202.12.124.216 17.171.208.6 64.70.19.203 67.195.228.106 103.129.252.44 Less Domains Contacted 21 Domains Contacted sprrmnrhen.biz qhphrpesma.info swwsppwqsh.biz pwpnhsawsn.in hhhmnaprsn.net 126.com 126mx00.mxmail.netease.com yahoo.com mta7.am0.yahoodns.net rrwerqrhma.org", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "WACUP Support Library FileVersion\t3.3.3.0 InternalName\tnde.dll", "T1110.001 (Brute Force: Password Guessing)", "Obfuscation: XOR-based String Encryption (0x20)", "ASN AS3561 Century Link Communications Llc Nameservers: ns5.ncsdi.ws.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "WebSite.ws \u2018Your Internet Address for Life\u2019", "[.]apple.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s" ], "malware_families": [ "Trojan:win32/pariham.a", "Trojanspy:msil/omaneat.a", "Tel:trojan:win32/redflare_1", "Win.malware.pits-10035540-0", "Telper:cert:softwarebundler:win32/bunpredelt", "Trojandownloader:win32/banload", "Backdoor:win32/fynloski", "Trojan:win32/mydoom", "Win.malware.pits", "Trojan:win32/upatre", "Worm:win32/mofksys.rnd!mtb", "Autorun", "Win.trojan.ramnit-5482", "Malware family: stealthworker / gobrut", "Downloader.generic7.atss", "Win.malware.cerbu-9952502-0", "!smartinstallmaker_v504", "Win.trojan.nmzbaak8fvob-10038731-0", "Tel:hstr:win32/setftahash", "#lowfi:vbexpensiveloop", "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf" ], "industries": [], "unique_indicators": 46297 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/google.com", "whois": "http://whois.domaintools.com/google.com", "domain": "google.com", "hostname": "accounts.google.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-24T13:20:48.450000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 108, "CIDR": 6 }, "indicator_count": 33118, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "36 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6953faf8bc5d0bacd899eb5a", "name": "Virus Share - Apple monitors targeted Apple users via Apple devices", "description": "Malware packed! Virus Share Apple monitors targeted Apple users via Apple devices. Adversaries gain access to select users maintaining full CnC. \nDevices are modified , security disabled, adversaries exploit privileges collecting email, cnc of app store , browsers, WebKit, cameras, conversations, streaming cloud accounts , texts , etc. In this example keylogger installed, email collection enabled. Device able to connect to random devices or soundbars w/o WiFi or Bluetooth being enabled. Hight probability (in a notable example) devices may not have connected to client ISP / NSP, cell towers due to a deauthor, signal jamming ,remotely unlocked devices, zombie devices.", "modified": "2026-01-29T15:02:39.082000", "created": "2025-12-30T16:16:56.677000", "tags": [ "yara detections", "wacup support", "taglib library", "av detections", "library exe", "internalname", "nullsoft", "darren owen", "a domains", "musicbrainz", "script urls", "germany", "ip address", "title", "paris", "dnssec", "name robert", "kaye name", "org metabrainz", "foundation inc", "south higuera", "luis obispo", "country us", "rob@metabrainz.org", "robert kaye", "san luis obispo", "united", "aaaa", "servers", "moved", "certificate", "urls", "win32mydoom dec", "trojan", "expiration date", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "ff d5", "yara rule", "ascii text", "f0 ff", "eb e1", "unknown", "write", "malware", "autorun", "suspicious", "backdoor", "found", "gmt connection", "control", "twitter", "verisign", "write c", "show", "time stamping", "read c", "search", "class", "present", "passive dns", "ipv4 add", "pulse pulses", "files", "script script", "a li", "div div", "a div", "content type", "script", "ul div", "life", "meta", "agent", "stack", "present oct", "gmt content", "type", "asn as3561", "msie", "windows nt", "slcc2", "media center", "as15169", "virustotal", "mcafee", "drweb", "vipre", "downloader", "panda", "local", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "command", "ck id", "name tactics", "informative", "adversaries", "defense evasion", "spawns", "t1480 execution", "api call", "monitored target", "united states", "present dec", "lowfi", "trojanspy", "win32upatre dec", "status", "present nov", "worm", "worm", "network", "zombie devices", "prefetch8", "localappdata", "prefetch1", "command decode", "programfiles", "edge", "show process", "show technique", "mitre att", "ck matrix", "process", "potential ip", "network traffic", "t1071", "win64", "general", "path", "analysis tip", "click", "process details" ], "references": [ "VirusShare_d1ed959764dc880eac854dcf699ad1f0 2021", "[.]apple.com", "Yara Detections: ConventionEngine_Anomaly_Short_TripleChar + RSDS", "WACUP Support Library FileVersion\t3.3.3.0 InternalName\tnde.dll", "LegalCopyright:Copyright \u00a9 2003-2007 Nullsoft, Inc.", "Modifications by Darren Owen aka DrO \u00a9 2016-2025 OriginalFilename: nde.dll", "wacup-1-99-27-21136.exe \u2022 SHA256 4c16b4976cb9efe9db96743620763076890be297f7f5522b640984c28ac61d33", "InternalName\ttag.dll OriginalFilename: tag.dll ProductName: WACUP TagLib Library ProductVersion: 1.13.1.26", "IDS Detection: Worm.Mydoom Checkin User-Agent (explwer) Observed DNS Query to .biz TLD", "Alerts: network_bind persistence_autorun polymorphic procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_diskreg antisandbox_sleep dynamic_function_loading network_http More IP\u2019s Contacted 51.81.61.70 202.12.124.216 17.171.208.6 64.70.19.203 67.195.228.106 103.129.252.44 Less Domains Contacted 21 Domains Contacted sprrmnrhen.biz qhphrpesma.info swwsppwqsh.biz pwpnhsawsn.in hhhmnaprsn.net 126.com 126mx00.mxmail.netease.com yahoo.com mta7.am0.yahoodns.net rrwerqrhma.org", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside", "Yara Detections: , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Win.Trojan.Ramnit-5482 Yara Detections: Nullsoft_NSIS Alerts: allocates_rwx has_authenticode pe_features", "mailrelay.203.website.ws \u2022 website.ws Files IP Address: 64.70.19.170 Location: United States", "ASN AS3561 Century Link Communications Llc Nameservers: ns5.ncsdi.ws.", "WebSite.ws \u2018Your Internet Address for Life\u2019", "http://images2.website.ws/kvmlm2/images/13/bg_1bot.png", "MyDoom: 64.70.19.203 Command and Control", "Owner/Provider: Association: AS3561 (large hosting or CDN provider like Level 3/CenturyLink)", "Type: CDN Webserver", "64.70.19.203 is identified in cybersecurity reports & malware analysis as a malicious IP address", "64.70.19.203 associated with botnet Command and Control (C&C) servers." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "!SmartInstallMaker_v504", "display_name": "!SmartInstallMaker_v504", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Win.Malware.Cerbu-9952502-0", "display_name": "Win.Malware.Cerbu-9952502-0", "target": null }, { "id": "Win.Trojan.Ramnit-5482", "display_name": "Win.Trojan.Ramnit-5482", "target": null }, { "id": "Autorun", "display_name": "Autorun", "target": null }, { "id": "Downloader.Generic7.ATSS", "display_name": "Downloader.Generic7.ATSS", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "TELPER:CERT:SoftwareBundler:Win32/Bunpredelt", "display_name": "TELPER:CERT:SoftwareBundler:Win32/Bunpredelt", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Upatre", "display_name": "Trojan:Win32/Upatre", "target": "/malware/Trojan:Win32/Upatre" }, { "id": "Win.Malware.Pits", "display_name": "Win.Malware.Pits", "target": null }, { "id": "Backdoor:Win32/Fynloski", "display_name": "Backdoor:Win32/Fynloski", "target": "/malware/Backdoor:Win32/Fynloski" }, { "id": "#LowFI:VBExpensiveLoop", "display_name": "#LowFI:VBExpensiveLoop", "target": null }, { "id": "TrojanSpy:MSIL/Omaneat.A", "display_name": "TrojanSpy:MSIL/Omaneat.A", "target": "/malware/TrojanSpy:MSIL/Omaneat.A" }, { "id": "Win.Trojan.Nmzbaak8fvob-10038731-0", "display_name": "Win.Trojan.Nmzbaak8fvob-10038731-0", "target": null }, { "id": "TEL:Trojan:Win32/REDFLARE_1", "display_name": "TEL:Trojan:Win32/REDFLARE_1", "target": null }, { "id": "TEL:HSTR:Win32/SetFTAHash", "display_name": "TEL:HSTR:Win32/SetFTAHash", "target": null }, { "id": "Win.Malware.Pits-10035540-0", "display_name": "Win.Malware.Pits-10035540-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3861, "URL": 296, "hostname": 213, "FileHash-MD5": 971, "FileHash-SHA1": 864, "email": 16, "domain": 53, "SSLCertFingerprint": 2 }, "indicator_count": 6276, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "121 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6907f7e98289b75f3e5ecaba", "name": "- Treece Alfrey Musat P.C. - Malicious Legal Google Botnet", "description": "Christopher P.\nAhmann\u2019s Google Botnet. Defense attorneys fighting worker\u2019s compensation case and ruining a targets life for years. Malicious.[OTX auto popular-HOSTNAME: Google Video.com (GOOGlevideo.COM), an unauthorised website, has been blocked by the internet service regulator, the regulator of the domain registry.]\n\n#pulsed_by_otx #private_google #legal_goigle #malicious_practices", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-03T00:31:37.396000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69138421066f81131da59cc5", "name": "Malicious Legal Google Botnet - Treece Alfrey Musat P.C.\u2022 Christopher P. Ahmann Spam - Malicious ", "description": "", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-11T18:44:49.343000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6907f7e98289b75f3e5ecaba", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6536fe7706b7eeaa7ab5c271", "name": "CVE-2005-0068", "description": "A summary of the major vulnerabilities in the ICMP software, published by the Australian government on 1 January 2008.. the first such vulnerability to be identified in this year's Security Research Review (SSR).", "modified": "2023-11-28T06:04:19.908000", "created": "2023-10-23T23:15:03.507000", "tags": [ "icmp", "icmp error", "split", "files", "exploits", "targeted", "cve overview", "source quench", "path mtu", "cve20040791" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "URL": 1768, "hostname": 1200, "FileHash-SHA256": 6469, "domain": 2139, "email": 25, "FileHash-MD5": 1296, "FileHash-SHA1": 1287, "JA3": 2 }, "indicator_count": 14193, "is_author": false, "is_subscribing": null, "subscriber_count": 88, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://accounts.google.com/ManageAccount", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://accounts.google.com/ManageAccount", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780214274.7207615 }