{ "type": "URL", "indicator": "https://admin.cloud.microsoft/msal_redirect.html", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://admin.cloud.microsoft/msal_redirect.html", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4096649732, "indicator": "https://admin.cloud.microsoft/msal_redirect.html", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69c40496b927d4374c5ce278", "name": "Nissan Data", "description": "Victims C2 car console repeated failure notices.", "modified": "2026-04-24T15:06:33.739000", "created": "2026-03-25T15:51:50.778000", "tags": [ "cachecontrol", "keepalive", "connection", "date thu", "gmt xversion", "etag", "link", "ip address", "status code", "control", "date wed", "get http", "dns resolutions", "ip traffic", "number", "cnmicrosoft ecc", "update secure", "server ca", "cus subject", "stwa lredmond", "omicrosoft c", "user", "data", "datacrashpad", "edge" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "domain": 37, "URL": 637, "hostname": 236, "FileHash-SHA256": 34, "FileHash-SHA1": 9, "CIDR": 3, "email": 24 }, "indicator_count": 1001, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ce1c7b60a3065cc75b7e23", "name": "Chance Encounter Clone CREDIT: UCP_GoA23 Public - same watering hole?", "description": "", "modified": "2026-04-21T05:29:42.247000", "created": "2026-04-02T07:36:27.829000", "tags": [ "raspberry pi", "hdmi", "hdmi mode", "uncomment", "additional", "usb mass", "pi02", "pi zero", "zero", "enable drm", "program", "license", "free software", "foundation", "general public", "gnu general", "public license", "the program", "copyright", "sections", "june", "general", "april", "vice", "drivers", "analog", "digital", "video", "bus support", "media", "accelerometers", "capacitance", "resolver", "android", "flash", "monitoring", "codec", "loop", "light", "linear", "tools", "class", "speakup", "core support", "legacy", "kernel", "this software", "including", "but not", "limited to", "ltd all", "redistributions", "disclaimer", "is provided", "damage", "info", "params", "gpio", "gpio pin", "select", "digital volume", "load", "gpios", "compute module", "spi bus", "front", "clock", "speed", "tiny", "kali", "oled", "systemd", "digi", "miso", "screen", "show", "global property", "bootmenu", "label", "booting", "please", "javascript", "entity", "file list", "size first", "credits text", "readme text", "no meaningful", "url list", "status https", "domain list", "enom", "registrar", "ltd dba", "com laude", "ip address", "ip adresses", "U of A", "GoA", "Treaty 6", "Treaty 7", "Treaty 8", "AHS" ], "references": [ "cmdline.txt", "config.txt", "COPYING.linux", "config-5.15.44-Re4son-v7+", "config-5.15.44-Re4son-v7l+", "config-5.15.44-Re4son-v8l+", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v8+", "grub_background.sh", "LICENCE.broadcom", "README", "theme.txt", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1050", "name": "New Service", "display_name": "T1050 - New Service" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Agriculture", "Finance", "Transportation" ], "TLP": "white", "cloned_from": "698f07428f6e35876e034e41", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 812, "URL": 2492, "hostname": 1171, "FileHash-SHA256": 2057, "CVE": 2, "FileHash-MD5": 14, "FileHash-SHA1": 16, "email": 2, "CIDR": 118 }, "indicator_count": 6684, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698f07428f6e35876e034e41", "name": "Chance Encounter Commuting from U of A to GoA - 02.13.2026", "description": "My 1st Graph: Hidden Boots on my Phone ( Chance Encounter Commuting from U of A to GoA - 02.13.2026 ). \nConclusion: U of A and the Governments of Alberta, and those of Treaty 6/7/8 have been victims of crime.\nhttps://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "modified": "2026-03-15T10:19:15.579000", "created": "2026-02-13T11:13:03.870000", "tags": [ "raspberry pi", "hdmi", "hdmi mode", "uncomment", "additional", "usb mass", "pi02", "pi zero", "zero", "enable drm", "program", "license", "free software", "foundation", "general public", "gnu general", "public license", "the program", "copyright", "sections", "june", "general", "april", "vice", "drivers", "analog", "digital", "video", "bus support", "media", "accelerometers", "capacitance", "resolver", "android", "flash", "monitoring", "codec", "loop", "light", "linear", "tools", "class", "speakup", "core support", "legacy", "kernel", "this software", "including", "but not", "limited to", "ltd all", "redistributions", "disclaimer", "is provided", "damage", "info", "params", "gpio", "gpio pin", "select", "digital volume", "load", "gpios", "compute module", "spi bus", "front", "clock", "speed", "tiny", "kali", "oled", "systemd", "digi", "miso", "screen", "show", "global property", "bootmenu", "label", "booting", "please", "javascript", "entity", "file list", "size first", "credits text", "readme text", "no meaningful", "url list", "status https", "domain list", "enom", "registrar", "ltd dba", "com laude", "ip address", "ip adresses", "U of A", "GoA", "Treaty 6", "Treaty 7", "Treaty 8", "AHS" ], "references": [ "cmdline.txt", "config.txt", "COPYING.linux", "config-5.15.44-Re4son-v7+", "config-5.15.44-Re4son-v7l+", "config-5.15.44-Re4son-v8l+", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v8+", "grub_background.sh", "LICENCE.broadcom", "README", "theme.txt", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1050", "name": "New Service", "display_name": "T1050 - New Service" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Agriculture", "Finance", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 812, "URL": 2492, "hostname": 1171, "FileHash-SHA256": 2057, "CVE": 2, "FileHash-MD5": 14, "FileHash-SHA1": 16, "email": 2, "CIDR": 118 }, "indicator_count": 6684, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "78 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d91b1a8f414040bfba430", "name": "Spyware", "description": "And I've been walking, talking\nBelieving the things that are true\nAnd I've been finding\nThe difference between right and wrong, bad and good\nSee me put things together\nPut them back where they belong\nWhen I look at each other\nHave I always been singing the same song?\n\nShe said\nThis is a perfect world\nRiding on an incline\nI'm staring in your face\nYou'll photograph mine\n\nI-I-I-I-I\nWhoo, ah-ha-ha\nHa-ha-ha-ha-ha-ha\n\nSomebody said that it happens all over the world\nI do believe that it's true (\u2022o\u2022)\n#spyware #MaaS #malvertizing #bullyfor$ #unethical #dangerous_tool", "modified": "2025-08-20T00:01:59.498000", "created": "2025-07-21T01:02:41.049000", "tags": [ "serving ip", "address", "status", "utc na", "utc google", "utc facebook", "custom audience", "tag manager", "ua748443502", "utc gtmwrp73mt", "utc gsrdlm5jnx1", "utc aw937838002", "adsense na", "connect", "file type", "status code", "body length", "kb body", "sha256", "powershell", "b file", "ta0004 defense", "evasion ta0005", "command", "control ta0011", "c0002 wininet", "number", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation cus", "algorithm", "cndigicert sha2", "secure server", "ca odigicert", "inc cus", "subject", "cnwe1 ogoogle", "trust", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft", "get http", "request", "windows nt", "win64", "khtml", "gecko", "response", "united", "search", "creation date", "expiration date", "name servers", "unknown soa", "germany unknown", "entries", "pulse submit", "url analysis", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 304, "hostname": 796, "URL": 2590, "FileHash-SHA256": 2735, "FileHash-MD5": 253, "FileHash-SHA1": 144, "email": 1 }, "indicator_count": 6823, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "286 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687bbd19a26a21a9b43917b5", "name": "Mal_Tofsee - Monitoring via target advertisements", "description": "* Mal_Tofsee\n* Infostealer/Win.RedLine.R479069\nIDS Detections:\nWin32/Tofsee.AX google.com connectivity check\nNon-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 || Malvertisements , monitored target.\n.\t\t\t\t\n* Win32/Tofsee.AX google.com connectivity check\tmultiple IP addresses \t\t\t\n* Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set\t192.168.122.33\t192.168.122.1\t\t\t\t\n* 192.168.122.33\t149.154.167.99\t\t\t\t\n192.168.122.33\t192.168.122.1\t\t\t\t\n* Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set\t192.168.122.33\t1.1.1.1\t\t\t\t\n192.168.122.33\t 87.240.137.207\t\t\t\t\n*\n(OTX -Unable to annotate. Some Pulses =\n Yield: (javascript:void(0);))", "modified": "2025-08-18T15:02:23.260000", "created": "2025-07-19T15:43:21.904000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "entries", "t1045", "packing", "t1055", "injection", "t1082", "t1063", "t1119", "t1057", "discovery", "t1071", "delete c", "port", "search", "show", "destination", "tofsee", "high", "cape", "grum", "copy", "write", "malware", "status domain", "ip whitelisted", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "command", "found", "t1480 execution", "no expiration", "expiration", "filehashsha256", "ipv4", "filehashmd5", "hostname", "filehashsha1", "iocs" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 663, "domain": 113, "hostname": 212, "FileHash-SHA256": 418, "FileHash-MD5": 38, "FileHash-SHA1": 31 }, "indicator_count": 1475, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "287 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "config-5.15.44-Re4son-v8+", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "COPYING.linux", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "config.txt", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v7l+", "LICENCE.broadcom", "config-5.15.44-Re4son-v8l+", "README", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "cmdline.txt", "theme.txt", "config-5.15.44-Re4son-v7+", "grub_background.sh", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [ "Agriculture", "Finance", "Transportation", "Government", "Telecommunications", "Education", "Healthcare" ], "unique_indicators": 15801 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cloud.microsoft", "whois": "http://whois.domaintools.com/cloud.microsoft", "domain": "cloud.microsoft", "hostname": "admin.cloud.microsoft" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69c40496b927d4374c5ce278", "name": "Nissan Data", "description": "Victims C2 car console repeated failure notices.", "modified": "2026-04-24T15:06:33.739000", "created": "2026-03-25T15:51:50.778000", "tags": [ "cachecontrol", "keepalive", "connection", "date thu", "gmt xversion", "etag", "link", "ip address", "status code", "control", "date wed", "get http", "dns resolutions", "ip traffic", "number", "cnmicrosoft ecc", "update secure", "server ca", "cus subject", "stwa lredmond", "omicrosoft c", "user", "data", "datacrashpad", "edge" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "domain": 37, "URL": 637, "hostname": 236, "FileHash-SHA256": 34, "FileHash-SHA1": 9, "CIDR": 3, "email": 24 }, "indicator_count": 1001, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ce1c7b60a3065cc75b7e23", "name": "Chance Encounter Clone CREDIT: UCP_GoA23 Public - same watering hole?", "description": "", "modified": "2026-04-21T05:29:42.247000", "created": "2026-04-02T07:36:27.829000", "tags": [ "raspberry pi", "hdmi", "hdmi mode", "uncomment", "additional", "usb mass", "pi02", "pi zero", "zero", "enable drm", "program", "license", "free software", "foundation", "general public", "gnu general", "public license", "the program", "copyright", "sections", "june", "general", "april", "vice", "drivers", "analog", "digital", "video", "bus support", "media", "accelerometers", "capacitance", "resolver", "android", "flash", "monitoring", "codec", "loop", "light", "linear", "tools", "class", "speakup", "core support", "legacy", "kernel", "this software", "including", "but not", "limited to", "ltd all", "redistributions", "disclaimer", "is provided", "damage", "info", "params", "gpio", "gpio pin", "select", "digital volume", "load", "gpios", "compute module", "spi bus", "front", "clock", "speed", "tiny", "kali", "oled", "systemd", "digi", "miso", "screen", "show", "global property", "bootmenu", "label", "booting", "please", "javascript", "entity", "file list", "size first", "credits text", "readme text", "no meaningful", "url list", "status https", "domain list", "enom", "registrar", "ltd dba", "com laude", "ip address", "ip adresses", "U of A", "GoA", "Treaty 6", "Treaty 7", "Treaty 8", "AHS" ], "references": [ "cmdline.txt", "config.txt", "COPYING.linux", "config-5.15.44-Re4son-v7+", "config-5.15.44-Re4son-v7l+", "config-5.15.44-Re4son-v8l+", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v8+", "grub_background.sh", "LICENCE.broadcom", "README", "theme.txt", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1050", "name": "New Service", "display_name": "T1050 - New Service" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Agriculture", "Finance", "Transportation" ], "TLP": "white", "cloned_from": "698f07428f6e35876e034e41", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 812, "URL": 2492, "hostname": 1171, "FileHash-SHA256": 2057, "CVE": 2, "FileHash-MD5": 14, "FileHash-SHA1": 16, "email": 2, "CIDR": 118 }, "indicator_count": 6684, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698f07428f6e35876e034e41", "name": "Chance Encounter Commuting from U of A to GoA - 02.13.2026", "description": "My 1st Graph: Hidden Boots on my Phone ( Chance Encounter Commuting from U of A to GoA - 02.13.2026 ). \nConclusion: U of A and the Governments of Alberta, and those of Treaty 6/7/8 have been victims of crime.\nhttps://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "modified": "2026-03-15T10:19:15.579000", "created": "2026-02-13T11:13:03.870000", "tags": [ "raspberry pi", "hdmi", "hdmi mode", "uncomment", "additional", "usb mass", "pi02", "pi zero", "zero", "enable drm", "program", "license", "free software", "foundation", "general public", "gnu general", "public license", "the program", "copyright", "sections", "june", "general", "april", "vice", "drivers", "analog", "digital", "video", "bus support", "media", "accelerometers", "capacitance", "resolver", "android", "flash", "monitoring", "codec", "loop", "light", "linear", "tools", "class", "speakup", "core support", "legacy", "kernel", "this software", "including", "but not", "limited to", "ltd all", "redistributions", "disclaimer", "is provided", "damage", "info", "params", "gpio", "gpio pin", "select", "digital volume", "load", "gpios", "compute module", "spi bus", "front", "clock", "speed", "tiny", "kali", "oled", "systemd", "digi", "miso", "screen", "show", "global property", "bootmenu", "label", "booting", "please", "javascript", "entity", "file list", "size first", "credits text", "readme text", "no meaningful", "url list", "status https", "domain list", "enom", "registrar", "ltd dba", "com laude", "ip address", "ip adresses", "U of A", "GoA", "Treaty 6", "Treaty 7", "Treaty 8", "AHS" ], "references": [ "cmdline.txt", "config.txt", "COPYING.linux", "config-5.15.44-Re4son-v7+", "config-5.15.44-Re4son-v7l+", "config-5.15.44-Re4son-v8l+", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v8+", "grub_background.sh", "LICENCE.broadcom", "README", "theme.txt", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1050", "name": "New Service", "display_name": "T1050 - New Service" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Agriculture", "Finance", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 812, "URL": 2492, "hostname": 1171, "FileHash-SHA256": 2057, "CVE": 2, "FileHash-MD5": 14, "FileHash-SHA1": 16, "email": 2, "CIDR": 118 }, "indicator_count": 6684, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "78 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d91b1a8f414040bfba430", "name": "Spyware", "description": "And I've been walking, talking\nBelieving the things that are true\nAnd I've been finding\nThe difference between right and wrong, bad and good\nSee me put things together\nPut them back where they belong\nWhen I look at each other\nHave I always been singing the same song?\n\nShe said\nThis is a perfect world\nRiding on an incline\nI'm staring in your face\nYou'll photograph mine\n\nI-I-I-I-I\nWhoo, ah-ha-ha\nHa-ha-ha-ha-ha-ha\n\nSomebody said that it happens all over the world\nI do believe that it's true (\u2022o\u2022)\n#spyware #MaaS #malvertizing #bullyfor$ #unethical #dangerous_tool", "modified": "2025-08-20T00:01:59.498000", "created": "2025-07-21T01:02:41.049000", "tags": [ "serving ip", "address", "status", "utc na", "utc google", "utc facebook", "custom audience", "tag manager", "ua748443502", "utc gtmwrp73mt", "utc gsrdlm5jnx1", "utc aw937838002", "adsense na", "connect", "file type", "status code", "body length", "kb body", "sha256", "powershell", "b file", "ta0004 defense", "evasion ta0005", "command", "control ta0011", "c0002 wininet", "number", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation cus", "algorithm", "cndigicert sha2", "secure server", "ca odigicert", "inc cus", "subject", "cnwe1 ogoogle", "trust", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft", "get http", "request", "windows nt", "win64", "khtml", "gecko", "response", "united", "search", "creation date", "expiration date", "name servers", "unknown soa", "germany unknown", "entries", "pulse submit", "url analysis", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 304, "hostname": 796, "URL": 2590, "FileHash-SHA256": 2735, "FileHash-MD5": 253, "FileHash-SHA1": 144, "email": 1 }, "indicator_count": 6823, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "286 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687bbd19a26a21a9b43917b5", "name": "Mal_Tofsee - Monitoring via target advertisements", "description": "* Mal_Tofsee\n* Infostealer/Win.RedLine.R479069\nIDS Detections:\nWin32/Tofsee.AX google.com connectivity check\nNon-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 || Malvertisements , monitored target.\n.\t\t\t\t\n* Win32/Tofsee.AX google.com connectivity check\tmultiple IP addresses \t\t\t\n* Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set\t192.168.122.33\t192.168.122.1\t\t\t\t\n* 192.168.122.33\t149.154.167.99\t\t\t\t\n192.168.122.33\t192.168.122.1\t\t\t\t\n* Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set\t192.168.122.33\t1.1.1.1\t\t\t\t\n192.168.122.33\t 87.240.137.207\t\t\t\t\n*\n(OTX -Unable to annotate. Some Pulses =\n Yield: (javascript:void(0);))", "modified": "2025-08-18T15:02:23.260000", "created": "2025-07-19T15:43:21.904000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "entries", "t1045", "packing", "t1055", "injection", "t1082", "t1063", "t1119", "t1057", "discovery", "t1071", "delete c", "port", "search", "show", "destination", "tofsee", "high", "cape", "grum", "copy", "write", "malware", "status domain", "ip whitelisted", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "command", "found", "t1480 execution", "no expiration", "expiration", "filehashsha256", "ipv4", "filehashmd5", "hostname", "filehashsha1", "iocs" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 663, "domain": 113, "hostname": 212, "FileHash-SHA256": 418, "FileHash-MD5": 38, "FileHash-SHA1": 31 }, "indicator_count": 1475, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "287 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://admin.cloud.microsoft/msal_redirect.html", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://admin.cloud.microsoft/msal_redirect.html", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780383550.7273617 }