{ "type": "URL", "indicator": "https://admin.dilmil.co", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://admin.dilmil.co", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3838700839, "indicator": "https://admin.dilmil.co", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "687d5d33d16ab7837e23bc01", "name": "howmanyofme.com - Packed | Palantir", "description": "howmanyofme.com was a honeypot. The names listed are potentially monitored targets. One was verified target.||\nhttp://howmanyofme.com/search/?given=Tsara&sur=Brashears/\nhttp://ww2.howmanyofme.com/people/Carrie_Henn/\nhttp://ww2.howmanyofme.com/people/Rockmond_Dunbar/\nhttp://howmanyofme.com/people/John_Hurt/\nhttp://howmanyofme.com/people/Mary_Gross/\nhttp://howmanyofme.com/people/Kenneth_Tobey/\nhttp://ww2.howmanyofme.com/people/Royce_Clayton/\n\n\n#Palantir # #honeypot #howmanyofme", "modified": "2025-09-18T23:05:18.490000", "created": "2025-07-20T21:18:43.974000", "tags": [ "united", "unknown ns", "a domains", "ip address", "search", "privacy service", "fbo registrant", "date", "entries", "how many", "destination", "port", "windows nt", "msie", "unknown", "et trojan", "poodle attack", "policy sslv3", "united kingdom", "suspicious", "copy", "virustotal", "malware", "write", "hostile", "next", "triton", "super node", "get reloaded", "x11 snf", "png image", "rgba", "post reloaded", "ascii text", "crlf line", "gnu message", "ms windows", "intel", "pe32", "host", "get babylon", "show", "babylon" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7185, "domain": 706, "hostname": 1906, "email": 5, "FileHash-SHA256": 3645, "FileHash-MD5": 330, "FileHash-SHA1": 135, "CVE": 1 }, "indicator_count": 13913, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "213 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea56ae1992b02a25aa5c51", "name": "TrojanSpy:Win32/Nivdort | Affected OTX accounts | Yotta Network", "description": "Part II -Some users OTX accounts connected to the following | Unexpected revelation | A group of hackers masquerading as attorneys, government officials, advocates, fake nsa, security professional, help desk, etc. I don't know the association with otx.alienvault. Unauthorized logins OTX users. accounts. Deleted and modified pulses, etc. Needs further research for me to fully understand.", "modified": "2024-04-06T23:03:19.046000", "created": "2024-03-08T00:07:10.521000", "tags": [ "methodpost", "threat", "iocs", "urls http", "samples", "cnc", "phishing", "ransom", "emotet", "fraud services", "command _and_control", "trojan", "scanning host", "active threat", "malicious", "date hash", "avast avg", "susp", "win32", "paste", "hostnames", "http response", "final url", "ip address", "status code", "body length", "b body", "headers date", "connection", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "ovh sas", "export", "summary iocs", "graph community", "limited", "yotta network", "gvb gelimed", "kb microsoft", "indonesia", "kyriazhs1975", "vj79", "bc https", "rexxfield", "brian sabey", "as21342", "united", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "urls", "msie", "chrome", "creation date", "search", "dnssec", "entries", "body", "date", "as63949 linode", "mtb feb", "checkin m1", "gmt content", "type", "encrypt", "trojan", "artro", "moved", "pulse pulses", "yotta data", "yotta", "private limited", "india", "limited yotta", "number", "as140641", "network", "facebook", "info", "cisco umbrella", "site", "alexa top", "site top", "million", "safe site", "million alexa", "site safe", "cobalt strike", "malicious url", "blacknet rat", "union", "vidar", "malware", "stealer", "bank", "alexa", "deepscan", "phishing", "team", "super", "blacknet", "babar", "detection list", "blacklist http", "sample", "submission", "history first", "analysis", "utc http", "response final", "url http", "kb body", "path", "as396982 google", "bq mar", "win32cve mar", "exploit", "virtool", "status", "name servers", "emails", "servers", "next", "files", "as44273 host", "germany unknown", "expiration date", "showing", "win32upatre mar", "milehighmedia", "ids detections", "possible fake", "av checkin", "initial checkin", "checkin", "utah data", "center", "june", "data center", "responsible", "nsa utah", "march", "closeup view", "july", "view", "february", "prism", "cascade", "darpa", "twitter", "as20940", "aaaa", "as16625 akamai", "nxdomain", "whitelisted", "domain", "as54113", "msil", "cryp", "files show", "entries related", "domains", "as15169 google", "gmt cache", "sameorigin", "trojandropper", "asnone united", "title error", "porkbun", "mtb mar", "trojanspy", "installer", "loader", "hijacker", "targeting", "as30456", "sec ch", "for privacy", "ch ua", "hash avast", "avg clamav", "msdefender mar", "lowfi", "dns replication", "ip detections", "country", "contacted", "graph", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "file size", "open threat", "learn", "html info", "exchange meta", "tags twitter", "alienvault", "script tags", "iframe tags", "google tag", "manager anchor", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "google", "amazon ec2", "email", "city", "server", "amazon data", "amazon", "code", "form", "po box", "tech", "show", "description ype", "collections", "partru", "execution", "fake host" ], "references": [ "Part II -Some users OTX accounts connected to the following | Unexpected revelation |", "Title Salzburg Airport | Public Operations Display Portal | http://quantum.emsbk.com/", "go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...", "https://www.milehighmedia.com/legal/2257", "http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "http://schoolcare.dyndns.org/soap/ISCKeyUpdater", "http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud | jenkins.devnautiluscloud.net |", "hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/", "http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg", "CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 | 34.174.78.212", "Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO", "https://nsa.gov1.info/utah-data-center", "https://softwaremill.com/grpc-vs-rest/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Arab Emirates" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null }, { "id": "#Lowfi:LUA:AutoItV3CraftedOverlay", "display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay", "target": null }, { "id": "Crypt3.BWVY", "display_name": "Crypt3.BWVY", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Dropper.Generic_r.EC", "display_name": "Dropper.Generic_r.EC", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "ALF:Trojan:Win32/Zbot", "display_name": "ALF:Trojan:Win32/Zbot", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1605", "name": "Command-Line Interface", "display_name": "T1605 - Command-Line Interface" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6765, "FileHash-MD5": 688, "FileHash-SHA1": 422, "FileHash-SHA256": 3169, "domain": 2171, "hostname": 1714, "email": 11, "CVE": 2, "CIDR": 2 }, "indicator_count": 14944, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "743 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eadaae65b9123721198d08", "name": "Nivdort | Affected OTX accounts | Yotta Network (Cloned OTX user)", "description": "", "modified": "2024-04-06T23:03:19.046000", "created": "2024-03-08T09:30:22.295000", "tags": [ "methodpost", "threat", "iocs", "urls http", "samples", "cnc", "phishing", "ransom", "emotet", "fraud services", "command _and_control", "trojan", "scanning host", "active threat", "malicious", "date hash", "avast avg", "susp", "win32", "paste", "hostnames", "http response", "final url", "ip address", "status code", "body length", "b body", "headers date", "connection", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "ovh sas", "export", "summary iocs", "graph community", "limited", "yotta network", "gvb gelimed", "kb microsoft", "indonesia", "kyriazhs1975", "vj79", "bc https", "rexxfield", "brian sabey", "as21342", "united", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "urls", "msie", "chrome", "creation date", "search", "dnssec", "entries", "body", "date", "as63949 linode", "mtb feb", "checkin m1", "gmt content", "type", "encrypt", "trojan", "artro", "moved", "pulse pulses", "yotta data", "yotta", "private limited", "india", "limited yotta", "number", "as140641", "network", "facebook", "info", "cisco umbrella", "site", "alexa top", "site top", "million", "safe site", "million alexa", "site safe", "cobalt strike", "malicious url", "blacknet rat", "union", "vidar", "malware", "stealer", "bank", "alexa", "deepscan", "phishing", "team", "super", "blacknet", "babar", "detection list", "blacklist http", "sample", "submission", "history first", "analysis", "utc http", "response final", "url http", "kb body", "path", "as396982 google", "bq mar", "win32cve mar", "exploit", "virtool", "status", "name servers", "emails", "servers", "next", "files", "as44273 host", "germany unknown", "expiration date", "showing", "win32upatre mar", "milehighmedia", "ids detections", "possible fake", "av checkin", "initial checkin", "checkin", "utah data", "center", "june", "data center", "responsible", "nsa utah", "march", "closeup view", "july", "view", "february", "prism", "cascade", "darpa", "twitter", "as20940", "aaaa", "as16625 akamai", "nxdomain", "whitelisted", "domain", "as54113", "msil", "cryp", "files show", "entries related", "domains", "as15169 google", "gmt cache", "sameorigin", "trojandropper", "asnone united", "title error", "porkbun", "mtb mar", "trojanspy", "installer", "loader", "hijacker", "targeting", "as30456", "sec ch", "for privacy", "ch ua", "hash avast", "avg clamav", "msdefender mar", "lowfi", "dns replication", "ip detections", "country", "contacted", "graph", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "file size", "open threat", "learn", "html info", "exchange meta", "tags twitter", "alienvault", "script tags", "iframe tags", "google tag", "manager anchor", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "google", "amazon ec2", "email", "city", "server", "amazon data", "amazon", "code", "form", "po box", "tech", "show", "description ype", "collections", "partru", "execution", "fake host" ], "references": [ "Part II -Some users OTX accounts connected to the following | Unexpected revelation |", "Title Salzburg Airport | Public Operations Display Portal | http://quantum.emsbk.com/", "go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...", "https://www.milehighmedia.com/legal/2257", "http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "http://schoolcare.dyndns.org/soap/ISCKeyUpdater", "http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud | jenkins.devnautiluscloud.net |", "hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/", "http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg", "CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 | 34.174.78.212", "Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO", "https://nsa.gov1.info/utah-data-center", "https://softwaremill.com/grpc-vs-rest/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Arab Emirates" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null }, { "id": "#Lowfi:LUA:AutoItV3CraftedOverlay", "display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay", "target": null }, { "id": "Crypt3.BWVY", "display_name": "Crypt3.BWVY", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Dropper.Generic_r.EC", "display_name": "Dropper.Generic_r.EC", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "ALF:Trojan:Win32/Zbot", "display_name": "ALF:Trojan:Win32/Zbot", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1605", "name": "Command-Line Interface", "display_name": "T1605 - Command-Line Interface" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology", "Financial" ], "TLP": "white", "cloned_from": "65ea56ae1992b02a25aa5c51", "export_count": 63, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6765, "FileHash-MD5": 688, "FileHash-SHA1": 422, "FileHash-SHA256": 3169, "domain": 2171, "hostname": 1714, "email": 11, "CVE": 2, "CIDR": 2 }, "indicator_count": 14944, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "743 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c994c8b145925072b6583a", "name": "Private Loader cyber threat - Sliq.net | https://house.mo.gov", "description": "Link found active in https://house.mo.gov. \nhttps://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1 |", "modified": "2024-03-13T03:00:40.889000", "created": "2024-02-12T03:47:20.138000", "tags": [ "ssl certificate", "threat roundup", "referrer", "historical ssl", "remcos rat", "august", "iocs", "contacted", "qakbot", "june", "service", "privateloader", "amadey", "blacknet rat", "qbot", "cobalt strike", "push", "core", "malformed domains", "sliq", "typosquatting", "malware", "network", "dns", "spyware", "access", "remote", "cyber threat", "virus network", "command and control", "remote connections", "exploits", "injection", "legislature", "trojan", "scanning host", "threat analyzer", "threat", "paste", "urls https", "locationchamber", "viewmode3", "hostnames", "url https", "false layer", "http" ], "references": [ "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "https://www.facebooksunglassshop.com [pegasus related]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Technology", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 36, "FileHash-SHA256": 1384, "CVE": 5, "URL": 1865, "domain": 222, "hostname": 648 }, "indicator_count": 4216, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "768 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab679e6ff8544ecf11962", "name": "Private Loader cyber threat - Sliq.net | https://house.mo.gov ", "description": "", "modified": "2024-03-13T03:00:40.889000", "created": "2024-02-13T00:23:21.062000", "tags": [ "ssl certificate", "threat roundup", "referrer", "historical ssl", "remcos rat", "august", "iocs", "contacted", "qakbot", "june", "service", "privateloader", "amadey", "blacknet rat", "qbot", "cobalt strike", "push", "core", "malformed domains", "sliq", "typosquatting", "malware", "network", "dns", "spyware", "access", "remote", "cyber threat", "virus network", "command and control", "remote connections", "exploits", "injection", "legislature", "trojan", "scanning host", "threat analyzer", "threat", "paste", "urls https", "locationchamber", "viewmode3", "hostnames", "url https", "false layer", "http" ], "references": [ "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "https://www.facebooksunglassshop.com [pegasus related]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Technology", "Civil Society" ], "TLP": "white", "cloned_from": "65c994c8b145925072b6583a", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 36, "FileHash-SHA256": 1384, "CVE": 5, "URL": 1865, "domain": 222, "hostname": 648 }, "indicator_count": 4216, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "768 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...", "hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/", "http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg", "http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud | jenkins.devnautiluscloud.net |", "https://nsa.gov1.info/utah-data-center", "http://schoolcare.dyndns.org/soap/ISCKeyUpdater", "https://www.facebooksunglassshop.com [pegasus related]", "http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "Part II -Some users OTX accounts connected to the following | Unexpected revelation |", "Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO", "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "Title Salzburg Airport | Public Operations Display Portal | http://quantum.emsbk.com/", "http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "https://softwaremill.com/grpc-vs-rest/", "https://www.milehighmedia.com/legal/2257", "CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 | 34.174.78.212" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Artro", "#lowfi:lua:autoitv3craftedoverlay", "Worm:win32/mofksys.rnd!mtb", "#virtool:win32/obfuscator.adb", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Blacknet rat", "Babar", "Dropper.generic_r.ec", "Virtool:win32/injector.gen!bq", "Malware", "Crypt3.bwvy", "Trojan:win32/floxif.e", "Trojanspy", "Androidoverlaymalware - mob-s0012", "Privateloader", "Qbot", "Cobalt strike", "Blacknet", "Win32:malware-gen", "Amadey", "Alf:trojan:win32/zbot", "Qakbot", "Trojanspy:win32/nivdort.cw" ], "industries": [ "Financial", "Government", "Technology", "Civil society", "Telecommunications" ], "unique_indicators": 39408 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/dilmil.co", "whois": "http://whois.domaintools.com/dilmil.co", "domain": "dilmil.co", "hostname": "admin.dilmil.co" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "687d5d33d16ab7837e23bc01", "name": "howmanyofme.com - Packed | Palantir", "description": "howmanyofme.com was a honeypot. The names listed are potentially monitored targets. One was verified target.||\nhttp://howmanyofme.com/search/?given=Tsara&sur=Brashears/\nhttp://ww2.howmanyofme.com/people/Carrie_Henn/\nhttp://ww2.howmanyofme.com/people/Rockmond_Dunbar/\nhttp://howmanyofme.com/people/John_Hurt/\nhttp://howmanyofme.com/people/Mary_Gross/\nhttp://howmanyofme.com/people/Kenneth_Tobey/\nhttp://ww2.howmanyofme.com/people/Royce_Clayton/\n\n\n#Palantir # #honeypot #howmanyofme", "modified": "2025-09-18T23:05:18.490000", "created": "2025-07-20T21:18:43.974000", "tags": [ "united", "unknown ns", "a domains", "ip address", "search", "privacy service", "fbo registrant", "date", "entries", "how many", "destination", "port", "windows nt", "msie", "unknown", "et trojan", "poodle attack", "policy sslv3", "united kingdom", "suspicious", "copy", "virustotal", "malware", "write", "hostile", "next", "triton", "super node", "get reloaded", "x11 snf", "png image", "rgba", "post reloaded", "ascii text", "crlf line", "gnu message", "ms windows", "intel", "pe32", "host", "get babylon", "show", "babylon" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7185, "domain": 706, "hostname": 1906, "email": 5, "FileHash-SHA256": 3645, "FileHash-MD5": 330, "FileHash-SHA1": 135, "CVE": 1 }, "indicator_count": 13913, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "213 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea56ae1992b02a25aa5c51", "name": "TrojanSpy:Win32/Nivdort | Affected OTX accounts | Yotta Network", "description": "Part II -Some users OTX accounts connected to the following | Unexpected revelation | A group of hackers masquerading as attorneys, government officials, advocates, fake nsa, security professional, help desk, etc. I don't know the association with otx.alienvault. Unauthorized logins OTX users. accounts. Deleted and modified pulses, etc. Needs further research for me to fully understand.", "modified": "2024-04-06T23:03:19.046000", "created": "2024-03-08T00:07:10.521000", "tags": [ "methodpost", "threat", "iocs", "urls http", "samples", "cnc", "phishing", "ransom", "emotet", "fraud services", "command _and_control", "trojan", "scanning host", "active threat", "malicious", "date hash", "avast avg", "susp", "win32", "paste", "hostnames", "http response", "final url", "ip address", "status code", "body length", "b body", "headers date", "connection", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "ovh sas", "export", "summary iocs", "graph community", "limited", "yotta network", "gvb gelimed", "kb microsoft", "indonesia", "kyriazhs1975", "vj79", "bc https", "rexxfield", "brian sabey", "as21342", "united", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "urls", "msie", "chrome", "creation date", "search", "dnssec", "entries", "body", "date", "as63949 linode", "mtb feb", "checkin m1", "gmt content", "type", "encrypt", "trojan", "artro", "moved", "pulse pulses", "yotta data", "yotta", "private limited", "india", "limited yotta", "number", "as140641", "network", "facebook", "info", "cisco umbrella", "site", "alexa top", "site top", "million", "safe site", "million alexa", "site safe", "cobalt strike", "malicious url", "blacknet rat", "union", "vidar", "malware", "stealer", "bank", "alexa", "deepscan", "phishing", "team", "super", "blacknet", "babar", "detection list", "blacklist http", "sample", "submission", "history first", "analysis", "utc http", "response final", "url http", "kb body", "path", "as396982 google", "bq mar", "win32cve mar", "exploit", "virtool", "status", "name servers", "emails", "servers", "next", "files", "as44273 host", "germany unknown", "expiration date", "showing", "win32upatre mar", "milehighmedia", "ids detections", "possible fake", "av checkin", "initial checkin", "checkin", "utah data", "center", "june", "data center", "responsible", "nsa utah", "march", "closeup view", "july", "view", "february", "prism", "cascade", "darpa", "twitter", "as20940", "aaaa", "as16625 akamai", "nxdomain", "whitelisted", "domain", "as54113", "msil", "cryp", "files show", "entries related", "domains", "as15169 google", "gmt cache", "sameorigin", "trojandropper", "asnone united", "title error", "porkbun", "mtb mar", "trojanspy", "installer", "loader", "hijacker", "targeting", "as30456", "sec ch", "for privacy", "ch ua", "hash avast", "avg clamav", "msdefender mar", "lowfi", "dns replication", "ip detections", "country", "contacted", "graph", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "file size", "open threat", "learn", "html info", "exchange meta", "tags twitter", "alienvault", "script tags", "iframe tags", "google tag", "manager anchor", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "google", "amazon ec2", "email", "city", "server", "amazon data", "amazon", "code", "form", "po box", "tech", "show", "description ype", "collections", "partru", "execution", "fake host" ], "references": [ "Part II -Some users OTX accounts connected to the following | Unexpected revelation |", "Title Salzburg Airport | Public Operations Display Portal | http://quantum.emsbk.com/", "go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...", "https://www.milehighmedia.com/legal/2257", "http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "http://schoolcare.dyndns.org/soap/ISCKeyUpdater", "http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud | jenkins.devnautiluscloud.net |", "hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/", "http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg", "CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 | 34.174.78.212", "Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO", "https://nsa.gov1.info/utah-data-center", "https://softwaremill.com/grpc-vs-rest/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Arab Emirates" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null }, { "id": "#Lowfi:LUA:AutoItV3CraftedOverlay", "display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay", "target": null }, { "id": "Crypt3.BWVY", "display_name": "Crypt3.BWVY", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Dropper.Generic_r.EC", "display_name": "Dropper.Generic_r.EC", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "ALF:Trojan:Win32/Zbot", "display_name": "ALF:Trojan:Win32/Zbot", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1605", "name": "Command-Line Interface", "display_name": "T1605 - Command-Line Interface" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6765, "FileHash-MD5": 688, "FileHash-SHA1": 422, "FileHash-SHA256": 3169, "domain": 2171, "hostname": 1714, "email": 11, "CVE": 2, "CIDR": 2 }, "indicator_count": 14944, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "743 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eadaae65b9123721198d08", "name": "Nivdort | Affected OTX accounts | Yotta Network (Cloned OTX user)", "description": "", "modified": "2024-04-06T23:03:19.046000", "created": "2024-03-08T09:30:22.295000", "tags": [ "methodpost", "threat", "iocs", "urls http", "samples", "cnc", "phishing", "ransom", "emotet", "fraud services", "command _and_control", "trojan", "scanning host", "active threat", "malicious", "date hash", "avast avg", "susp", "win32", "paste", "hostnames", "http response", "final url", "ip address", "status code", "body length", "b body", "headers date", "connection", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "ovh sas", "export", "summary iocs", "graph community", "limited", "yotta network", "gvb gelimed", "kb microsoft", "indonesia", "kyriazhs1975", "vj79", "bc https", "rexxfield", "brian sabey", "as21342", "united", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "urls", "msie", "chrome", "creation date", "search", "dnssec", "entries", "body", "date", "as63949 linode", "mtb feb", "checkin m1", "gmt content", "type", "encrypt", "trojan", "artro", "moved", "pulse pulses", "yotta data", "yotta", "private limited", "india", "limited yotta", "number", "as140641", "network", "facebook", "info", "cisco umbrella", "site", "alexa top", "site top", "million", "safe site", "million alexa", "site safe", "cobalt strike", "malicious url", "blacknet rat", "union", "vidar", "malware", "stealer", "bank", "alexa", "deepscan", "phishing", "team", "super", "blacknet", "babar", "detection list", "blacklist http", "sample", "submission", "history first", "analysis", "utc http", "response final", "url http", "kb body", "path", "as396982 google", "bq mar", "win32cve mar", "exploit", "virtool", "status", "name servers", "emails", "servers", "next", "files", "as44273 host", "germany unknown", "expiration date", "showing", "win32upatre mar", "milehighmedia", "ids detections", "possible fake", "av checkin", "initial checkin", "checkin", "utah data", "center", "june", "data center", "responsible", "nsa utah", "march", "closeup view", "july", "view", "february", "prism", "cascade", "darpa", "twitter", "as20940", "aaaa", "as16625 akamai", "nxdomain", "whitelisted", "domain", "as54113", "msil", "cryp", "files show", "entries related", "domains", "as15169 google", "gmt cache", "sameorigin", "trojandropper", "asnone united", "title error", "porkbun", "mtb mar", "trojanspy", "installer", "loader", "hijacker", "targeting", "as30456", "sec ch", "for privacy", "ch ua", "hash avast", "avg clamav", "msdefender mar", "lowfi", "dns replication", "ip detections", "country", "contacted", "graph", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "file size", "open threat", "learn", "html info", "exchange meta", "tags twitter", "alienvault", "script tags", "iframe tags", "google tag", "manager anchor", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "google", "amazon ec2", "email", "city", "server", "amazon data", "amazon", "code", "form", "po box", "tech", "show", "description ype", "collections", "partru", "execution", "fake host" ], "references": [ "Part II -Some users OTX accounts connected to the following | Unexpected revelation |", "Title Salzburg Airport | Public Operations Display Portal | http://quantum.emsbk.com/", "go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...", "https://www.milehighmedia.com/legal/2257", "http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "http://schoolcare.dyndns.org/soap/ISCKeyUpdater", "http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud | jenkins.devnautiluscloud.net |", "hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/", "http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg", "CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 | 34.174.78.212", "Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO", "https://nsa.gov1.info/utah-data-center", "https://softwaremill.com/grpc-vs-rest/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Arab Emirates" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null }, { "id": "#Lowfi:LUA:AutoItV3CraftedOverlay", "display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay", "target": null }, { "id": "Crypt3.BWVY", "display_name": "Crypt3.BWVY", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Dropper.Generic_r.EC", "display_name": "Dropper.Generic_r.EC", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "ALF:Trojan:Win32/Zbot", "display_name": "ALF:Trojan:Win32/Zbot", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1605", "name": "Command-Line Interface", "display_name": "T1605 - Command-Line Interface" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology", "Financial" ], "TLP": "white", "cloned_from": "65ea56ae1992b02a25aa5c51", "export_count": 63, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6765, "FileHash-MD5": 688, "FileHash-SHA1": 422, "FileHash-SHA256": 3169, "domain": 2171, "hostname": 1714, "email": 11, "CVE": 2, "CIDR": 2 }, "indicator_count": 14944, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "743 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c994c8b145925072b6583a", "name": "Private Loader cyber threat - Sliq.net | https://house.mo.gov", "description": "Link found active in https://house.mo.gov. \nhttps://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1 |", "modified": "2024-03-13T03:00:40.889000", "created": "2024-02-12T03:47:20.138000", "tags": [ "ssl certificate", "threat roundup", "referrer", "historical ssl", "remcos rat", "august", "iocs", "contacted", "qakbot", "june", "service", "privateloader", "amadey", "blacknet rat", "qbot", "cobalt strike", "push", "core", "malformed domains", "sliq", "typosquatting", "malware", "network", "dns", "spyware", "access", "remote", "cyber threat", "virus network", "command and control", "remote connections", "exploits", "injection", "legislature", "trojan", "scanning host", "threat analyzer", "threat", "paste", "urls https", "locationchamber", "viewmode3", "hostnames", "url https", "false layer", "http" ], "references": [ "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "https://www.facebooksunglassshop.com [pegasus related]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Technology", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 36, "FileHash-SHA256": 1384, "CVE": 5, "URL": 1865, "domain": 222, "hostname": 648 }, "indicator_count": 4216, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "768 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab679e6ff8544ecf11962", "name": "Private Loader cyber threat - Sliq.net | https://house.mo.gov ", "description": "", "modified": "2024-03-13T03:00:40.889000", "created": "2024-02-13T00:23:21.062000", "tags": [ "ssl certificate", "threat roundup", "referrer", "historical ssl", "remcos rat", "august", "iocs", "contacted", "qakbot", "june", "service", "privateloader", "amadey", "blacknet rat", "qbot", "cobalt strike", "push", "core", "malformed domains", "sliq", "typosquatting", "malware", "network", "dns", "spyware", "access", "remote", "cyber threat", "virus network", "command and control", "remote connections", "exploits", "injection", "legislature", "trojan", "scanning host", "threat analyzer", "threat", "paste", "urls https", "locationchamber", "viewmode3", "hostnames", "url https", "false layer", "http" ], "references": [ "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "https://www.facebooksunglassshop.com [pegasus related]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Technology", "Civil Society" ], "TLP": "white", "cloned_from": "65c994c8b145925072b6583a", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 36, "FileHash-SHA256": 1384, "CVE": 5, "URL": 1865, "domain": 222, "hostname": 648 }, "indicator_count": 4216, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "768 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://admin.dilmil.co", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://admin.dilmil.co", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776661710.8992038 }