{ "type": "URL", "indicator": "https://admin.havesme.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://admin.havesme.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3779233173, "indicator": "https://admin.havesme.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69bf261cc4e399447d78776c", "name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |", "description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com", "modified": "2026-03-21T23:13:32.760000", "created": "2026-03-21T23:13:32.760000", "tags": [ "sc data", "data upload", "please sub", "include data", "extraction", "failed", "sc pulse", "idron anv", "extr please", "include review", "exclude sugges", "stop show", "typ domain", "united", "virtool", "name servers", "cryp", "emails", "win32", "ip address", "worm", "trojan", "learn", "suspicious", "informative", "ck id", "name tactics", "command", "adversaries", "spawns", "ssl certificate", "initial access", "link initial", "prefetch8", "mitre att", "ck matrix", "flag", "windows nt", "win64", "accept", "encrypt", "form", "hybrid", "bypass", "general", "path", "iframe", "click", "strings", "anchor https", "anchor", "liberal", "sabey", "liberal friends", "meta", "html internet", "html document", "unicode text", "utf8 text", "info initial", "access ta0001", "compromise", "t1189 network", "communication", "get http", "artifacts v", "full reports", "v get", "help dns", "resolutions", "ip traffic", "extr data", "enter sc", "extra data", "referen", "broth", "passive dns", "urls", "http", "hostname", "files domain", "files related", "related tags", "none google", "safe browsing", "inquest labs", "lucas acha", "code integrity", "checks creation", "otx logo", "all hostname", "files", "domain", "protect", "date", "title", "exchange", "se http", "present jan", "present feb", "present dec", "backdoor", "certificate", "all domain", "alibaba cloud", "hichina", "porkbun llc", "cloudflare", "namecheap inc", "namecheap", "domains", "dynadot llc", "ascio", "denmark", "url https", "filehashsha256", "url http", "dopple ai", "snit", "iocs", "otx description", "information", "report spam", "delete service", "poem", "hunter", "malicious", "porn revenge", "brian sabeys", "all report", "spam delete", "rl http", "https", "expiration http", "spam brian", "swipper", "type indicator", "role title", "added active", "related pulses", "filehashmd5", "filehashsha1", "sha256", "scan", "learn more", "indicators show", "tbmvid", "sourcelnms", "zx1724209326040", "xxx videos", "xxxvideohd", "adversary", "packing", "palantir.com", "discovery", "victim won case", "doin it", "palantirian abuse", "apple", "sabey data centers", "insurance", "quasi government", "the brother sabey", "reimer", "law enforcement", "vessel state", "sabey porn", "hall evans", "christopher ahmann", "defamation", "google" ], "references": [ "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "http://watchhers.net/index.php", "http://212.33.237.86/images/1/report.php", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://webmail.police.govmm.org/owa/", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "Mark Brian Sabey", "Melvin Sabey", "Christopher P \u2018Buzz\u2019 Ahmann", "Ronda Cordova", "Unknown Persons impersonating Private Investigators (plural)", "Quasi Government Case", "Victim silenced. Struck by Car Driven by male police let walk", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "Reimer was a PT. Unknown whereabouts , name or job description", "Denver Police Department Major Crimes closed investigation", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "I bring up the personal nature of the crime because a delete service has been used", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "All IoC\u2019s originate from sources named. There are some unknown attackers", "This is a serious crime. I\u2019m certain God WILL pay them.", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "https://207-207-25-201.fwd.datafoundry.com/", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "Updated | What\u2019s left after theft", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "https://www.datafoundry.com/category/news/press-releases/", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "Some may may find this content is very disturbing and offensive" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Porn Revenge", "display_name": "Porn Revenge", "target": null }, { "id": "Tons of Malware", "display_name": "Tons of Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6034, "domain": 1422, "IPv4": 883, "FileHash-MD5": 274, "FileHash-SHA1": 252, "FileHash-SHA256": 3378, "email": 11, "hostname": 2753, "CVE": 1, "SSLCertFingerprint": 9, "IPv6": 32 }, "indicator_count": 15049, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bc8015944465ffa1c03148", "name": "Security Affairs affecting Critical Infrastructure", "description": "Security affairs.com found in a State Policy & Financing website research due to social engineering & insurance policies hacking scheme. \u2022 SecurityAffairs.com statement: The website specializes in cybersecurity and its related fields, providing insights into current threats and trends. \nContent:\nIt features news articles, investigative reports, and analyses from experts in the field. \nTopics:\nContent often includes discussions on:\ncybercrime,\ncybersecurity trends ,\nintelligence and geopolitics,\nemerging threats. (I can\u2019t verify because idk).\n\n(Auto populated: 335,923 out of 489,337 Fortinet firewalls vulnerable to CVE-2023-27997)\nAdversary auto populated: Suggested Adversaries:\nMember Ad-Hoc Working ADVERSARIES Group on Cyber Threat Landscapes, Ethical Hacker, Security Evangelist", "modified": "2025-10-06T18:03:15.359000", "created": "2025-09-06T18:40:21.276000", "tags": [ "script urls", "security", "script domains", "ip address", "meta", "stealth window", "reads_self", "creates_largekey", "dynamic_function_loading", "script_created_process", "antivm_generic_disk", "ids", "infostealer_cookies", "infostealer_keylog", "custom malware", "suspicious_command_tools", "antisandbox_mouse_hook", "dynamicloader", "tlsv1", "ogoogle trust", "cngts ca", "tls handshake", "failure", "united", "high", "search", "write", "malware", "unknown", "extraction", "data upload", "extraction data", "enter soudae", "hdi ad", "temdac c", "extri", "include review", "trojandropper", "mtb jun", "passive dns", "files", "location united", "twitter", "exploit", "delete c", "intel", "ms windows", "medium", "pe32", "port", "destination", "present sep", "a domains", "creation date", "error", "title", "android", "known exploited", "google", "salesloft drift", "qantas", "july", "meetc2", "c2 framework", "google calendar", "apis", "critical", "rokrat", "windows", "tags none", "file type", "virustotal api", "screenshots", "comments", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "defense evasion", "spawns", "t1590 gather", "copy md5", "copy sha1", "copy sha256", "additional info", "yara signature", "unicode text", "utf8 text", "idat", "style", "defs", "command decode", "strings", "yxgbc", "core", "flag", "date", "markmonitor", "server", "automattic", "name server", "proxy", "llc name", "windir", "pattern match", "mitre att", "show technique", "ck matrix", "sha1", "show process", "hybrid", "general", "local", "path", "encrypt", "form", "iframe", "click", "server response", "google safe", "results aug", "affairs", "founder", "cybhorus", "cybaze", "member adhoc", "working group", "cyber threat", "landscapes", "ethical hacker", "hoc working", "ssl certificate", "initial access", "href", "ascii text" ], "references": [ "https://securityaffairs.com/", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "Multiple other undocumented malware" ], "public": 1, "adversary": "Hoc Working", "targeted_countries": [], "malware_families": [ { "id": "!#AddsCopyToStartup", "display_name": "!#AddsCopyToStartup", "target": null }, { "id": "!#LowFiWriteMZInUnusualExtension", "display_name": "!#LowFiWriteMZInUnusualExtension", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "\"prepending (enc) ransomware\" (Not an official name)", "display_name": "\"prepending (enc) ransomware\" (Not an official name)", "target": null }, { "id": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "target": null }, { "id": "CVE-2025-42957", "display_name": "CVE-2025-42957", "target": null }, { "id": "CVE-2023-27997", "display_name": "CVE-2023-27997", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Manufacturing", "Critical Infrastructure" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 187, "FileHash-SHA1": 152, "FileHash-SHA256": 1140, "URL": 1258, "domain": 237, "email": 1, "hostname": 470, "SSLCertFingerprint": 17, "CVE": 3 }, "indicator_count": 3465, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bbdb22e3d606ae8fb5cda8", "name": "HCPF | Department of Health Care Policy and Financing", "description": "Project Nemesis - Affects Department of Health Care Policy and Financing | Family representative repeatedly told past bills aren\u2019t being paid by United Healthcare. Argus Insurance (unknown entity) was Policy on record target never had. FR was given information regarding HCPF which was being viewed by past vendor seen in (https://otx.alienvault.com/pulse/68bbb31f6d91989d7fcd9592) | Issues with HCPF have been an issue for some time in isolated scenarios. It\u2019s unclear how at least one person keeps getting their name, bills and life pulled into this. Target PURCHASED a Healthcare policy via agent before major social engineering attacks. Same entity literally robs targets. Gift cards, phone services, cloud storage, account, insurance policies, bank account access, tax refunds, paid claims reversed & taken from target\u2019s account.\nMore research needed. Flaws in new system could jeopardize many. \n#trulymissed #rip #techbrohell #palantir", "modified": "2025-10-06T05:01:18.794000", "created": "2025-09-06T06:56:34.649000", "tags": [ "federal changes", "health first", "colorado", "child health", "plan plus", "newimpact", "medicaidour", "impact", "medicaid page", "medicaid", "beware", "text/html", "trackers", "iframes", "external-resources", "new relic", "g1gv3h3sxc0", "utc gcw970gh4gg", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "no expiration", "url https", "type indicator", "role title", "related pulses", "hostname https", "m4e5930", "hostname", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "search", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "urls", "title", "date", "resolved ips", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "endgame systems" ], "references": [ "Researched: https://hcpf.colorado.gov/", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "millet-usgc-1.palantirfedstart.com", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "https://passwords.google/?utm_medium=hpp&utm", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "Researched publicly available information provided by representative of a target\u2019s estate", "System has placed affected on multiple policies cancelling private policy without notice.", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "Provided documented evidence of appealed state issued plan and disclosed financials.", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Hospitality", "Financial", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1395, "URL": 4304, "CVE": 1, "domain": 694, "FileHash-SHA256": 1790, "FileHash-MD5": 183, "FileHash-SHA1": 103, "SSLCertFingerprint": 5 }, "indicator_count": 8475, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67ebfc921491771b15be63e3", "name": "CnC Spyware | Pegasus Related | Ciberespionage Campaign | Skynet | Samsung | Google | DNS Hijacking", "description": "Presume ser una campa\u00f1a de ciberespionaje orquestada por una organizaci\u00f3n gubernamental, dirigida hacia m\u00faltiples objetivos individuales (civiles) que consideran sospechosos. El software utilizado es similar a Pegasus, Skynet, Graphite para dispositivos Android y Mirai, Emotet, Berbew para dispositivos Linux y Windows. Los \"modus operandi\" abarcan m\u00faltiples tipos de ataques en los que participan ISP's y empresas grandes como Google. La propagaci\u00f3n de malware se realiza a trav\u00e9s de SMS con un enlace que dirige a una web con un exploit de d\u00eda cero, o tambi\u00e9n al abrir un PDF malicioso con las mismas caracter\u00edsticas. La ingenier\u00eda social juega un papel fundamental en este tipo de ataques. El tr\u00e1fico parece ser enmascarado en DNS 8.8.8.8 para no ser detectado.", "modified": "2025-05-05T16:00:41.799000", "created": "2025-04-01T14:47:46.507000", "tags": [ "Government", "Pegasus", "Graphite", "Skynet", "Malware", "Campaign", "Samsung", "Android", "Unix", "Linux", "Browser", "Windows", "Zeroday", "Trojan" ], "references": [], "public": 1, "adversary": "Government", "targeted_countries": [ "Spain", "United States of America" ], "malware_families": [ { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Backdoor:Win32/Mirai", "display_name": "Backdoor:Win32/Mirai", "target": "/malware/Backdoor:Win32/Mirai" }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Backdoor:Win32/Berbew", "display_name": "Backdoor:Win32/Berbew", "target": "/malware/Backdoor:Win32/Berbew" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "TEL:Spyware:AndroidOS/SpyMax", "display_name": "TEL:Spyware:AndroidOS/SpyMax", "target": null }, { "id": "AndroRAT - MOB-S0008", "display_name": "AndroRAT - MOB-S0008", "target": null }, { "id": "Samsung", "display_name": "Samsung", "target": null }, { "id": "GoogleDrive RAT", "display_name": "GoogleDrive RAT", "target": null }, { "id": "#Lowfi:HSTR:BrowserModifier:ConsentBypass", "display_name": "#Lowfi:HSTR:BrowserModifier:ConsentBypass", "target": null }, { "id": "Backdoor:Win32/DnsDoor", "display_name": "Backdoor:Win32/DnsDoor", "target": "/malware/Backdoor:Win32/DnsDoor" }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:JS/DNSChanger", "display_name": "Trojan:JS/DNSChanger", "target": "/malware/Trojan:JS/DNSChanger" }, { "id": "#PowerShell:EncodedCommand", "display_name": "#PowerShell:EncodedCommand", "target": null }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null } ], "attack_ids": [ { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1590.002", "name": "DNS", "display_name": "T1590.002 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1568.001", "name": "Fast Flux DNS", "display_name": "T1568.001 - Fast Flux DNS" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1076", "name": "Remote Desktop Protocol", "display_name": "T1076 - Remote Desktop Protocol" } ], "industries": [ "Government", "Civil", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "depdgaus", "id": "315837", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3592, "domain": 712, "hostname": 1246, "FileHash-SHA256": 900 }, "indicator_count": 6450, "is_author": false, "is_subscribing": null, "subscriber_count": 10, "modified_text": "349 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cd05cd3c9d0cc0b9ed215f", "name": "Emotet - https://www.gambinospizza.com | Brian Sabey \u2022 HallRender", "description": "\u2022Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.\n\n\u2022Scammer 'Attorney' Brian Sabey | HallRender associated ; utilizes every form of social engineering to gain full access to phone numbers, email, banking, network, relatives, contacts, PHI, PII, modifies services.\n.", "modified": "2024-04-15T08:03:32.381000", "created": "2024-02-14T18:26:21.427000", "tags": [ "united", "unknown", "status", "sec ch", "as44273 host", "search", "aaaa", "showing", "ch ua", "record value", "ssl certificate", "threat roundup", "contacted", "communicating", "historical ssl", "referrer", "resolutions", "http", "execution", "gopher", "pattern match", "breakpoint", "command decode", "desktop", "base", "gambino", "pizza", "suricata ipv4", "mitre att", "date", "meta", "footer", "february", "general", "model", "comspec", "click", "strings", "main", "brian sabey", "hallrender", "trojan", "worm", "frankfurt", "germany", "asn15169", "google", "asn16509", "amazon02", "asn396982", "kansas city", "franchise url", "gmbh version", "status page", "service privacy", "legal", "impressum", "reverse dns", "general full", "url https", "resource", "hash", "protocol h2", "asn13335", "cloudflarenet", "software", "domains", "hashes", "learn", "issues tab", "value", "variables", "typeof function", "topropertykey", "bricksintersect", "bricksfunction", "domainpath name", "request chain", "chain", "nl page", "url history", "javascript", "page url", "redirected", "poweshell", "bruschettab", "mobsterstageda", "calzonec", "threat analyzer", "threat", "paste", "iocs", "hostnames", "beefpizzac", "superitaliansub", "cname", "msie", "chrome", "asnone united", "as6336 turn", "nxdomain", "whitelisted", "creation date", "turn", "body", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "registrar abuse", "iana id", "registrar url", "registrar whois", "contact email", "registry domain", "contact phone", "dnssec", "code", "type name", "win32 exe", "recreation", "whois record", "infected", "page dow", "poser", "scammer", "security", "malvertizing", "betting", "illegal activity", "linux", "teen porn", "child exploitation", "script urls", "a domains", "as10796 charter", "find your", "next franchise", "x content", "backend", "as13768 aptum", "moved", "passive dns", "urls", "as2635", "as14061", "scan endpoints", "all octoseek", "url http", "pulse pulses", "ip address", "related nids", "files location", "date hash", "avast avg", "nastya", "entries", "emotet", "windows nt", "show", "etpro trojan", "channel", "artemis", "medium", "delete", "copy", "virustotal", "trojan", "write", "trojanproxy", "vipre", "panda", "malware", "malware infection", "dga", "algorithm generated domains", "command and control", "pe32 executable", "tag", "tagging", "porn tagging", "as3356 level", "tahoma arial", "servers", "as1136 kpn", "next", "et", "remote", "confirm http", "sectrack", "openssl", "fulldisc", "secunia", "confirm https", "openssl tls", "multiple", "remote", "misc https", "impact", "heartbleed", "external source", "name hyperlink", "hp hpsbmu02998", "hp hpsbmu03019", "hp hpsbmu03030", "hp hpsbmu03018", "title", "lowfi", "title error", "body doctype", "html public", "w3cdtd html", "html head", "mozilla", "720.282.2025", "masquerading", "ninite feb", "mtb feb", "telper", "trojandropper", "ninite", "create c", "read c", "default", "create", "unicode", "dock", "xport" ], "references": [ "www.gambinospizza.com", "0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com", "https://play.google.com/store/apps/details?id=com.e9117073d4e0.www", "targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd", "https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu", "http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu", "theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com", "https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site", "http://porn.toplistcreator.eu/in.php", "ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63", "Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10", "https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110", "http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD", "CVE-2014-0160 \u2022 CVE-2017-11882", "a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com", "animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "XLS:Nastya\\ [Trj]", "display_name": "XLS:Nastya\\ [Trj]", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Crypt4.YGM", "display_name": "Crypt4.YGM", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Heartbleed Bug", "display_name": "Heartbleed Bug", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 118, "FileHash-SHA1": 106, "domain": 3271, "hostname": 2451, "URL": 8652, "email": 8, "FileHash-SHA256": 3153, "CVE": 4 }, "indicator_count": 17763, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "Victim silenced. Struck by Car Driven by male police let walk", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "Unknown Persons impersonating Private Investigators (plural)", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "Ronda Cordova", "http://watchhers.net/index.php", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://webmail.police.govmm.org/owa/", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "https://play.google.com/store/apps/details?id=com.e9117073d4e0.www", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "System has placed affected on multiple policies cancelling private policy without notice.", "https://securityaffairs.com/", "millet-usgc-1.palantirfedstart.com", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "Provided documented evidence of appealed state issued plan and disclosed financials.", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "Researched: https://hcpf.colorado.gov/", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI", "Mark Brian Sabey", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "https://www.datafoundry.com/category/news/press-releases/", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "https://passwords.google/?utm_medium=hpp&utm", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd", "ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "Christopher P \u2018Buzz\u2019 Ahmann", "www.gambinospizza.com", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "https://207-207-25-201.fwd.datafoundry.com/", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "https://rdweb.datafoundry.com/", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "Melvin Sabey", "All IoC\u2019s originate from sources named. There are some unknown attackers", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "http://porn.toplistcreator.eu/in.php", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com", "https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "Researched publicly available information provided by representative of a target\u2019s estate", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "Some may may find this content is very disturbing and offensive", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "I bring up the personal nature of the crime because a delete service has been used", "https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site", "http://212.33.237.86/images/1/report.php", "Denver Police Department Major Crimes closed investigation", "targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "CVE-2014-0160 \u2022 CVE-2017-11882", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "Multiple other undocumented malware", "https://www.datafoundry.com/data-center-contamination-control/", "http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu", "Updated | What\u2019s left after theft", "https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110", "This is a serious crime. I\u2019m certain God WILL pay them.", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "Reimer was a PT. Unknown whereabouts , name or job description", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com", "Quasi Government Case", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Government", "Hoc Working" ], "malware_families": [ "Pegasus for android - mob-s0032", "Trojandownloader:linux/mirai", "!#lowfiwritemzinunusualextension", "Zbot", "Pegasus for android - s0316", "Trojan:win32/qqpass", "Pws:win32/ymacco.aa50", "Lizar", "Carbanak", "Porn revenge", "Et", "Project nemesis", "Alf:heraklezeval:trojan:win32/salgorea!rfn", "!#addscopytostartup", "Tel:spyware:androidos/spymax", "Xls:nastya\\ [trj]", "Tons of malware", "Emotet", "Samsung", "Trojan:win32/comspec", "Cobalt strike", "Backdoor:linux/mirai", "#lowfi:hstr:browsermodifier:consentbypass", "Cve-2023-27997", "Dnspionage", "Googledrive rat", ".a , alf:heraklezeval:pws:win32/ldpinch!rfn", "Trojan:js/berbew", "Alf:backdoor:java/webshell", "Trojan:js/dnschanger", "Heartbleed bug", "#powershell:encodedcommand", "Backdoor:win32/dnsdoor", "Crypt4.ygm", "Backdoor:win32/berbew", "Androrat - mob-s0008", "#hstr:hacktool:win32/remoteshell", "\"prepending (enc) ransomware\" (not an official name)", "Cve-2025-42957", "Backdoor:win32/mirai", "Domino", "Ddos:linux/mirai" ], "industries": [ "Hospitality", "Civil", "Financial", "Healthcare", "Critical infrastructure", "Government", "Manufacturing" ], "unique_indicators": 47845 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/havesme.com", "whois": "http://whois.domaintools.com/havesme.com", "domain": "havesme.com", "hostname": "admin.havesme.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69bf261cc4e399447d78776c", "name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |", "description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com", "modified": "2026-03-21T23:13:32.760000", "created": "2026-03-21T23:13:32.760000", "tags": [ "sc data", "data upload", "please sub", "include data", "extraction", "failed", "sc pulse", "idron anv", "extr please", "include review", "exclude sugges", "stop show", "typ domain", "united", "virtool", "name servers", "cryp", "emails", "win32", "ip address", "worm", "trojan", "learn", "suspicious", "informative", "ck id", "name tactics", "command", "adversaries", "spawns", "ssl certificate", "initial access", "link initial", "prefetch8", "mitre att", "ck matrix", "flag", "windows nt", "win64", "accept", "encrypt", "form", "hybrid", "bypass", "general", "path", "iframe", "click", "strings", "anchor https", "anchor", "liberal", "sabey", "liberal friends", "meta", "html internet", "html document", "unicode text", "utf8 text", "info initial", "access ta0001", "compromise", "t1189 network", "communication", "get http", "artifacts v", "full reports", "v get", "help dns", "resolutions", "ip traffic", "extr data", "enter sc", "extra data", "referen", "broth", "passive dns", "urls", "http", "hostname", "files domain", "files related", "related tags", "none google", "safe browsing", "inquest labs", "lucas acha", "code integrity", "checks creation", "otx logo", "all hostname", "files", "domain", "protect", "date", "title", "exchange", "se http", "present jan", "present feb", "present dec", "backdoor", "certificate", "all domain", "alibaba cloud", "hichina", "porkbun llc", "cloudflare", "namecheap inc", "namecheap", "domains", "dynadot llc", "ascio", "denmark", "url https", "filehashsha256", "url http", "dopple ai", "snit", "iocs", "otx description", "information", "report spam", "delete service", "poem", "hunter", "malicious", "porn revenge", "brian sabeys", "all report", "spam delete", "rl http", "https", "expiration http", "spam brian", "swipper", "type indicator", "role title", "added active", "related pulses", "filehashmd5", "filehashsha1", "sha256", "scan", "learn more", "indicators show", "tbmvid", "sourcelnms", "zx1724209326040", "xxx videos", "xxxvideohd", "adversary", "packing", "palantir.com", "discovery", "victim won case", "doin it", "palantirian abuse", "apple", "sabey data centers", "insurance", "quasi government", "the brother sabey", "reimer", "law enforcement", "vessel state", "sabey porn", "hall evans", "christopher ahmann", "defamation", "google" ], "references": [ "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "http://watchhers.net/index.php", "http://212.33.237.86/images/1/report.php", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://webmail.police.govmm.org/owa/", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "Mark Brian Sabey", "Melvin Sabey", "Christopher P \u2018Buzz\u2019 Ahmann", "Ronda Cordova", "Unknown Persons impersonating Private Investigators (plural)", "Quasi Government Case", "Victim silenced. Struck by Car Driven by male police let walk", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "Reimer was a PT. Unknown whereabouts , name or job description", "Denver Police Department Major Crimes closed investigation", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "I bring up the personal nature of the crime because a delete service has been used", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "All IoC\u2019s originate from sources named. There are some unknown attackers", "This is a serious crime. I\u2019m certain God WILL pay them.", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "https://207-207-25-201.fwd.datafoundry.com/", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "Updated | What\u2019s left after theft", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "https://www.datafoundry.com/category/news/press-releases/", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "Some may may find this content is very disturbing and offensive" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Porn Revenge", "display_name": "Porn Revenge", "target": null }, { "id": "Tons of Malware", "display_name": "Tons of Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6034, "domain": 1422, "IPv4": 883, "FileHash-MD5": 274, "FileHash-SHA1": 252, "FileHash-SHA256": 3378, "email": 11, "hostname": 2753, "CVE": 1, "SSLCertFingerprint": 9, "IPv6": 32 }, "indicator_count": 15049, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bc8015944465ffa1c03148", "name": "Security Affairs affecting Critical Infrastructure", "description": "Security affairs.com found in a State Policy & Financing website research due to social engineering & insurance policies hacking scheme. \u2022 SecurityAffairs.com statement: The website specializes in cybersecurity and its related fields, providing insights into current threats and trends. \nContent:\nIt features news articles, investigative reports, and analyses from experts in the field. \nTopics:\nContent often includes discussions on:\ncybercrime,\ncybersecurity trends ,\nintelligence and geopolitics,\nemerging threats. (I can\u2019t verify because idk).\n\n(Auto populated: 335,923 out of 489,337 Fortinet firewalls vulnerable to CVE-2023-27997)\nAdversary auto populated: Suggested Adversaries:\nMember Ad-Hoc Working ADVERSARIES Group on Cyber Threat Landscapes, Ethical Hacker, Security Evangelist", "modified": "2025-10-06T18:03:15.359000", "created": "2025-09-06T18:40:21.276000", "tags": [ "script urls", "security", "script domains", "ip address", "meta", "stealth window", "reads_self", "creates_largekey", "dynamic_function_loading", "script_created_process", "antivm_generic_disk", "ids", "infostealer_cookies", "infostealer_keylog", "custom malware", "suspicious_command_tools", "antisandbox_mouse_hook", "dynamicloader", "tlsv1", "ogoogle trust", "cngts ca", "tls handshake", "failure", "united", "high", "search", "write", "malware", "unknown", "extraction", "data upload", "extraction data", "enter soudae", "hdi ad", "temdac c", "extri", "include review", "trojandropper", "mtb jun", "passive dns", "files", "location united", "twitter", "exploit", "delete c", "intel", "ms windows", "medium", "pe32", "port", "destination", "present sep", "a domains", "creation date", "error", "title", "android", "known exploited", "google", "salesloft drift", "qantas", "july", "meetc2", "c2 framework", "google calendar", "apis", "critical", "rokrat", "windows", "tags none", "file type", "virustotal api", "screenshots", "comments", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "defense evasion", "spawns", "t1590 gather", "copy md5", "copy sha1", "copy sha256", "additional info", "yara signature", "unicode text", "utf8 text", "idat", "style", "defs", "command decode", "strings", "yxgbc", "core", "flag", "date", "markmonitor", "server", "automattic", "name server", "proxy", "llc name", "windir", "pattern match", "mitre att", "show technique", "ck matrix", "sha1", "show process", "hybrid", "general", "local", "path", "encrypt", "form", "iframe", "click", "server response", "google safe", "results aug", "affairs", "founder", "cybhorus", "cybaze", "member adhoc", "working group", "cyber threat", "landscapes", "ethical hacker", "hoc working", "ssl certificate", "initial access", "href", "ascii text" ], "references": [ "https://securityaffairs.com/", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "Multiple other undocumented malware" ], "public": 1, "adversary": "Hoc Working", "targeted_countries": [], "malware_families": [ { "id": "!#AddsCopyToStartup", "display_name": "!#AddsCopyToStartup", "target": null }, { "id": "!#LowFiWriteMZInUnusualExtension", "display_name": "!#LowFiWriteMZInUnusualExtension", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "\"prepending (enc) ransomware\" (Not an official name)", "display_name": "\"prepending (enc) ransomware\" (Not an official name)", "target": null }, { "id": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "target": null }, { "id": "CVE-2025-42957", "display_name": "CVE-2025-42957", "target": null }, { "id": "CVE-2023-27997", "display_name": "CVE-2023-27997", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Manufacturing", "Critical Infrastructure" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 187, "FileHash-SHA1": 152, "FileHash-SHA256": 1140, "URL": 1258, "domain": 237, "email": 1, "hostname": 470, "SSLCertFingerprint": 17, "CVE": 3 }, "indicator_count": 3465, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bbdb22e3d606ae8fb5cda8", "name": "HCPF | Department of Health Care Policy and Financing", "description": "Project Nemesis - Affects Department of Health Care Policy and Financing | Family representative repeatedly told past bills aren\u2019t being paid by United Healthcare. Argus Insurance (unknown entity) was Policy on record target never had. FR was given information regarding HCPF which was being viewed by past vendor seen in (https://otx.alienvault.com/pulse/68bbb31f6d91989d7fcd9592) | Issues with HCPF have been an issue for some time in isolated scenarios. It\u2019s unclear how at least one person keeps getting their name, bills and life pulled into this. Target PURCHASED a Healthcare policy via agent before major social engineering attacks. Same entity literally robs targets. Gift cards, phone services, cloud storage, account, insurance policies, bank account access, tax refunds, paid claims reversed & taken from target\u2019s account.\nMore research needed. Flaws in new system could jeopardize many. \n#trulymissed #rip #techbrohell #palantir", "modified": "2025-10-06T05:01:18.794000", "created": "2025-09-06T06:56:34.649000", "tags": [ "federal changes", "health first", "colorado", "child health", "plan plus", "newimpact", "medicaidour", "impact", "medicaid page", "medicaid", "beware", "text/html", "trackers", "iframes", "external-resources", "new relic", "g1gv3h3sxc0", "utc gcw970gh4gg", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "no expiration", "url https", "type indicator", "role title", "related pulses", "hostname https", "m4e5930", "hostname", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "search", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "urls", "title", "date", "resolved ips", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "endgame systems" ], "references": [ "Researched: https://hcpf.colorado.gov/", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "millet-usgc-1.palantirfedstart.com", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "https://passwords.google/?utm_medium=hpp&utm", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "Researched publicly available information provided by representative of a target\u2019s estate", "System has placed affected on multiple policies cancelling private policy without notice.", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "Provided documented evidence of appealed state issued plan and disclosed financials.", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Hospitality", "Financial", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1395, "URL": 4304, "CVE": 1, "domain": 694, "FileHash-SHA256": 1790, "FileHash-MD5": 183, "FileHash-SHA1": 103, "SSLCertFingerprint": 5 }, "indicator_count": 8475, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67ebfc921491771b15be63e3", "name": "CnC Spyware | Pegasus Related | Ciberespionage Campaign | Skynet | Samsung | Google | DNS Hijacking", "description": "Presume ser una campa\u00f1a de ciberespionaje orquestada por una organizaci\u00f3n gubernamental, dirigida hacia m\u00faltiples objetivos individuales (civiles) que consideran sospechosos. El software utilizado es similar a Pegasus, Skynet, Graphite para dispositivos Android y Mirai, Emotet, Berbew para dispositivos Linux y Windows. Los \"modus operandi\" abarcan m\u00faltiples tipos de ataques en los que participan ISP's y empresas grandes como Google. La propagaci\u00f3n de malware se realiza a trav\u00e9s de SMS con un enlace que dirige a una web con un exploit de d\u00eda cero, o tambi\u00e9n al abrir un PDF malicioso con las mismas caracter\u00edsticas. La ingenier\u00eda social juega un papel fundamental en este tipo de ataques. El tr\u00e1fico parece ser enmascarado en DNS 8.8.8.8 para no ser detectado.", "modified": "2025-05-05T16:00:41.799000", "created": "2025-04-01T14:47:46.507000", "tags": [ "Government", "Pegasus", "Graphite", "Skynet", "Malware", "Campaign", "Samsung", "Android", "Unix", "Linux", "Browser", "Windows", "Zeroday", "Trojan" ], "references": [], "public": 1, "adversary": "Government", "targeted_countries": [ "Spain", "United States of America" ], "malware_families": [ { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Backdoor:Win32/Mirai", "display_name": "Backdoor:Win32/Mirai", "target": "/malware/Backdoor:Win32/Mirai" }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Backdoor:Win32/Berbew", "display_name": "Backdoor:Win32/Berbew", "target": "/malware/Backdoor:Win32/Berbew" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "TEL:Spyware:AndroidOS/SpyMax", "display_name": "TEL:Spyware:AndroidOS/SpyMax", "target": null }, { "id": "AndroRAT - MOB-S0008", "display_name": "AndroRAT - MOB-S0008", "target": null }, { "id": "Samsung", "display_name": "Samsung", "target": null }, { "id": "GoogleDrive RAT", "display_name": "GoogleDrive RAT", "target": null }, { "id": "#Lowfi:HSTR:BrowserModifier:ConsentBypass", "display_name": "#Lowfi:HSTR:BrowserModifier:ConsentBypass", "target": null }, { "id": "Backdoor:Win32/DnsDoor", "display_name": "Backdoor:Win32/DnsDoor", "target": "/malware/Backdoor:Win32/DnsDoor" }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:JS/DNSChanger", "display_name": "Trojan:JS/DNSChanger", "target": "/malware/Trojan:JS/DNSChanger" }, { "id": "#PowerShell:EncodedCommand", "display_name": "#PowerShell:EncodedCommand", "target": null }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null } ], "attack_ids": [ { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1590.002", "name": "DNS", "display_name": "T1590.002 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1568.001", "name": "Fast Flux DNS", "display_name": "T1568.001 - Fast Flux DNS" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1076", "name": "Remote Desktop Protocol", "display_name": "T1076 - Remote Desktop Protocol" } ], "industries": [ "Government", "Civil", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "depdgaus", "id": "315837", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3592, "domain": 712, "hostname": 1246, "FileHash-SHA256": 900 }, "indicator_count": 6450, "is_author": false, "is_subscribing": null, "subscriber_count": 10, "modified_text": "349 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cd05cd3c9d0cc0b9ed215f", "name": "Emotet - https://www.gambinospizza.com | Brian Sabey \u2022 HallRender", "description": "\u2022Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.\n\n\u2022Scammer 'Attorney' Brian Sabey | HallRender associated ; utilizes every form of social engineering to gain full access to phone numbers, email, banking, network, relatives, contacts, PHI, PII, modifies services.\n.", "modified": "2024-04-15T08:03:32.381000", "created": "2024-02-14T18:26:21.427000", "tags": [ "united", "unknown", "status", "sec ch", "as44273 host", "search", "aaaa", "showing", "ch ua", "record value", "ssl certificate", "threat roundup", "contacted", "communicating", "historical ssl", "referrer", "resolutions", "http", "execution", "gopher", "pattern match", "breakpoint", "command decode", "desktop", "base", "gambino", "pizza", "suricata ipv4", "mitre att", "date", "meta", "footer", "february", "general", "model", "comspec", "click", "strings", "main", "brian sabey", "hallrender", "trojan", "worm", "frankfurt", "germany", "asn15169", "google", "asn16509", "amazon02", "asn396982", "kansas city", "franchise url", "gmbh version", "status page", "service privacy", "legal", "impressum", "reverse dns", "general full", "url https", "resource", "hash", "protocol h2", "asn13335", "cloudflarenet", "software", "domains", "hashes", "learn", "issues tab", "value", "variables", "typeof function", "topropertykey", "bricksintersect", "bricksfunction", "domainpath name", "request chain", "chain", "nl page", "url history", "javascript", "page url", "redirected", "poweshell", "bruschettab", "mobsterstageda", "calzonec", "threat analyzer", "threat", "paste", "iocs", "hostnames", "beefpizzac", "superitaliansub", "cname", "msie", "chrome", "asnone united", "as6336 turn", "nxdomain", "whitelisted", "creation date", "turn", "body", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "registrar abuse", "iana id", "registrar url", "registrar whois", "contact email", "registry domain", "contact phone", "dnssec", "code", "type name", "win32 exe", "recreation", "whois record", "infected", "page dow", "poser", "scammer", "security", "malvertizing", "betting", "illegal activity", "linux", "teen porn", "child exploitation", "script urls", "a domains", "as10796 charter", "find your", "next franchise", "x content", "backend", "as13768 aptum", "moved", "passive dns", "urls", "as2635", "as14061", "scan endpoints", "all octoseek", "url http", "pulse pulses", "ip address", "related nids", "files location", "date hash", "avast avg", "nastya", "entries", "emotet", "windows nt", "show", "etpro trojan", "channel", "artemis", "medium", "delete", "copy", "virustotal", "trojan", "write", "trojanproxy", "vipre", "panda", "malware", "malware infection", "dga", "algorithm generated domains", "command and control", "pe32 executable", "tag", "tagging", "porn tagging", "as3356 level", "tahoma arial", "servers", "as1136 kpn", "next", "et", "remote", "confirm http", "sectrack", "openssl", "fulldisc", "secunia", "confirm https", "openssl tls", "multiple", "remote", "misc https", "impact", "heartbleed", "external source", "name hyperlink", "hp hpsbmu02998", "hp hpsbmu03019", "hp hpsbmu03030", "hp hpsbmu03018", "title", "lowfi", "title error", "body doctype", "html public", "w3cdtd html", "html head", "mozilla", "720.282.2025", "masquerading", "ninite feb", "mtb feb", "telper", "trojandropper", "ninite", "create c", "read c", "default", "create", "unicode", "dock", "xport" ], "references": [ "www.gambinospizza.com", "0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com", "https://play.google.com/store/apps/details?id=com.e9117073d4e0.www", "targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd", "https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu", "http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu", "theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com", "https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site", "http://porn.toplistcreator.eu/in.php", "ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63", "Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10", "https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110", "http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD", "CVE-2014-0160 \u2022 CVE-2017-11882", "a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com", "animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "XLS:Nastya\\ [Trj]", "display_name": "XLS:Nastya\\ [Trj]", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Crypt4.YGM", "display_name": "Crypt4.YGM", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Heartbleed Bug", "display_name": "Heartbleed Bug", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 118, "FileHash-SHA1": 106, "domain": 3271, "hostname": 2451, "URL": 8652, "email": 8, "FileHash-SHA256": 3153, "CVE": 4 }, "indicator_count": 17763, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://admin.havesme.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://admin.havesme.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776629971.881366 }