{ "type": "URL", "indicator": "https://allkolya.top/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://allkolya.top/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4103389820, "indicator": "https://allkolya.top/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68851d56edbe226314c31445", "name": "LinuxTsunami - Mirai_Botnet_Malware", "description": "[EXE:CPUByteOrder - Little endian]\n\u2022 ELF:Mirai-APD\\ [Trj]\n\u2022 Unix.Trojan.Mirai-1\nIDS Detections: SUSPICIOUS Path to BusyBox TELNET login failed ||\n\u2022 Yara Detections: Mirai_Botnet_Malware , SUSP_XORed_Mozilla , is__elf , Linux_Mirai Alerts dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout ||\n\nInteresting: 162.93.126.142\nLocation: \nUnited States of America\n[ASN: AS6949 charles schwab & co inc]\n*Unix.Trojan.Mirai-1\n\nAssociated Files: [5e2b1e9f7aa3dbfe8494a1ffd30e8a552f06d47f03e8ce17d4fb3b63c67991a1] \u2022 ELF:Mirai-APD\\ [Trj]\t\t\u2022 Unix.Trojan.Mirai-1 || 5\n\u2022 Backdoor:Linux/Tsunami.C!MTB\nIDS Detections:\nIRC Nick change on non-standard port\nTeamTNT IRC Bot Joining Channel\nIRC Channel JOIN on non-standard port\nIRC authorization message\nYara Detections:\nis__elf ||\n\nLinuxTsunami\nAlerts: \nnetwork_irc\nnolookup_communication\nIP\u2019s Contacted:\n194.31.98.17\nDomains Contacted:\nc6a7d807.vpn.njalla.net\n#hackers #lawfirms #mirai #botnets #remote_control #quasi", "modified": "2025-08-25T17:00:22.985000", "created": "2025-07-26T18:24:22.495000", "tags": [ "pulse", "http", "ip address", "passive dns", "related nids", "urls", "files location", "czechia flag", "czechia related", "pulses otx", "ipv4 add", "pulse pulses", "files", "hosting", "czechia asn", "as2118", "pulses", "related tags", "port", "destination", "light", "high", "tcp syn", "meerkat", "resolverror", "yara detections", "malware", "icmp traffic", "path", "copy", "pv4 add", "pulse submit", "url analysis", "location united", "america flag", "united", "america asn", "ck id", "name tactics", "suspicious", "informative", "learn", "spawns", "command", "found", "defense evasion", "t1480 execution", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "ascii text", "pattern match", "mitre att", "show technique", "null", "refresh", "body", "span", "hybrid", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "google safe", "browsing", "windows error", "april", "october", "september", "sandbox reports", "rejectedfailed", "timestamp input", "message status", "actions april", "june", "august", "july", "internal error", "entries", "show", "search", "backdoor", "teamtnt irc", "bot joining", "intel", "notice", "irc server", "tsunami", "domain", "creation date", "privacy inc", "customer", "domain add", "p address", "process details", "domains", "a domains", "script urls", "date", "status", "meta", "ov ssl", "record value", "showing", "certificate", "hostname add", "present may", "present jun", "present oct", "present jul", "present mar", "present nov", "present sep", "present feb", "next associated", "urls show", "date checked", "url hostname", "server response" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 73, "FileHash-SHA1": 77, "FileHash-SHA256": 404, "URL": 647, "domain": 124, "hostname": 487, "CVE": 1, "email": 3 }, "indicator_count": 1816, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688398926252d91f97c75b05", "name": "Registrar Abuse \u2022 Typosquatting \u2022 Masquerading -suspected with PalantirFoundry.com links", "description": "Registrar Abuse \u2022 Typosquatting \u2022 Masquerading - possible? re:PalantirFoundry.com links registered by \u2018Palantir Technologies Inc.\u2019 I\u2019ve included 200 + palantirfoundry.com links.\nThe product is sold, I don\u2019t know if product can be rebranded, private labeled. Finding requires much more research. I have no option but to suspect any link palantirfoundry.com may be registrar abuse and masquerading as seen before. Most of the connections are have changed or moved. The damage these links do is as stated in previous pulses, dangerous, spyware with nothing changed the amount of damage, danger or the maliciousness of threat actor. Everything malicious result found re: recently pulsed palantirfoundry.com are accurate. ||\n(https://edenglobalpartners.palantirfoundry.com/multipass/login/all?redirect-uri=%2Fworkspace)\nredirects to Palantir branded website [https://hybrid-analysis.com/sample/e844b801e1c217720ff8c81b2ba47f6e14796f635d2dc430fd8813354310cf34/688391055d0c6d5b770f18d8]", "modified": "2025-08-24T14:04:57.110000", "created": "2025-07-25T14:45:38.136000", "tags": [ "url https", "url http", "gather victim", "run keys", "startup", "folder", "t1057", "discovery", "t1071", "protocol", "united", "sweden", "germany", "search", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "extr data", "include review", "exclude", "sugges data", "uniy incuue", "mitre att", "present jul", "status", "date", "united kingdom", "unknown a", "moved", "certificate", "ip address", "body", "passive dns", "urls", "creation date", "emails", "files", "domain", "files ip", "address", "location united", "asn as16509", "entries", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "read c", "medium", "flashpix", "show", "showing", "delete", "yara detections", "icmp traffic", "registry", "python", "write", "persistence", "execution", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "development att", "show process", "prefetch8", "show technique", "ck matrix", "localappdata", "process", "pattern match", "general", "hybrid", "path", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 750, "domain": 67, "hostname": 631, "FileHash-MD5": 25, "FileHash-SHA1": 9, "email": 4, "FileHash-SHA256": 219, "SSLCertFingerprint": 2 }, "indicator_count": 1707, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 11057 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/allkolya.top", "whois": "http://whois.domaintools.com/allkolya.top", "domain": "allkolya.top", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68851d56edbe226314c31445", "name": "LinuxTsunami - Mirai_Botnet_Malware", "description": "[EXE:CPUByteOrder - Little endian]\n\u2022 ELF:Mirai-APD\\ [Trj]\n\u2022 Unix.Trojan.Mirai-1\nIDS Detections: SUSPICIOUS Path to BusyBox TELNET login failed ||\n\u2022 Yara Detections: Mirai_Botnet_Malware , SUSP_XORed_Mozilla , is__elf , Linux_Mirai Alerts dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout ||\n\nInteresting: 162.93.126.142\nLocation: \nUnited States of America\n[ASN: AS6949 charles schwab & co inc]\n*Unix.Trojan.Mirai-1\n\nAssociated Files: [5e2b1e9f7aa3dbfe8494a1ffd30e8a552f06d47f03e8ce17d4fb3b63c67991a1] \u2022 ELF:Mirai-APD\\ [Trj]\t\t\u2022 Unix.Trojan.Mirai-1 || 5\n\u2022 Backdoor:Linux/Tsunami.C!MTB\nIDS Detections:\nIRC Nick change on non-standard port\nTeamTNT IRC Bot Joining Channel\nIRC Channel JOIN on non-standard port\nIRC authorization message\nYara Detections:\nis__elf ||\n\nLinuxTsunami\nAlerts: \nnetwork_irc\nnolookup_communication\nIP\u2019s Contacted:\n194.31.98.17\nDomains Contacted:\nc6a7d807.vpn.njalla.net\n#hackers #lawfirms #mirai #botnets #remote_control #quasi", "modified": "2025-08-25T17:00:22.985000", "created": "2025-07-26T18:24:22.495000", "tags": [ "pulse", "http", "ip address", "passive dns", "related nids", "urls", "files location", "czechia flag", "czechia related", "pulses otx", "ipv4 add", "pulse pulses", "files", "hosting", "czechia asn", "as2118", "pulses", "related tags", "port", "destination", "light", "high", "tcp syn", "meerkat", "resolverror", "yara detections", "malware", "icmp traffic", "path", "copy", "pv4 add", "pulse submit", "url analysis", "location united", "america flag", "united", "america asn", "ck id", "name tactics", "suspicious", "informative", "learn", "spawns", "command", "found", "defense evasion", "t1480 execution", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "ascii text", "pattern match", "mitre att", "show technique", "null", "refresh", "body", "span", "hybrid", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "google safe", "browsing", "windows error", "april", "october", "september", "sandbox reports", "rejectedfailed", "timestamp input", "message status", "actions april", "june", "august", "july", "internal error", "entries", "show", "search", "backdoor", "teamtnt irc", "bot joining", "intel", "notice", "irc server", "tsunami", "domain", "creation date", "privacy inc", "customer", "domain add", "p address", "process details", "domains", "a domains", "script urls", "date", "status", "meta", "ov ssl", "record value", "showing", "certificate", "hostname add", "present may", "present jun", "present oct", "present jul", "present mar", "present nov", "present sep", "present feb", "next associated", "urls show", "date checked", "url hostname", "server response" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 73, "FileHash-SHA1": 77, "FileHash-SHA256": 404, "URL": 647, "domain": 124, "hostname": 487, "CVE": 1, "email": 3 }, "indicator_count": 1816, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688398926252d91f97c75b05", "name": "Registrar Abuse \u2022 Typosquatting \u2022 Masquerading -suspected with PalantirFoundry.com links", "description": "Registrar Abuse \u2022 Typosquatting \u2022 Masquerading - possible? re:PalantirFoundry.com links registered by \u2018Palantir Technologies Inc.\u2019 I\u2019ve included 200 + palantirfoundry.com links.\nThe product is sold, I don\u2019t know if product can be rebranded, private labeled. Finding requires much more research. I have no option but to suspect any link palantirfoundry.com may be registrar abuse and masquerading as seen before. Most of the connections are have changed or moved. The damage these links do is as stated in previous pulses, dangerous, spyware with nothing changed the amount of damage, danger or the maliciousness of threat actor. Everything malicious result found re: recently pulsed palantirfoundry.com are accurate. ||\n(https://edenglobalpartners.palantirfoundry.com/multipass/login/all?redirect-uri=%2Fworkspace)\nredirects to Palantir branded website [https://hybrid-analysis.com/sample/e844b801e1c217720ff8c81b2ba47f6e14796f635d2dc430fd8813354310cf34/688391055d0c6d5b770f18d8]", "modified": "2025-08-24T14:04:57.110000", "created": "2025-07-25T14:45:38.136000", "tags": [ "url https", "url http", "gather victim", "run keys", "startup", "folder", "t1057", "discovery", "t1071", "protocol", "united", "sweden", "germany", "search", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "extr data", "include review", "exclude", "sugges data", "uniy incuue", "mitre att", "present jul", "status", "date", "united kingdom", "unknown a", "moved", "certificate", "ip address", "body", "passive dns", "urls", "creation date", "emails", "files", "domain", "files ip", "address", "location united", "asn as16509", "entries", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "read c", "medium", "flashpix", "show", "showing", "delete", "yara detections", "icmp traffic", "registry", "python", "write", "persistence", "execution", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "development att", "show process", "prefetch8", "show technique", "ck matrix", "localappdata", "process", "pattern match", "general", "hybrid", "path", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 750, "domain": 67, "hostname": 631, "FileHash-MD5": 25, "FileHash-SHA1": 9, "email": 4, "FileHash-SHA256": 219, "SSLCertFingerprint": 2 }, "indicator_count": 1707, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://allkolya.top/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://allkolya.top/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776639435.7956834 }