{
"type": "URL",
"indicator": "https://analytics.pangle-ads.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://analytics.pangle-ads.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3948619293,
"indicator": "https://analytics.pangle-ads.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 5,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686b074599cb3cfbd5813614",
"name": "TikTok - Win32:RansomX-gen [Ransom]",
"description": "#ransom/lockfile.mk #trojan #zombie#ransom #malicious #malware #malicious #intel #apple #ios #ai #malware",
"modified": "2025-08-05T23:03:23.051000",
"created": "2025-07-06T23:31:17.865000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 803,
"domain": 246,
"FileHash-SHA256": 1979,
"FileHash-MD5": 31,
"URL": 1664,
"FileHash-SHA1": 34,
"CIDR": 3,
"email": 3,
"CVE": 2
},
"indicator_count": 4765,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "298 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "684a3719a2708183b1b16d00",
"name": "Follow Bot (black-basta_cova_cryptb) affects threat researcher(s)account(s)",
"description": "Surprised: \nFollow bot account affects threat researcher(s)account(s). % path , attempts DoS. Threatening account name,. \n\n\n(00285c99b52d41679b1aa3b8a80895b037df8a7500f4ad97ce06068eac4a95b7 | =\nfollow) \n|| {2025-05-20_bf3a6ba6e3421a7214ffbfe97642a578_amadey_black-basta_cova_cryptbot_elex_luca-stealer\nFastCopy5.9.0.exe}\n\nET DNS Query for .cc \n PROTOCOL-ICMP PATH MTU denial of service attempt\nPROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set",
"modified": "2025-07-12T01:02:11.925000",
"created": "2025-06-12T02:10:33.839000",
"tags": [
"gtmkvjvztk",
"open threat",
"learn",
"levelblue",
"exchange meta",
"tags twitter",
"alienvault",
"script tags",
"iframe tags",
"google tag",
"html internet",
"html document",
"ascii text",
"ta0004 defense",
"evasion ta0005",
"command",
"control ta0011",
"number",
"cnmicrosoft ecc",
"update secure",
"server ca",
"cus subject",
"stwa lredmond",
"omicrosoft c",
"resolved ips",
"get http",
"dns resolutions",
"request",
"response",
"windows nt",
"win64",
"khtml",
"gecko",
"defense evasion",
"ta0009 command",
"impact ta0040",
"catalog tree",
"analysis ob0001",
"analysis ob0002",
"ob0007 impact",
"ob0012 file",
"system oc0001",
"process oc0003",
"data oc0004",
"oc0008",
"get https",
"vis1",
"oid2",
"post https",
"cjutxg",
"base64uidenc",
"error https"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 162,
"FileHash-SHA1": 28,
"FileHash-SHA256": 2459,
"domain": 889,
"hostname": 1217,
"URL": 4326,
"FilePath": 1
},
"indicator_count": 9082,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "323 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "66ce3eb4b4f1fc9eafb4b572",
"name": "DDoS:Linux/Lightaidra | Mirai Botnet on US a State Computer",
"description": "*Mirai Botnet on Colorado State computer. Im starting to wonder if potential problem cases are diverted to a botnet.\n1. Overlaps with a Colorado victim. Similar issues. I Recently became a senior in expensive Colorado, never compensated for workers compensation injury exacerbated when suddenly tossed a 60 lb weighted ball under care. Denied diagnoses of severe injury after toss. Complained, case closed, lawyers denied case after accepting case. Referred to JeffCo seeking assisted living resources. Was sent various packets with a variety of phone numbers, email addresses, etc. She keeps speaking to same man no matter what option chosen. Denied workforce training due to severity of injuries, No SSI or SSDI until years later. \n2. I can't pulse half of what I've researched without using multiple resources. No more 'contacted' made when new serious issues found. Pulses being modified. I rarely modify any pulse.",
"modified": "2024-09-26T20:01:27.723000",
"created": "2024-08-27T21:01:40.251000",
"tags": [
"memcommit",
"read c",
"nospltezraxuf",
"writeconsolea",
"write",
"CVE-2023-22518",
"tesla",
"ye ye",
"incapril",
"yed ye",
"yet ye",
"yexe ye",
"security",
"search",
"function read",
"dll read",
"installer",
"april",
"copy",
"win32",
"template",
"creation date",
"servers",
"passive dns",
"urls",
"name servers",
"scan endpoints",
"all scoreblue",
"hostname",
"pulse pulses",
"date",
"windows",
"medium",
"shellexecuteexw",
"hash",
"show",
"writeconsolew",
"entries",
"displayname",
"sddl",
"service",
"august",
"malware",
"url http",
"http",
"ip address",
"related nids",
"files location",
"domain",
"status",
"nxdomain",
"whitelisted",
"certificate",
"backdoor",
"record value",
"body",
"as15133 verizon",
"united",
"unknown",
"mtb aug",
"gmt server",
"ecacc sed5906",
"ransom",
"trojan",
"high",
"cname",
"as8075",
"ipv4",
"files",
"asn as55720",
"date hash",
"default",
"delete",
"yara detections",
"msvisualcpp60",
"related pulses",
"rootkit",
"as16276",
"canada unknown",
"pulses",
"expiration date",
"exploit",
"showing",
"aaaa",
"france unknown",
"mtb sep",
"worm",
"msil",
"mirai",
"as36081 state",
"reverse dns",
"port",
"destination",
"south korea",
"taiwan as3462",
"as4766 korea",
"asnone",
"japan as17676",
"china as4134",
"china as4837",
"file samples",
"files matching",
"next",
"copyright",
"levelblue",
"as20940",
"as15169 google",
"ave suite",
"purpose p5",
"country united",
"code us",
"as41231",
"united kingdom",
"ddos",
"sha256",
"filehash",
"av detections",
"location london",
"great britain",
"gnulinux apt",
"yara rule",
"ids detections",
"top source",
"address",
"as23969",
"thailand"
],
"references": [
"In this instance a senior citizen needing assisted living resources redirected & social engineered by addresses originated from: jefferson.co.us",
"Noted: Calls redirected, call jumps ahead of 25+ callers in wait, keeps getting same agent, told approved for services never applied for or received",
"Exploits: IPv4 20.99.186.246 | 52.109.0.140 | CVE CVE-2023-22518 | Trojans: AgentTesla.KM , Cobalt Strike , Ransom: WannaCrypt , Malware: Dxqo",
"Domain Name: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM Emails: BotnetSinkhole@gmail.com",
"Emails: abuse@namecheap.com Name: Botnet Sinkhole | Address: Botnet Sinkhole City: Los Angeles Country: USA",
"Dnssec:Unsigned | Name Servers | BRUCE.NS.CLOUDFLARE.COM",
"Notable: Mirai - 192.70.175.110 Security Operations (DORA?) oit_isocsecurity@state.co.us | state.co.us | Reverse DNS dns1.state.co.us",
"Unix.Trojan.Mirai-6976991-0 : FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c",
"ELF:Mirai-AII\\ [Trj] | FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9",
"Overlaps: 4 others mailed information email address.",
"Ransom:Win32/WannaCrypt.H",
"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | CVE-2017-0147",
"AS36081 State of Colorado General Government Computer",
"Yara Detections Mirai_Botnet_Malware Alerts: dead_host network_icmp osquery_detection nolookup_communication",
"ELF:Mirai-AII\\ [Trj] | FileHash-SHA256: 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9",
"Detections Executable and linking format (ELF) file download Over HTTP |",
"FileHash-SHA256 : 256760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9",
"Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]",
"77882 IP\u2019s Contacted: 1.1.69.67 1.10.237.208 1.101.233.31 1.102.46.59 1.103.37.126 1.105.106.252 1.106.108.182 1.106.193.143 1.109.132.165 1.11.116.209",
"Domains Contacted: ntp.ubuntu.com | IDS Detections GNU/Linux APT User-Agent Outbound likely related to package management | 91.189.89.198",
"Yara Detections: gafgyt IP\u2019s Contacted: 91.189.89.198 Domains Contacted :ntp.ubuntu.com",
"FileHash-SHA256: a0f50a7b0f9717589000b3414017bdcfcb9d3f6a3e5e03fe49c4dc8035e0d25c",
"Related Domains: townofignacio.com | coloradoagriculture.com | coloradoworkforce.com | coworkforce.com | coloradoccjj.com | dns1.state.co.us",
"https://www.rapidinterviews.com/api/jobs/redirect/public-transit-bus-drivers-with-utah-transit-authority-in-stansbury-park-apc-1932",
"https://us.thebigjobsite.com/redirectfeedjob?jobid=2A5F97A6BAE0AA90DC418C2119E1E0EB&source=onestepjobsxmlus&utm_source=onestepjobsxmlus&jobSiteK",
"redirect.wuxs.icu",
"https://a-a.redirector.navexglobal.com/navex_hosting/404.html",
"https://engage.navexglobal.com/topclass1/login.do?redirectTo=/expand.do?template=JasperReports&view=library"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:Trojan:MSIL/AgentTesla.KM",
"display_name": "ALF:Trojan:MSIL/AgentTesla.KM",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Malware.Dxqo-6984072-0",
"display_name": "Win.Malware.Dxqo-6984072-0",
"target": null
},
{
"id": "Ransom:Win32/WannaCrypt",
"display_name": "Ransom:Win32/WannaCrypt",
"target": "/malware/Ransom:Win32/WannaCrypt"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Backdoor:Win32/Fynloski",
"display_name": "Backdoor:Win32/Fynloski",
"target": "/malware/Backdoor:Win32/Fynloski"
},
{
"id": "Worm:Win32/Mofksys",
"display_name": "Worm:Win32/Mofksys",
"target": "/malware/Worm:Win32/Mofksys"
},
{
"id": "TELPER:DDoS:Linux/Lightaidra",
"display_name": "TELPER:DDoS:Linux/Lightaidra",
"target": null
}
],
"attack_ids": [
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1009",
"name": "Binary Padding",
"display_name": "T1009 - Binary Padding"
},
{
"id": "T1499",
"name": "Endpoint Denial of Service",
"display_name": "T1499 - Endpoint Denial of Service"
},
{
"id": "T1498",
"name": "Network Denial of Service",
"display_name": "T1498 - Network Denial of Service"
},
{
"id": "T1464",
"name": "Jamming or Denial of Service",
"display_name": "T1464 - Jamming or Denial of Service"
}
],
"industries": [
"Telecom"
],
"TLP": "green",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"FileHash-MD5": 675,
"FileHash-SHA1": 664,
"FileHash-SHA256": 3327,
"URL": 2448,
"domain": 656,
"hostname": 1281,
"email": 11
},
"indicator_count": 9064,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 232,
"modified_text": "612 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"In this instance a senior citizen needing assisted living resources redirected & social engineered by addresses originated from: jefferson.co.us",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | CVE-2017-0147",
"ELF:Mirai-AII\\ [Trj] | FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"Related Domains: townofignacio.com | coloradoagriculture.com | coloradoworkforce.com | coworkforce.com | coloradoccjj.com | dns1.state.co.us",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://es.pornhat.com/models/the-sex-creator/",
"Emails: abuse@namecheap.com Name: Botnet Sinkhole | Address: Botnet Sinkhole City: Los Angeles Country: USA",
"https://meumundogay-com.sexogratis.page/locker",
"iamrobert.com Y.A.S.",
"Ransom:Win32/WannaCrypt.H",
"Notable: Mirai - 192.70.175.110 Security Operations (DORA?) oit_isocsecurity@state.co.us | state.co.us | Reverse DNS dns1.state.co.us",
"Domain Name: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM Emails: BotnetSinkhole@gmail.com",
"Domains Contacted: ntp.ubuntu.com | IDS Detections GNU/Linux APT User-Agent Outbound likely related to package management | 91.189.89.198",
"Can the DoD no questions asked target a SA victim",
"ELF:Mirai-AII\\ [Trj] | FileHash-SHA256: 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"Dnssec:Unsigned | Name Servers | BRUCE.NS.CLOUDFLARE.COM",
"There is fear in silence or speaking out",
"FileHash-SHA256 : 256760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9",
"Unix.Trojan.Mirai-6976991-0 : FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c",
"I am very upset. Whoever is doing this is sick.",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"https://www.rapidinterviews.com/api/jobs/redirect/public-transit-bus-drivers-with-utah-transit-authority-in-stansbury-park-apc-1932",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"Noted: Calls redirected, call jumps ahead of 25+ callers in wait, keeps getting same agent, told approved for services never applied for or received",
"Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]",
"https://us.thebigjobsite.com/redirectfeedjob?jobid=2A5F97A6BAE0AA90DC418C2119E1E0EB&source=onestepjobsxmlus&utm_source=onestepjobsxmlus&jobSiteK",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"77882 IP\u2019s Contacted: 1.1.69.67 1.10.237.208 1.101.233.31 1.102.46.59 1.103.37.126 1.105.106.252 1.106.108.182 1.106.193.143 1.109.132.165 1.11.116.209",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"Yara Detections: gafgyt IP\u2019s Contacted: 91.189.89.198 Domains Contacted :ntp.ubuntu.com",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"Target agreed and complied with all lie detector measures.",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"Yara Detections Mirai_Botnet_Malware Alerts: dead_host network_icmp osquery_detection nolookup_communication",
"If someone is believed to be a threat they have right to due process.",
"Exploits: IPv4 20.99.186.246 | 52.109.0.140 | CVE CVE-2023-22518 | Trojans: AgentTesla.KM , Cobalt Strike , Ransom: WannaCrypt , Malware: Dxqo",
"Detections Executable and linking format (ELF) file download Over HTTP |",
"redirect.wuxs.icu",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"AS36081 State of Colorado General Government Computer",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"FileHash-SHA256: a0f50a7b0f9717589000b3414017bdcfcb9d3f6a3e5e03fe49c4dc8035e0d25c",
"https://a-a.redirector.navexglobal.com/navex_hosting/404.html",
"https://engage.navexglobal.com/topclass1/login.do?redirectTo=/expand.do?template=JasperReports&view=library",
"Overlaps: 4 others mailed information email address.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Telper:ddos:linux/lightaidra",
"Win.trojan.cobaltstrike-9044898-1",
"Alf:trojan:msil/agenttesla.km",
"Worm:win32/mofksys",
"Win.malware.dxqo-6984072-0",
"Malware",
"Apnic",
"Ransom:win32/wannacrypt",
"Backdoor:win32/fynloski",
"Mirai"
],
"industries": [
"Telecom"
],
"unique_indicators": 41425
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/pangle-ads.com",
"whois": "http://whois.domaintools.com/pangle-ads.com",
"domain": "pangle-ads.com",
"hostname": "analytics.pangle-ads.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 5,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686b074599cb3cfbd5813614",
"name": "TikTok - Win32:RansomX-gen [Ransom]",
"description": "#ransom/lockfile.mk #trojan #zombie#ransom #malicious #malware #malicious #intel #apple #ios #ai #malware",
"modified": "2025-08-05T23:03:23.051000",
"created": "2025-07-06T23:31:17.865000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 803,
"domain": 246,
"FileHash-SHA256": 1979,
"FileHash-MD5": 31,
"URL": 1664,
"FileHash-SHA1": 34,
"CIDR": 3,
"email": 3,
"CVE": 2
},
"indicator_count": 4765,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "298 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "684a3719a2708183b1b16d00",
"name": "Follow Bot (black-basta_cova_cryptb) affects threat researcher(s)account(s)",
"description": "Surprised: \nFollow bot account affects threat researcher(s)account(s). % path , attempts DoS. Threatening account name,. \n\n\n(00285c99b52d41679b1aa3b8a80895b037df8a7500f4ad97ce06068eac4a95b7 | =\nfollow) \n|| {2025-05-20_bf3a6ba6e3421a7214ffbfe97642a578_amadey_black-basta_cova_cryptbot_elex_luca-stealer\nFastCopy5.9.0.exe}\n\nET DNS Query for .cc \n PROTOCOL-ICMP PATH MTU denial of service attempt\nPROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set",
"modified": "2025-07-12T01:02:11.925000",
"created": "2025-06-12T02:10:33.839000",
"tags": [
"gtmkvjvztk",
"open threat",
"learn",
"levelblue",
"exchange meta",
"tags twitter",
"alienvault",
"script tags",
"iframe tags",
"google tag",
"html internet",
"html document",
"ascii text",
"ta0004 defense",
"evasion ta0005",
"command",
"control ta0011",
"number",
"cnmicrosoft ecc",
"update secure",
"server ca",
"cus subject",
"stwa lredmond",
"omicrosoft c",
"resolved ips",
"get http",
"dns resolutions",
"request",
"response",
"windows nt",
"win64",
"khtml",
"gecko",
"defense evasion",
"ta0009 command",
"impact ta0040",
"catalog tree",
"analysis ob0001",
"analysis ob0002",
"ob0007 impact",
"ob0012 file",
"system oc0001",
"process oc0003",
"data oc0004",
"oc0008",
"get https",
"vis1",
"oid2",
"post https",
"cjutxg",
"base64uidenc",
"error https"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 162,
"FileHash-SHA1": 28,
"FileHash-SHA256": 2459,
"domain": 889,
"hostname": 1217,
"URL": 4326,
"FilePath": 1
},
"indicator_count": 9082,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "323 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "66ce3eb4b4f1fc9eafb4b572",
"name": "DDoS:Linux/Lightaidra | Mirai Botnet on US a State Computer",
"description": "*Mirai Botnet on Colorado State computer. Im starting to wonder if potential problem cases are diverted to a botnet.\n1. Overlaps with a Colorado victim. Similar issues. I Recently became a senior in expensive Colorado, never compensated for workers compensation injury exacerbated when suddenly tossed a 60 lb weighted ball under care. Denied diagnoses of severe injury after toss. Complained, case closed, lawyers denied case after accepting case. Referred to JeffCo seeking assisted living resources. Was sent various packets with a variety of phone numbers, email addresses, etc. She keeps speaking to same man no matter what option chosen. Denied workforce training due to severity of injuries, No SSI or SSDI until years later. \n2. I can't pulse half of what I've researched without using multiple resources. No more 'contacted' made when new serious issues found. Pulses being modified. I rarely modify any pulse.",
"modified": "2024-09-26T20:01:27.723000",
"created": "2024-08-27T21:01:40.251000",
"tags": [
"memcommit",
"read c",
"nospltezraxuf",
"writeconsolea",
"write",
"CVE-2023-22518",
"tesla",
"ye ye",
"incapril",
"yed ye",
"yet ye",
"yexe ye",
"security",
"search",
"function read",
"dll read",
"installer",
"april",
"copy",
"win32",
"template",
"creation date",
"servers",
"passive dns",
"urls",
"name servers",
"scan endpoints",
"all scoreblue",
"hostname",
"pulse pulses",
"date",
"windows",
"medium",
"shellexecuteexw",
"hash",
"show",
"writeconsolew",
"entries",
"displayname",
"sddl",
"service",
"august",
"malware",
"url http",
"http",
"ip address",
"related nids",
"files location",
"domain",
"status",
"nxdomain",
"whitelisted",
"certificate",
"backdoor",
"record value",
"body",
"as15133 verizon",
"united",
"unknown",
"mtb aug",
"gmt server",
"ecacc sed5906",
"ransom",
"trojan",
"high",
"cname",
"as8075",
"ipv4",
"files",
"asn as55720",
"date hash",
"default",
"delete",
"yara detections",
"msvisualcpp60",
"related pulses",
"rootkit",
"as16276",
"canada unknown",
"pulses",
"expiration date",
"exploit",
"showing",
"aaaa",
"france unknown",
"mtb sep",
"worm",
"msil",
"mirai",
"as36081 state",
"reverse dns",
"port",
"destination",
"south korea",
"taiwan as3462",
"as4766 korea",
"asnone",
"japan as17676",
"china as4134",
"china as4837",
"file samples",
"files matching",
"next",
"copyright",
"levelblue",
"as20940",
"as15169 google",
"ave suite",
"purpose p5",
"country united",
"code us",
"as41231",
"united kingdom",
"ddos",
"sha256",
"filehash",
"av detections",
"location london",
"great britain",
"gnulinux apt",
"yara rule",
"ids detections",
"top source",
"address",
"as23969",
"thailand"
],
"references": [
"In this instance a senior citizen needing assisted living resources redirected & social engineered by addresses originated from: jefferson.co.us",
"Noted: Calls redirected, call jumps ahead of 25+ callers in wait, keeps getting same agent, told approved for services never applied for or received",
"Exploits: IPv4 20.99.186.246 | 52.109.0.140 | CVE CVE-2023-22518 | Trojans: AgentTesla.KM , Cobalt Strike , Ransom: WannaCrypt , Malware: Dxqo",
"Domain Name: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM Emails: BotnetSinkhole@gmail.com",
"Emails: abuse@namecheap.com Name: Botnet Sinkhole | Address: Botnet Sinkhole City: Los Angeles Country: USA",
"Dnssec:Unsigned | Name Servers | BRUCE.NS.CLOUDFLARE.COM",
"Notable: Mirai - 192.70.175.110 Security Operations (DORA?) oit_isocsecurity@state.co.us | state.co.us | Reverse DNS dns1.state.co.us",
"Unix.Trojan.Mirai-6976991-0 : FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c",
"ELF:Mirai-AII\\ [Trj] | FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9",
"Overlaps: 4 others mailed information email address.",
"Ransom:Win32/WannaCrypt.H",
"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | CVE-2017-0147",
"AS36081 State of Colorado General Government Computer",
"Yara Detections Mirai_Botnet_Malware Alerts: dead_host network_icmp osquery_detection nolookup_communication",
"ELF:Mirai-AII\\ [Trj] | FileHash-SHA256: 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9",
"Detections Executable and linking format (ELF) file download Over HTTP |",
"FileHash-SHA256 : 256760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9",
"Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]",
"77882 IP\u2019s Contacted: 1.1.69.67 1.10.237.208 1.101.233.31 1.102.46.59 1.103.37.126 1.105.106.252 1.106.108.182 1.106.193.143 1.109.132.165 1.11.116.209",
"Domains Contacted: ntp.ubuntu.com | IDS Detections GNU/Linux APT User-Agent Outbound likely related to package management | 91.189.89.198",
"Yara Detections: gafgyt IP\u2019s Contacted: 91.189.89.198 Domains Contacted :ntp.ubuntu.com",
"FileHash-SHA256: a0f50a7b0f9717589000b3414017bdcfcb9d3f6a3e5e03fe49c4dc8035e0d25c",
"Related Domains: townofignacio.com | coloradoagriculture.com | coloradoworkforce.com | coworkforce.com | coloradoccjj.com | dns1.state.co.us",
"https://www.rapidinterviews.com/api/jobs/redirect/public-transit-bus-drivers-with-utah-transit-authority-in-stansbury-park-apc-1932",
"https://us.thebigjobsite.com/redirectfeedjob?jobid=2A5F97A6BAE0AA90DC418C2119E1E0EB&source=onestepjobsxmlus&utm_source=onestepjobsxmlus&jobSiteK",
"redirect.wuxs.icu",
"https://a-a.redirector.navexglobal.com/navex_hosting/404.html",
"https://engage.navexglobal.com/topclass1/login.do?redirectTo=/expand.do?template=JasperReports&view=library"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:Trojan:MSIL/AgentTesla.KM",
"display_name": "ALF:Trojan:MSIL/AgentTesla.KM",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Malware.Dxqo-6984072-0",
"display_name": "Win.Malware.Dxqo-6984072-0",
"target": null
},
{
"id": "Ransom:Win32/WannaCrypt",
"display_name": "Ransom:Win32/WannaCrypt",
"target": "/malware/Ransom:Win32/WannaCrypt"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Backdoor:Win32/Fynloski",
"display_name": "Backdoor:Win32/Fynloski",
"target": "/malware/Backdoor:Win32/Fynloski"
},
{
"id": "Worm:Win32/Mofksys",
"display_name": "Worm:Win32/Mofksys",
"target": "/malware/Worm:Win32/Mofksys"
},
{
"id": "TELPER:DDoS:Linux/Lightaidra",
"display_name": "TELPER:DDoS:Linux/Lightaidra",
"target": null
}
],
"attack_ids": [
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1009",
"name": "Binary Padding",
"display_name": "T1009 - Binary Padding"
},
{
"id": "T1499",
"name": "Endpoint Denial of Service",
"display_name": "T1499 - Endpoint Denial of Service"
},
{
"id": "T1498",
"name": "Network Denial of Service",
"display_name": "T1498 - Network Denial of Service"
},
{
"id": "T1464",
"name": "Jamming or Denial of Service",
"display_name": "T1464 - Jamming or Denial of Service"
}
],
"industries": [
"Telecom"
],
"TLP": "green",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"FileHash-MD5": 675,
"FileHash-SHA1": 664,
"FileHash-SHA256": 3327,
"URL": 2448,
"domain": 656,
"hostname": 1281,
"email": 11
},
"indicator_count": 9064,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 232,
"modified_text": "612 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://analytics.pangle-ads.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://analytics.pangle-ads.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780264321.874866
}