{
"type": "URL",
"indicator": "https://anandsingh.redlounge.io",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://anandsingh.redlounge.io",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4224736242,
"indicator": "https://anandsingh.redlounge.io",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 2,
"pulses": [
{
"id": "69da656a68549f39be14bd77",
"name": "Anonymous ai Chat guided as Duck.ai \u2022 DisableUAC \u2022 Drive by Compromise",
"description": "I decided to test most malicious devices I\u2019m researching. I tested 2 browsers on device, an anonymous version of chat GPT 5 popped up (drive by compromise). Labeled: duck.ai in browser bar. I chose to interact with something that came seemingly from nowhere. \n\nDuring each interaction a red recording button appeared. Screen recording in progress on device. I asked anonymous actor about the recording button. Response: \u2018That red square is the browser or site's visual indicator that the page is capturing input or has an active interactive state - it isn't me recording audio. Try these checks:\n\u2022 Look for a site-level microphone/camera permission prompt in your browser address bar.\u2019\n\nThe attackers must be associated with Tulach /\nNextCloud , likely angry that I researched the adversarial nature of the presence in malicious, deeply compromised media. \n\nConsequences: threat actors retaliating because their own behavior and existence in malicious media is being researched. \n#tulach #nextcloud #anonymous_ai_chat",
"modified": "2026-05-11T09:01:15.454000",
"created": "2026-04-11T15:14:50.815000",
"tags": [
"united",
"unknown ns",
"ip address",
"st kitts",
"gmt content",
"ai chat",
"all domain",
"encrypt",
"mtb mar",
"virtool",
"x frame",
"x xss",
"x content",
"gmt cache",
"twitter",
"win32",
"locale",
"extraction",
"gm cache",
"include data",
"review exclude",
"suggestadiacs",
"report spam",
"duckduckgo",
"url http",
"urls",
"all url",
"http",
"active",
"duck.ai",
"duckduckgo ai",
"private ai",
"chatbot",
"free ai",
"chat",
"anonymous ai",
"ai chat",
"no sign up",
"openai",
"anthropic",
"llama",
"mistral",
"open source",
"javascript",
"ai models",
"privacy focused",
"recording screen",
"ai",
"no account ai chat",
"data upload",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"development att",
"ssl certificate",
"over",
"defense evasion",
"mitre att",
"ck matrix",
"size",
"meta",
"april",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"dark",
"roboto",
"invisible",
"desktop",
"small",
"tls sni",
"contacted",
"filehash",
"ids detections",
"yara detections",
"alerts",
"file sharing",
"https domain",
"tls handshake",
"failure alerts",
"less ip",
"nextcloud",
"hackers",
"they mad",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"port",
"destination",
"malware",
"write",
"self",
"network_icmp",
"icmp traffic",
"passive dns",
"moved",
"netherlands",
"gmt server",
"gmt etag",
"user agent",
"all ipv4",
"pulse submit",
"url analysis",
"apache",
"accept",
"writeconsolea",
"script",
"read c",
"search",
"show",
"medium",
"html",
"high",
"form",
"create c",
"write c",
"registry",
"windows",
"delete c",
"tools",
"persistence",
"execution",
"dock",
"malicious",
"unknown"
],
"references": [
"duck.ai \u2022 https://duck.ai/chat phishing",
"go.trckclick.xyz \u2022 att.trk.173trk.com",
"anyconnect.online",
"ddg.gg \u2022 http://ddg.gg/?q=corezuelo \u2022 http://ddg.gg/?q=embozalar",
"files.catbox.moe",
"passwordresetalcb.accenture.cn",
"https://www.phantomcameras.cn.bscedge.com",
"www.cam4.page \u2022 campaigncdn.com \u2022 accesscam.org",
"loophole.outlook89.accesscam.org",
"https://www.phantomcameras.cn/applications/where/piv",
"https://www.phantomcameras.cn.bscedge.com",
"52.250.42.157 scanning_host",
"https://nextcloud.simonduffey.ch",
"https://nextcloud.paroxity.org/",
"http://mail.saynextapp.accesscam.org/",
"http://dict.bing.com.cn/cloudwidget/Scripts/Generated/BingTranslate_Hover_Phrase_Selection_ShowIcon.js';script.onload=INIT;document.body.appendChild(script",
"https://duck.ai/chat?q=tsara+brashears+hacked&t=iphone:",
"http://docs.duckduckhack.com/walkthroughs/programming-syntax.html",
"http://www.duckduckhack.com \u2022 docs.duckduckhack.com",
"http://docs.duckduckhack.com/frontend-reference/cheat-sheet-reference.html",
"https://duck.ai/apple-touch-icon.png",
"http://r13.c.lencr.org/24.crl \u2022 http://r13.i.lencr.org/",
"http://up.chenmin.org/login/jquery.min.js",
"ALF:HSTR:Trojan:Win32/DisableUAC.A!bit",
"Win.Packed.Reline-9875163-0",
"IDS Detections: OpenSSL Demo CA - Internet Widgits Pty (O)",
"Alerts: network_icmp nolookup_communication antisandbox_idletime antisandbox_sleep_exception",
"Alerts: antivm_generic_bios antivm_firmware antivm_vmware_in_instruction dumped_buffer",
"Alerts: network_cnc_http network_http nids_alert allocates_rwx antivm_network_adapters",
"Alerts: packer_entropy antivm_queries_computername checks_debugger console_output",
"Alerts: antivm_memory_available pe_features raises",
"IP\u2019s Contacted: 104.18.11.39 104.73.1.162 142.93.108.213 52.250.42.157 72.21.81.240",
"Domains Contacted: www.download.windowsupdate.com www.microsoft.com cacerts.digicert.com duckduckgo.com ,",
"Redline: https://otx.alienvault.com/otxapi/indicators/file/screenshot/316c67e7150c6841d0d40a180bba390793ffeb9edfb8ec0321e1a16e97f68722",
"https://www.mof.gov.cn.lxcvc.com/",
"https://cms.medicarementalhealthcheckin.gov.au",
"https://duck.ai/apple-touch-icon.png",
"edge-mobile-static.azureedge.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit",
"display_name": "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit",
"target": null
},
{
"id": "VirTool:MSIL/Mousewe.A!MTB",
"display_name": "VirTool:MSIL/Mousewe.A!MTB",
"target": "/malware/VirTool:MSIL/Mousewe.A!MTB"
},
{
"id": "Win.Packed.Reline-9875163-0",
"display_name": "Win.Packed.Reline-9875163-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1462",
"name": "Malicious Software Development Tools",
"display_name": "T1462 - Malicious Software Development Tools"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1181,
"FileHash-SHA1": 195,
"domain": 320,
"hostname": 529,
"FileHash-SHA256": 1702,
"FileHash-MD5": 201,
"SSLCertFingerprint": 8
},
"indicator_count": 4136,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "20 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"Alerts: network_cnc_http network_http nids_alert allocates_rwx antivm_network_adapters",
"ddg.gg \u2022 http://ddg.gg/?q=corezuelo \u2022 http://ddg.gg/?q=embozalar",
"https://duck.ai/chat?q=tsara+brashears+hacked&t=iphone:",
"http://dict.bing.com.cn/cloudwidget/Scripts/Generated/BingTranslate_Hover_Phrase_Selection_ShowIcon.js';script.onload=INIT;document.body.appendChild(script",
"http://up.chenmin.org/login/jquery.min.js",
"Redline: https://otx.alienvault.com/otxapi/indicators/file/screenshot/316c67e7150c6841d0d40a180bba390793ffeb9edfb8ec0321e1a16e97f68722",
"https://www.phantomcameras.cn/applications/where/piv",
"IDS Detections: OpenSSL Demo CA - Internet Widgits Pty (O)",
"edge-mobile-static.azureedge.net",
"passwordresetalcb.accenture.cn",
"http://r13.c.lencr.org/24.crl \u2022 http://r13.i.lencr.org/",
"go.trckclick.xyz \u2022 att.trk.173trk.com",
"http://docs.duckduckhack.com/walkthroughs/programming-syntax.html",
"https://l.us-1.a.mimecastprotect.com/l",
"ALF:HSTR:Trojan:Win32/DisableUAC.A!bit",
"http://mail.saynextapp.accesscam.org/",
"52.250.42.157 scanning_host",
"Win.Packed.Reline-9875163-0",
"Requires further research.",
"duck.ai \u2022 https://duck.ai/chat phishing",
"anyconnect.online",
"https://www.phantomcameras.cn.bscedge.com",
"Alerts: antivm_generic_bios antivm_firmware antivm_vmware_in_instruction dumped_buffer",
"https://cms.medicarementalhealthcheckin.gov.au",
"http://docs.duckduckhack.com/frontend-reference/cheat-sheet-reference.html",
"https://www.mof.gov.cn.lxcvc.com/",
"div>
",
"loophole.outlook89.accesscam.org",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"https://nextcloud.paroxity.org/",
"It appears there are 5-7 known affected that I was able to find",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"IP\u2019s Contacted: 104.18.11.39 104.73.1.162 142.93.108.213 52.250.42.157 72.21.81.240",
"Alerts: network_icmp nolookup_communication antisandbox_idletime antisandbox_sleep_exception",
"Alerts: antivm_memory_available pe_features raises",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"files.catbox.moe",
"Domains Contacted: www.download.windowsupdate.com www.microsoft.com cacerts.digicert.com duckduckgo.com ,",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"https://nextcloud.simonduffey.ch",
"Alerts: packer_entropy antivm_queries_computername checks_debugger console_output",
"http://www.duckduckhack.com \u2022 docs.duckduckhack.com",
"https://duck.ai/apple-touch-icon.png",
"www.cam4.page \u2022 campaigncdn.com \u2022 accesscam.org"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Win.packed.reline-9875163-0",
"Alf:hstr:trojan:win32/disableuac.a!bit",
"#lowfi:lua:dllsuspiciousexport.a",
"Trojan:win32/smkldr.h!mtb",
"Mydoom",
"Icedid",
"Win32:malware-gen",
"Virtool:msil/mousewe.a!mtb"
],
"industries": [
"Telecommunications",
"Technology",
"Telecom",
"Legal"
],
"unique_indicators": 16646
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/redlounge.io",
"whois": "http://whois.domaintools.com/redlounge.io",
"domain": "redlounge.io",
"hostname": "anandsingh.redlounge.io"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 2,
"pulses": [
{
"id": "69da656a68549f39be14bd77",
"name": "Anonymous ai Chat guided as Duck.ai \u2022 DisableUAC \u2022 Drive by Compromise",
"description": "I decided to test most malicious devices I\u2019m researching. I tested 2 browsers on device, an anonymous version of chat GPT 5 popped up (drive by compromise). Labeled: duck.ai in browser bar. I chose to interact with something that came seemingly from nowhere. \n\nDuring each interaction a red recording button appeared. Screen recording in progress on device. I asked anonymous actor about the recording button. Response: \u2018That red square is the browser or site's visual indicator that the page is capturing input or has an active interactive state - it isn't me recording audio. Try these checks:\n\u2022 Look for a site-level microphone/camera permission prompt in your browser address bar.\u2019\n\nThe attackers must be associated with Tulach /\nNextCloud , likely angry that I researched the adversarial nature of the presence in malicious, deeply compromised media. \n\nConsequences: threat actors retaliating because their own behavior and existence in malicious media is being researched. \n#tulach #nextcloud #anonymous_ai_chat",
"modified": "2026-05-11T09:01:15.454000",
"created": "2026-04-11T15:14:50.815000",
"tags": [
"united",
"unknown ns",
"ip address",
"st kitts",
"gmt content",
"ai chat",
"all domain",
"encrypt",
"mtb mar",
"virtool",
"x frame",
"x xss",
"x content",
"gmt cache",
"twitter",
"win32",
"locale",
"extraction",
"gm cache",
"include data",
"review exclude",
"suggestadiacs",
"report spam",
"duckduckgo",
"url http",
"urls",
"all url",
"http",
"active",
"duck.ai",
"duckduckgo ai",
"private ai",
"chatbot",
"free ai",
"chat",
"anonymous ai",
"ai chat",
"no sign up",
"openai",
"anthropic",
"llama",
"mistral",
"open source",
"javascript",
"ai models",
"privacy focused",
"recording screen",
"ai",
"no account ai chat",
"data upload",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"development att",
"ssl certificate",
"over",
"defense evasion",
"mitre att",
"ck matrix",
"size",
"meta",
"april",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"dark",
"roboto",
"invisible",
"desktop",
"small",
"tls sni",
"contacted",
"filehash",
"ids detections",
"yara detections",
"alerts",
"file sharing",
"https domain",
"tls handshake",
"failure alerts",
"less ip",
"nextcloud",
"hackers",
"they mad",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"port",
"destination",
"malware",
"write",
"self",
"network_icmp",
"icmp traffic",
"passive dns",
"moved",
"netherlands",
"gmt server",
"gmt etag",
"user agent",
"all ipv4",
"pulse submit",
"url analysis",
"apache",
"accept",
"writeconsolea",
"script",
"read c",
"search",
"show",
"medium",
"html",
"high",
"form",
"create c",
"write c",
"registry",
"windows",
"delete c",
"tools",
"persistence",
"execution",
"dock",
"malicious",
"unknown"
],
"references": [
"duck.ai \u2022 https://duck.ai/chat phishing",
"go.trckclick.xyz \u2022 att.trk.173trk.com",
"anyconnect.online",
"ddg.gg \u2022 http://ddg.gg/?q=corezuelo \u2022 http://ddg.gg/?q=embozalar",
"files.catbox.moe",
"passwordresetalcb.accenture.cn",
"https://www.phantomcameras.cn.bscedge.com",
"www.cam4.page \u2022 campaigncdn.com \u2022 accesscam.org",
"loophole.outlook89.accesscam.org",
"https://www.phantomcameras.cn/applications/where/piv",
"https://www.phantomcameras.cn.bscedge.com",
"52.250.42.157 scanning_host",
"https://nextcloud.simonduffey.ch",
"https://nextcloud.paroxity.org/",
"http://mail.saynextapp.accesscam.org/",
"http://dict.bing.com.cn/cloudwidget/Scripts/Generated/BingTranslate_Hover_Phrase_Selection_ShowIcon.js';script.onload=INIT;document.body.appendChild(script",
"https://duck.ai/chat?q=tsara+brashears+hacked&t=iphone:",
"http://docs.duckduckhack.com/walkthroughs/programming-syntax.html",
"http://www.duckduckhack.com \u2022 docs.duckduckhack.com",
"http://docs.duckduckhack.com/frontend-reference/cheat-sheet-reference.html",
"https://duck.ai/apple-touch-icon.png",
"http://r13.c.lencr.org/24.crl \u2022 http://r13.i.lencr.org/",
"http://up.chenmin.org/login/jquery.min.js",
"ALF:HSTR:Trojan:Win32/DisableUAC.A!bit",
"Win.Packed.Reline-9875163-0",
"IDS Detections: OpenSSL Demo CA - Internet Widgits Pty (O)",
"Alerts: network_icmp nolookup_communication antisandbox_idletime antisandbox_sleep_exception",
"Alerts: antivm_generic_bios antivm_firmware antivm_vmware_in_instruction dumped_buffer",
"Alerts: network_cnc_http network_http nids_alert allocates_rwx antivm_network_adapters",
"Alerts: packer_entropy antivm_queries_computername checks_debugger console_output",
"Alerts: antivm_memory_available pe_features raises",
"IP\u2019s Contacted: 104.18.11.39 104.73.1.162 142.93.108.213 52.250.42.157 72.21.81.240",
"Domains Contacted: www.download.windowsupdate.com www.microsoft.com cacerts.digicert.com duckduckgo.com ,",
"Redline: https://otx.alienvault.com/otxapi/indicators/file/screenshot/316c67e7150c6841d0d40a180bba390793ffeb9edfb8ec0321e1a16e97f68722",
"https://www.mof.gov.cn.lxcvc.com/",
"https://cms.medicarementalhealthcheckin.gov.au",
"https://duck.ai/apple-touch-icon.png",
"edge-mobile-static.azureedge.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit",
"display_name": "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit",
"target": null
},
{
"id": "VirTool:MSIL/Mousewe.A!MTB",
"display_name": "VirTool:MSIL/Mousewe.A!MTB",
"target": "/malware/VirTool:MSIL/Mousewe.A!MTB"
},
{
"id": "Win.Packed.Reline-9875163-0",
"display_name": "Win.Packed.Reline-9875163-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1462",
"name": "Malicious Software Development Tools",
"display_name": "T1462 - Malicious Software Development Tools"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1181,
"FileHash-SHA1": 195,
"domain": 320,
"hostname": 529,
"FileHash-SHA256": 1702,
"FileHash-MD5": 201,
"SSLCertFingerprint": 8
},
"indicator_count": 4136,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "20 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://anandsingh.redlounge.io",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://anandsingh.redlounge.io",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780223060.109719
}