{
  "type": "URL",
  "indicator": "https://android.googlesource.com/toolchain/clang",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://android.googlesource.com/toolchain/clang",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "whitelist",
        "message": "Whitelisted domain googlesource.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain googlesource.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 4277044605,
      "indicator": "https://android.googlesource.com/toolchain/clang",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "69eae966e2994ca9410416e7",
          "name": "CAPE Sandbox - Watson",
          "description": "[full list of details about Akamai, the web hosting company, that has been abused on the internet for more than 20 years.. and the names of its users have been published.] pretext. Watson frequents. wizard8.",
          "modified": "2026-05-24T05:16:16.520000",
          "created": "2026-04-24T03:54:14.835000",
          "tags": [
            "akamai",
            "city",
            "noc united",
            "orgid",
            "akamai ref",
            "net23",
            "net230000",
            "cidr",
            "orgabusehandle",
            "orgtechhandle"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1426",
              "name": "System Information Discovery",
              "display_name": "T1426 - System Information Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 382,
            "FileHash-SHA1": 361,
            "FileHash-SHA256": 1250,
            "URL": 1436,
            "domain": 425,
            "hostname": 783,
            "CIDR": 1,
            "email": 29,
            "CVE": 1,
            "URI": 2
          },
          "indicator_count": 4670,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "7 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69eae9650c9cb6a669783d00",
          "name": "CAPE Sandbox - Watson",
          "description": "[full list of details about Akamai, the web hosting company, that has been abused on the internet for more than 20 years.. and the names of its users have been published.] pretext. Watson frequents. wizard8.",
          "modified": "2026-05-24T03:55:24.140000",
          "created": "2026-04-24T03:54:13.049000",
          "tags": [
            "akamai",
            "city",
            "noc united",
            "orgid",
            "akamai ref",
            "net23",
            "net230000",
            "cidr",
            "orgabusehandle",
            "orgtechhandle"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1426",
              "name": "System Information Discovery",
              "display_name": "T1426 - System Information Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 158,
            "FileHash-SHA1": 127,
            "FileHash-SHA256": 775,
            "URL": 70,
            "domain": 12,
            "hostname": 80,
            "CIDR": 1,
            "email": 2,
            "CVE": 1
          },
          "indicator_count": 1226,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "7 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a102870d637030bb72796c8",
          "name": "VirusTotal report\n                    for sample.apk",
          "description": "Evasive malware campaign using corrupt/legacy certificates to bypass automated detection. Volume: Over 100,000 active Indicators of Compromise (IOCs) identified via public OSINT data. Activity: Coordinated infrastructure migration away from US/EU networks using newly mapped geospatial endpoints. Detection & Sandbox Evasion. The Bypass: The payload successfully triggers zero findings in major evasive sandboxes. API Delta: CAPE environments show highest sensitivity. APIs. Vendor Split: 11 Vendors: Detect suspicious behavior mapping to MITRE ATT&CK, but do not flag a virus. 15 Vendors: Explicitly mark the malicious payload as safe. Trust Abuse: Exploitation of legacy Verisign roots and regional cert authorities to spoof validity. Infra@Geospatial Routing. Migration: Traffic shifted heavily away from US/EU endpoints this week. Target Net: Infrastructure relocated to specific alternate regional network assets confirmed by geospatial endpoint analysis.",
          "modified": "2026-05-22T13:21:07.776000",
          "created": "2026-05-22T09:57:04.900000",
          "tags": [
            "file type",
            "https",
            "performs dns",
            "urls",
            "tls version",
            "mitre attack",
            "network info",
            "malicious",
            "accesses",
            "layer protocol",
            "loads",
            "persistence",
            "defense evasion",
            "info",
            "next",
            "windows sandbox",
            "clear filters",
            "android sandbox",
            "Busybox",
            "Third party",
            "Android 9",
            "Sample",
            "Currently running"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442472&Signature=SaTOoC0NF8oY11e9qXMGg5%2B78gPDYTpT%2FIIdOnF5ZXtOR%2FXBaHAOPMqFpzKAaA46jnPDMP2%2BxeBReZShlVIM16tHDRJXUIeNKQfMp%2BioRtZPiqUJ1sSpuvbvTgTzOxUBYCr%2BUtSzE9W04eThRjEOoh7uYYGS1KhA6lxJywpaYcL7MP5JitlfW2TwW7g%2BMYPjamuzxmvl6vIUER9rR71%2BN9bqT66C6aH2tHUP6w1GfCdu%2BHvdkP9V",
            "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442500&Signature=fP5tZPDDBIe1x4Zro6ajevLrk0Kr6UttvPFBABVUgWl1YCEy7e3B3VWegBmVdx23z2FsZI5dV6LgUIfQ1Odevykd7MOFGren1GKexcs3fVjW%2FyuWOXEf%2F2PTm2r%2BM8qmY3Is%2B2%2FqP6wcrjLoxXPVVc68wtjVDOAYxcCG8E0SofK9Q9Y7waT9gGWaMnE%2B7x1tQBSlmh08OYA%2BJXKpkcae2VNEIyy6w%2Fk28ijmBymTn",
            "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442547&Signature=RWta5nM9gINoI9wa3uQpH5FikunD7%2Ft5pNj8BNz%2Bt91LiKioV9aDfWd%2B2tRfyqFfaKsQHg4Ew6CVAH9IHhIJ9757vPmJmqMFY0%2Ftt87DDrV6ZpbubrZj3m9fZxdMjfJdw9t0uBpY82bXHzY5SzMY%2B4d79brRE9o%2BG5zCSPAmFbyPqdkyFEhEgKVEm7eYxW9sWWZs4tC%2FD4rKkI7y6NaaoNtobT1SzREk%2FEUr%2FX%"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 11,
            "FileHash-SHA1": 48,
            "FileHash-SHA256": 390,
            "IPv4": 25,
            "URL": 54,
            "domain": 288,
            "hostname": 567,
            "email": 1,
            "CIDR": 2,
            "CVE": 1
          },
          "indicator_count": 1387,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "8 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a102871420aaa28fb02c005",
          "name": "VirusTotal report\n                    for sample.apk",
          "description": "Evasive malware campaign using corrupt/legacy certificates to bypass automated detection. Volume: Over 100,000 active Indicators of Compromise (IOCs) identified via public OSINT data. Activity: Coordinated infrastructure migration away from US/EU networks using newly mapped geospatial endpoints. Detection & Sandbox Evasion. The Bypass: The payload successfully triggers zero findings in major evasive sandboxes. API Delta: CAPE environments show highest sensitivity. APIs. Vendor Split: 11 Vendors: Detect suspicious behavior mapping to MITRE ATT&CK, but do not flag a virus. 15 Vendors: Explicitly mark the malicious payload as safe. Trust Abuse: Exploitation of legacy Verisign roots and regional cert authorities to spoof validity. Infra@Geospatial Routing. Migration: Traffic shifted heavily away from US/EU endpoints this week. Target Net: Infrastructure relocated to specific alternate regional network assets confirmed by geospatial endpoint analysis.",
          "modified": "2026-05-22T10:00:34.513000",
          "created": "2026-05-22T09:57:05.375000",
          "tags": [
            "file type",
            "https",
            "performs dns",
            "urls",
            "tls version",
            "mitre attack",
            "network info",
            "malicious",
            "accesses",
            "layer protocol",
            "loads",
            "persistence",
            "defense evasion",
            "info",
            "next",
            "windows sandbox",
            "clear filters",
            "android sandbox",
            "Busybox",
            "Third party",
            "Android 9",
            "Sample",
            "Currently running"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442472&Signature=SaTOoC0NF8oY11e9qXMGg5%2B78gPDYTpT%2FIIdOnF5ZXtOR%2FXBaHAOPMqFpzKAaA46jnPDMP2%2BxeBReZShlVIM16tHDRJXUIeNKQfMp%2BioRtZPiqUJ1sSpuvbvTgTzOxUBYCr%2BUtSzE9W04eThRjEOoh7uYYGS1KhA6lxJywpaYcL7MP5JitlfW2TwW7g%2BMYPjamuzxmvl6vIUER9rR71%2BN9bqT66C6aH2tHUP6w1GfCdu%2BHvdkP9V",
            "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442500&Signature=fP5tZPDDBIe1x4Zro6ajevLrk0Kr6UttvPFBABVUgWl1YCEy7e3B3VWegBmVdx23z2FsZI5dV6LgUIfQ1Odevykd7MOFGren1GKexcs3fVjW%2FyuWOXEf%2F2PTm2r%2BM8qmY3Is%2B2%2FqP6wcrjLoxXPVVc68wtjVDOAYxcCG8E0SofK9Q9Y7waT9gGWaMnE%2B7x1tQBSlmh08OYA%2BJXKpkcae2VNEIyy6w%2Fk28ijmBymTn",
            "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442547&Signature=RWta5nM9gINoI9wa3uQpH5FikunD7%2Ft5pNj8BNz%2Bt91LiKioV9aDfWd%2B2tRfyqFfaKsQHg4Ew6CVAH9IHhIJ9757vPmJmqMFY0%2Ftt87DDrV6ZpbubrZj3m9fZxdMjfJdw9t0uBpY82bXHzY5SzMY%2B4d79brRE9o%2BG5zCSPAmFbyPqdkyFEhEgKVEm7eYxW9sWWZs4tC%2FD4rKkI7y6NaaoNtobT1SzREk%2FEUr%2FX%"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 264,
            "IPv4": 25,
            "URL": 37,
            "domain": 6,
            "hostname": 21
          },
          "indicator_count": 363,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "8 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a1028727b30a87de45714e5",
          "name": "VirusTotal report\n                    for sample.apk",
          "description": "Evasive malware campaign using corrupt/legacy certificates to bypass automated detection. Volume: Over 100,000 active Indicators of Compromise (IOCs) identified via public OSINT data. Activity: Coordinated infrastructure migration away from US/EU networks using newly mapped geospatial endpoints. Detection & Sandbox Evasion. The Bypass: The payload successfully triggers zero findings in major evasive sandboxes. API Delta: CAPE environments show highest sensitivity. APIs. Vendor Split: 11 Vendors: Detect suspicious behavior mapping to MITRE ATT&CK, but do not flag a virus. 15 Vendors: Explicitly mark the malicious payload as safe. Trust Abuse: Exploitation of legacy Verisign roots and regional cert authorities to spoof validity. Infra@Geospatial Routing. Migration: Traffic shifted heavily away from US/EU endpoints this week. Target Net: Infrastructure relocated to specific alternate regional network assets confirmed by geospatial endpoint analysis.",
          "modified": "2026-05-22T10:00:33.167000",
          "created": "2026-05-22T09:57:06.342000",
          "tags": [
            "file type",
            "https",
            "performs dns",
            "urls",
            "tls version",
            "mitre attack",
            "network info",
            "malicious",
            "accesses",
            "layer protocol",
            "loads",
            "persistence",
            "defense evasion",
            "info",
            "next",
            "windows sandbox",
            "clear filters",
            "android sandbox",
            "Busybox",
            "Third party",
            "Android 9",
            "Sample",
            "Currently running"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442472&Signature=SaTOoC0NF8oY11e9qXMGg5%2B78gPDYTpT%2FIIdOnF5ZXtOR%2FXBaHAOPMqFpzKAaA46jnPDMP2%2BxeBReZShlVIM16tHDRJXUIeNKQfMp%2BioRtZPiqUJ1sSpuvbvTgTzOxUBYCr%2BUtSzE9W04eThRjEOoh7uYYGS1KhA6lxJywpaYcL7MP5JitlfW2TwW7g%2BMYPjamuzxmvl6vIUER9rR71%2BN9bqT66C6aH2tHUP6w1GfCdu%2BHvdkP9V",
            "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442500&Signature=fP5tZPDDBIe1x4Zro6ajevLrk0Kr6UttvPFBABVUgWl1YCEy7e3B3VWegBmVdx23z2FsZI5dV6LgUIfQ1Odevykd7MOFGren1GKexcs3fVjW%2FyuWOXEf%2F2PTm2r%2BM8qmY3Is%2B2%2FqP6wcrjLoxXPVVc68wtjVDOAYxcCG8E0SofK9Q9Y7waT9gGWaMnE%2B7x1tQBSlmh08OYA%2BJXKpkcae2VNEIyy6w%2Fk28ijmBymTn",
            "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442547&Signature=RWta5nM9gINoI9wa3uQpH5FikunD7%2Ft5pNj8BNz%2Bt91LiKioV9aDfWd%2B2tRfyqFfaKsQHg4Ew6CVAH9IHhIJ9757vPmJmqMFY0%2Ftt87DDrV6ZpbubrZj3m9fZxdMjfJdw9t0uBpY82bXHzY5SzMY%2B4d79brRE9o%2BG5zCSPAmFbyPqdkyFEhEgKVEm7eYxW9sWWZs4tC%2FD4rKkI7y6NaaoNtobT1SzREk%2FEUr%2FX%"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 264,
            "IPv4": 25,
            "URL": 37,
            "domain": 6,
            "hostname": 21
          },
          "indicator_count": 363,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "8 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a102871b84e37f4ad09c0ed",
          "name": "VirusTotal report\n                    for sample.apk",
          "description": "Evasive malware campaign using corrupt/legacy certificates to bypass automated detection. Volume: Over 100,000 active Indicators of Compromise (IOCs) identified via public OSINT data. Activity: Coordinated infrastructure migration away from US/EU networks using newly mapped geospatial endpoints. Detection & Sandbox Evasion. The Bypass: The payload successfully triggers zero findings in major evasive sandboxes. API Delta: CAPE environments show highest sensitivity. APIs. Vendor Split: 11 Vendors: Detect suspicious behavior mapping to MITRE ATT&CK, but do not flag a virus. 15 Vendors: Explicitly mark the malicious payload as safe. Trust Abuse: Exploitation of legacy Verisign roots and regional cert authorities to spoof validity. Infra@Geospatial Routing. Migration: Traffic shifted heavily away from US/EU endpoints this week. Target Net: Infrastructure relocated to specific alternate regional network assets confirmed by geospatial endpoint analysis.",
          "modified": "2026-05-22T10:00:32.893000",
          "created": "2026-05-22T09:57:05.834000",
          "tags": [
            "file type",
            "https",
            "performs dns",
            "urls",
            "tls version",
            "mitre attack",
            "network info",
            "malicious",
            "accesses",
            "layer protocol",
            "loads",
            "persistence",
            "defense evasion",
            "info",
            "next",
            "windows sandbox",
            "clear filters",
            "android sandbox",
            "Busybox",
            "Third party",
            "Android 9",
            "Sample",
            "Currently running"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442472&Signature=SaTOoC0NF8oY11e9qXMGg5%2B78gPDYTpT%2FIIdOnF5ZXtOR%2FXBaHAOPMqFpzKAaA46jnPDMP2%2BxeBReZShlVIM16tHDRJXUIeNKQfMp%2BioRtZPiqUJ1sSpuvbvTgTzOxUBYCr%2BUtSzE9W04eThRjEOoh7uYYGS1KhA6lxJywpaYcL7MP5JitlfW2TwW7g%2BMYPjamuzxmvl6vIUER9rR71%2BN9bqT66C6aH2tHUP6w1GfCdu%2BHvdkP9V",
            "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442500&Signature=fP5tZPDDBIe1x4Zro6ajevLrk0Kr6UttvPFBABVUgWl1YCEy7e3B3VWegBmVdx23z2FsZI5dV6LgUIfQ1Odevykd7MOFGren1GKexcs3fVjW%2FyuWOXEf%2F2PTm2r%2BM8qmY3Is%2B2%2FqP6wcrjLoxXPVVc68wtjVDOAYxcCG8E0SofK9Q9Y7waT9gGWaMnE%2B7x1tQBSlmh08OYA%2BJXKpkcae2VNEIyy6w%2Fk28ijmBymTn",
            "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442547&Signature=RWta5nM9gINoI9wa3uQpH5FikunD7%2Ft5pNj8BNz%2Bt91LiKioV9aDfWd%2B2tRfyqFfaKsQHg4Ew6CVAH9IHhIJ9757vPmJmqMFY0%2Ftt87DDrV6ZpbubrZj3m9fZxdMjfJdw9t0uBpY82bXHzY5SzMY%2B4d79brRE9o%2BG5zCSPAmFbyPqdkyFEhEgKVEm7eYxW9sWWZs4tC%2FD4rKkI7y6NaaoNtobT1SzREk%2FEUr%2FX%"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 264,
            "IPv4": 25,
            "URL": 37,
            "domain": 6,
            "hostname": 21
          },
          "indicator_count": 363,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "8 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf3f877a03179a827b8479",
          "name": "VirusTotal report\n                    for sample.apk",
          "description": "The full text of the transcript of all the statements made by the BBC News NI team on Thursday, 1 January 2018.. and the full details of these statements:-a-chocolate.",
          "modified": "2026-04-21T01:33:06.350000",
          "created": "2026-03-22T01:01:59.880000",
          "tags": [
            "file type",
            "https",
            "mitre attack",
            "network info",
            "accesses",
            "sim provider",
            "mccmnc",
            "mobile",
            "iso country",
            "urls",
            "persistence",
            "cloud",
            "malicious"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/7765913690bc595c8eddc0832f74ac4d9e8405a03eb98110064fbcce822165aa_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774141583&Signature=l73hLrW3VgaADcZZ0BAmhZrjVfdvnoHaSJV0alVR9N31DdJk9P%2Bnhf1o9rXIEbwcWujTfVh10qgKizNSNONKxXE%2FKCzhIR6TWb3HrdC6eglsQYmciZy9OH98G3SxNX4Ntd876PKGJovWlUH%2FXlsLUo%2FfSbyLxGCf9D5X8ZrShRyF7c8UYJzpVLramPnE9FNxdPVKf1y%2FIJr1SujIHDUBakj3V2Vjz50A5fOIyJrLyUycP2TAk9"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1422",
              "name": "System Network Configuration Discovery",
              "display_name": "T1422 - System Network Configuration Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1426",
              "name": "System Information Discovery",
              "display_name": "T1426 - System Information Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 124,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "URL": 23,
            "domain": 6,
            "hostname": 10
          },
          "indicator_count": 165,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "40 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf3fb654cd4ae2f1f7eb82",
          "name": "VirusTotal report\n                    for sample.apk",
          "description": "A Malware Analysis System Evasion Tool (MSA)   is being used by the BBC to detect and track Cydia, a version of the Android operating system, which is currently running on iOS. <<pretext the alpha is angry.",
          "modified": "2026-04-21T01:33:06.350000",
          "created": "2026-03-22T01:02:46.589000",
          "tags": [
            "file type",
            "https",
            "mitre attack",
            "network info",
            "accesses",
            "sim provider",
            "mccmnc",
            "mobile",
            "iso country",
            "urls",
            "persistence",
            "cloud",
            "malicious"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/7765913690bc595c8eddc0832f74ac4d9e8405a03eb98110064fbcce822165aa_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774141583&Signature=l73hLrW3VgaADcZZ0BAmhZrjVfdvnoHaSJV0alVR9N31DdJk9P%2Bnhf1o9rXIEbwcWujTfVh10qgKizNSNONKxXE%2FKCzhIR6TWb3HrdC6eglsQYmciZy9OH98G3SxNX4Ntd876PKGJovWlUH%2FXlsLUo%2FfSbyLxGCf9D5X8ZrShRyF7c8UYJzpVLramPnE9FNxdPVKf1y%2FIJr1SujIHDUBakj3V2Vjz50A5fOIyJrLyUycP2TAk9"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1422",
              "name": "System Network Configuration Discovery",
              "display_name": "T1422 - System Network Configuration Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1426",
              "name": "System Information Discovery",
              "display_name": "T1426 - System Information Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 3,
            "URL": 23,
            "domain": 6,
            "hostname": 10
          },
          "indicator_count": 44,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "40 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf2c116da2e43b3b4cad3f",
          "name": "VirusTotal report\n                    for base.apk",
          "description": "",
          "modified": "2026-04-20T23:10:00.870000",
          "created": "2026-03-21T23:38:57.897000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1422",
              "name": "System Network Configuration Discovery",
              "display_name": "T1422 - System Network Configuration Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1426",
              "name": "System Information Discovery",
              "display_name": "T1426 - System Information Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 4,
            "URL": 46,
            "domain": 12,
            "hostname": 20
          },
          "indicator_count": 86,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "40 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442472&Signature=SaTOoC0NF8oY11e9qXMGg5%2B78gPDYTpT%2FIIdOnF5ZXtOR%2FXBaHAOPMqFpzKAaA46jnPDMP2%2BxeBReZShlVIM16tHDRJXUIeNKQfMp%2BioRtZPiqUJ1sSpuvbvTgTzOxUBYCr%2BUtSzE9W04eThRjEOoh7uYYGS1KhA6lxJywpaYcL7MP5JitlfW2TwW7g%2BMYPjamuzxmvl6vIUER9rR71%2BN9bqT66C6aH2tHUP6w1GfCdu%2BHvdkP9V",
        "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442547&Signature=RWta5nM9gINoI9wa3uQpH5FikunD7%2Ft5pNj8BNz%2Bt91LiKioV9aDfWd%2B2tRfyqFfaKsQHg4Ew6CVAH9IHhIJ9757vPmJmqMFY0%2Ftt87DDrV6ZpbubrZj3m9fZxdMjfJdw9t0uBpY82bXHzY5SzMY%2B4d79brRE9o%2BG5zCSPAmFbyPqdkyFEhEgKVEm7eYxW9sWWZs4tC%2FD4rKkI7y6NaaoNtobT1SzREk%2FEUr%2FX%",
        "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442500&Signature=fP5tZPDDBIe1x4Zro6ajevLrk0Kr6UttvPFBABVUgWl1YCEy7e3B3VWegBmVdx23z2FsZI5dV6LgUIfQ1Odevykd7MOFGren1GKexcs3fVjW%2FyuWOXEf%2F2PTm2r%2BM8qmY3Is%2B2%2FqP6wcrjLoxXPVVc68wtjVDOAYxcCG8E0SofK9Q9Y7waT9gGWaMnE%2B7x1tQBSlmh08OYA%2BJXKpkcae2VNEIyy6w%2Fk28ijmBymTn",
        "https://vtbehaviour.commondatastorage.googleapis.com/7765913690bc595c8eddc0832f74ac4d9e8405a03eb98110064fbcce822165aa_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774141583&Signature=l73hLrW3VgaADcZZ0BAmhZrjVfdvnoHaSJV0alVR9N31DdJk9P%2Bnhf1o9rXIEbwcWujTfVh10qgKizNSNONKxXE%2FKCzhIR6TWb3HrdC6eglsQYmciZy9OH98G3SxNX4Ntd876PKGJovWlUH%2FXlsLUo%2FfSbyLxGCf9D5X8ZrShRyF7c8UYJzpVLramPnE9FNxdPVKf1y%2FIJr1SujIHDUBakj3V2Vjz50A5fOIyJrLyUycP2TAk9"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 3779
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/googlesource.com",
    "whois": "http://whois.domaintools.com/googlesource.com",
    "domain": "googlesource.com",
    "hostname": "android.googlesource.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "69eae966e2994ca9410416e7",
      "name": "CAPE Sandbox - Watson",
      "description": "[full list of details about Akamai, the web hosting company, that has been abused on the internet for more than 20 years.. and the names of its users have been published.] pretext. Watson frequents. wizard8.",
      "modified": "2026-05-24T05:16:16.520000",
      "created": "2026-04-24T03:54:14.835000",
      "tags": [
        "akamai",
        "city",
        "noc united",
        "orgid",
        "akamai ref",
        "net23",
        "net230000",
        "cidr",
        "orgabusehandle",
        "orgtechhandle"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1426",
          "name": "System Information Discovery",
          "display_name": "T1426 - System Information Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 382,
        "FileHash-SHA1": 361,
        "FileHash-SHA256": 1250,
        "URL": 1436,
        "domain": 425,
        "hostname": 783,
        "CIDR": 1,
        "email": 29,
        "CVE": 1,
        "URI": 2
      },
      "indicator_count": 4670,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "7 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69eae9650c9cb6a669783d00",
      "name": "CAPE Sandbox - Watson",
      "description": "[full list of details about Akamai, the web hosting company, that has been abused on the internet for more than 20 years.. and the names of its users have been published.] pretext. Watson frequents. wizard8.",
      "modified": "2026-05-24T03:55:24.140000",
      "created": "2026-04-24T03:54:13.049000",
      "tags": [
        "akamai",
        "city",
        "noc united",
        "orgid",
        "akamai ref",
        "net23",
        "net230000",
        "cidr",
        "orgabusehandle",
        "orgtechhandle"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1426",
          "name": "System Information Discovery",
          "display_name": "T1426 - System Information Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 158,
        "FileHash-SHA1": 127,
        "FileHash-SHA256": 775,
        "URL": 70,
        "domain": 12,
        "hostname": 80,
        "CIDR": 1,
        "email": 2,
        "CVE": 1
      },
      "indicator_count": 1226,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "7 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a102870d637030bb72796c8",
      "name": "VirusTotal report\n                    for sample.apk",
      "description": "Evasive malware campaign using corrupt/legacy certificates to bypass automated detection. Volume: Over 100,000 active Indicators of Compromise (IOCs) identified via public OSINT data. Activity: Coordinated infrastructure migration away from US/EU networks using newly mapped geospatial endpoints. Detection & Sandbox Evasion - The Bypass: The payload successfully triggers zero findings in major evasive sandboxes. API Delta: CAPE environments show highest sensitivity. APIs. Vendor Split: 11 Vendors: Detect suspicious behavior mapping to MITRE ATT&CK, but do not flag a virus. 15 Vendors: Explicitly mark the malicious payload as safe. Trust Abuse: Exploitation of legacy Verisign roots and regional cert authorities to spoof validity. Infra@Geospatial Routing - Migration: Traffic shifted heavily away from US/EU endpoints this week. Target Net: Infrastructure relocated to specific alternate regional network assets confirmed by geospatial endpoint analysis.",
      "modified": "2026-05-22T13:21:07.776000",
      "created": "2026-05-22T09:57:04.900000",
      "tags": [
        "file type",
        "https",
        "performs dns",
        "urls",
        "tls version",
        "mitre attack",
        "network info",
        "malicious",
        "accesses",
        "layer protocol",
        "loads",
        "persistence",
        "defense evasion",
        "info",
        "next",
        "windows sandbox",
        "clear filters",
        "android sandbox",
        "Busybox",
        "Third party",
        "Android 9",
        "Sample",
        "Currently running"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442472&Signature=SaTOoC0NF8oY11e9qXMGg5%2B78gPDYTpT%2FIIdOnF5ZXtOR%2FXBaHAOPMqFpzKAaA46jnPDMP2%2BxeBReZShlVIM16tHDRJXUIeNKQfMp%2BioRtZPiqUJ1sSpuvbvTgTzOxUBYCr%2BUtSzE9W04eThRjEOoh7uYYGS1KhA6lxJywpaYcL7MP5JitlfW2TwW7g%2BMYPjamuzxmvl6vIUER9rR71%2BN9bqT66C6aH2tHUP6w1GfCdu%2BHvdkP9V",
        "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442500&Signature=fP5tZPDDBIe1x4Zro6ajevLrk0Kr6UttvPFBABVUgWl1YCEy7e3B3VWegBmVdx23z2FsZI5dV6LgUIfQ1Odevykd7MOFGren1GKexcs3fVjW%2FyuWOXEf%2F2PTm2r%2BM8qmY3Is%2B2%2FqP6wcrjLoxXPVVc68wtjVDOAYxcCG8E0SofK9Q9Y7waT9gGWaMnE%2B7x1tQBSlmh08OYA%2BJXKpkcae2VNEIyy6w%2Fk28ijmBymTn",
        "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442547&Signature=RWta5nM9gINoI9wa3uQpH5FikunD7%2Ft5pNj8BNz%2Bt91LiKioV9aDfWd%2B2tRfyqFfaKsQHg4Ew6CVAH9IHhIJ9757vPmJmqMFY0%2Ftt87DDrV6ZpbubrZj3m9fZxdMjfJdw9t0uBpY82bXHzY5SzMY%2B4d79brRE9o%2BG5zCSPAmFbyPqdkyFEhEgKVEm7eYxW9sWWZs4tC%2FD4rKkI7y6NaaoNtobT1SzREk%2FEUr%2FX%"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 11,
        "FileHash-SHA1": 48,
        "FileHash-SHA256": 390,
        "IPv4": 25,
        "URL": 54,
        "domain": 288,
        "hostname": 567,
        "email": 1,
        "CIDR": 2,
        "CVE": 1
      },
      "indicator_count": 1387,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "8 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a102871420aaa28fb02c005",
      "name": "VirusTotal report\n                    for sample.apk",
      "description": "Evasive malware campaign using corrupt/legacy certificates to bypass automated detection. Volume: Over 100,000 active Indicators of Compromise (IOCs) identified via public OSINT data. Activity: Coordinated infrastructure migration away from US/EU networks using newly mapped geospatial endpoints. Detection & Sandbox Evasion - The Bypass: The payload successfully triggers zero findings in major evasive sandboxes. API Delta: CAPE environments show highest sensitivity. APIs. Vendor Split: 11 Vendors: Detect suspicious behavior mapping to MITRE ATT&CK, but do not flag a virus. 15 Vendors: Explicitly mark the malicious payload as safe. Trust Abuse: Exploitation of legacy Verisign roots and regional cert authorities to spoof validity. Infra@Geospatial Routing - Migration: Traffic shifted heavily away from US/EU endpoints this week. Target Net: Infrastructure relocated to specific alternate regional network assets confirmed by geospatial endpoint analysis.",
      "modified": "2026-05-22T10:00:34.513000",
      "created": "2026-05-22T09:57:05.375000",
      "tags": [
        "file type",
        "https",
        "performs dns",
        "urls",
        "tls version",
        "mitre attack",
        "network info",
        "malicious",
        "accesses",
        "layer protocol",
        "loads",
        "persistence",
        "defense evasion",
        "info",
        "next",
        "windows sandbox",
        "clear filters",
        "android sandbox",
        "Busybox",
        "Third party",
        "Android 9",
        "Sample",
        "Currently running"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442472&Signature=SaTOoC0NF8oY11e9qXMGg5%2B78gPDYTpT%2FIIdOnF5ZXtOR%2FXBaHAOPMqFpzKAaA46jnPDMP2%2BxeBReZShlVIM16tHDRJXUIeNKQfMp%2BioRtZPiqUJ1sSpuvbvTgTzOxUBYCr%2BUtSzE9W04eThRjEOoh7uYYGS1KhA6lxJywpaYcL7MP5JitlfW2TwW7g%2BMYPjamuzxmvl6vIUER9rR71%2BN9bqT66C6aH2tHUP6w1GfCdu%2BHvdkP9V",
        "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442500&Signature=fP5tZPDDBIe1x4Zro6ajevLrk0Kr6UttvPFBABVUgWl1YCEy7e3B3VWegBmVdx23z2FsZI5dV6LgUIfQ1Odevykd7MOFGren1GKexcs3fVjW%2FyuWOXEf%2F2PTm2r%2BM8qmY3Is%2B2%2FqP6wcrjLoxXPVVc68wtjVDOAYxcCG8E0SofK9Q9Y7waT9gGWaMnE%2B7x1tQBSlmh08OYA%2BJXKpkcae2VNEIyy6w%2Fk28ijmBymTn",
        "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442547&Signature=RWta5nM9gINoI9wa3uQpH5FikunD7%2Ft5pNj8BNz%2Bt91LiKioV9aDfWd%2B2tRfyqFfaKsQHg4Ew6CVAH9IHhIJ9757vPmJmqMFY0%2Ftt87DDrV6ZpbubrZj3m9fZxdMjfJdw9t0uBpY82bXHzY5SzMY%2B4d79brRE9o%2BG5zCSPAmFbyPqdkyFEhEgKVEm7eYxW9sWWZs4tC%2FD4rKkI7y6NaaoNtobT1SzREk%2FEUr%2FX%"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 264,
        "IPv4": 25,
        "URL": 37,
        "domain": 6,
        "hostname": 21
      },
      "indicator_count": 363,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "8 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a1028727b30a87de45714e5",
      "name": "VirusTotal report\n                    for sample.apk",
      "description": "Evasive malware campaign using corrupt/legacy certificates to bypass automated detection. Volume: Over 100,000 active Indicators of Compromise (IOCs) identified via public OSINT data. Activity: Coordinated infrastructure migration away from US/EU networks using newly mapped geospatial endpoints. Detection & Sandbox Evasion. The Bypass: The payload successfully triggers zero findings in major evasive sandboxes. API Delta: CAPE environments show highest sensitivity. APIs. Vendor Split: 11 Vendors: Detect suspicious behavior mapping to MITRE ATT&CK, but do not flag a virus. 15 Vendors: Explicitly mark the malicious payload as safe. Trust Abuse: Exploitation of legacy Verisign roots and regional cert authorities to spoof validity. Infra@Geospatial Routing. Migration: Traffic shifted heavily away from US/EU endpoints this week. Target Net: Infrastructure relocated to specific alternate regional network assets confirmed by geospatial endpoint analysis.",
      "modified": "2026-05-22T10:00:33.167000",
      "created": "2026-05-22T09:57:06.342000",
      "tags": [
        "file type",
        "https",
        "performs dns",
        "urls",
        "tls version",
        "mitre attack",
        "network info",
        "malicious",
        "accesses",
        "layer protocol",
        "loads",
        "persistence",
        "defense evasion",
        "info",
        "next",
        "windows sandbox",
        "clear filters",
        "android sandbox",
        "Busybox",
        "Third party",
        "Android 9",
        "Sample",
        "Currently running"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442472&Signature=SaTOoC0NF8oY11e9qXMGg5%2B78gPDYTpT%2FIIdOnF5ZXtOR%2FXBaHAOPMqFpzKAaA46jnPDMP2%2BxeBReZShlVIM16tHDRJXUIeNKQfMp%2BioRtZPiqUJ1sSpuvbvTgTzOxUBYCr%2BUtSzE9W04eThRjEOoh7uYYGS1KhA6lxJywpaYcL7MP5JitlfW2TwW7g%2BMYPjamuzxmvl6vIUER9rR71%2BN9bqT66C6aH2tHUP6w1GfCdu%2BHvdkP9V",
        "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442500&Signature=fP5tZPDDBIe1x4Zro6ajevLrk0Kr6UttvPFBABVUgWl1YCEy7e3B3VWegBmVdx23z2FsZI5dV6LgUIfQ1Odevykd7MOFGren1GKexcs3fVjW%2FyuWOXEf%2F2PTm2r%2BM8qmY3Is%2B2%2FqP6wcrjLoxXPVVc68wtjVDOAYxcCG8E0SofK9Q9Y7waT9gGWaMnE%2B7x1tQBSlmh08OYA%2BJXKpkcae2VNEIyy6w%2Fk28ijmBymTn",
        "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442547&Signature=RWta5nM9gINoI9wa3uQpH5FikunD7%2Ft5pNj8BNz%2Bt91LiKioV9aDfWd%2B2tRfyqFfaKsQHg4Ew6CVAH9IHhIJ9757vPmJmqMFY0%2Ftt87DDrV6ZpbubrZj3m9fZxdMjfJdw9t0uBpY82bXHzY5SzMY%2B4d79brRE9o%2BG5zCSPAmFbyPqdkyFEhEgKVEm7eYxW9sWWZs4tC%2FD4rKkI7y6NaaoNtobT1SzREk%2FEUr%2FX%"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 264,
        "IPv4": 25,
        "URL": 37,
        "domain": 6,
        "hostname": 21
      },
      "indicator_count": 363,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "8 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a102871b84e37f4ad09c0ed",
      "name": "VirusTotal report\n                    for sample.apk",
      "description": "Evasive malware campaign using corrupt/legacy certificates to bypass automated detection. Volume: Over 100,000 active Indicators of Compromise (IOCs) identified via public OSINT data. Activity: Coordinated infrastructure migration away from US/EU networks using newly mapped geospatial endpoints. Detection & Sandbox Evasion. The Bypass: The payload successfully triggers zero findings in major evasive sandboxes. API Delta: CAPE environments show highest sensitivity. APIs. Vendor Split: 11 Vendors: Detect suspicious behavior mapping to MITRE ATT&CK, but do not flag a virus. 15 Vendors: Explicitly mark the malicious payload as safe. Trust Abuse: Exploitation of legacy Verisign roots and regional cert authorities to spoof validity. Infra@Geospatial Routing. Migration: Traffic shifted heavily away from US/EU endpoints this week. Target Net: Infrastructure relocated to specific alternate regional network assets confirmed by geospatial endpoint analysis.",
      "modified": "2026-05-22T10:00:32.893000",
      "created": "2026-05-22T09:57:05.834000",
      "tags": [
        "file type",
        "https",
        "performs dns",
        "urls",
        "tls version",
        "mitre attack",
        "network info",
        "malicious",
        "accesses",
        "layer protocol",
        "loads",
        "persistence",
        "defense evasion",
        "info",
        "next",
        "windows sandbox",
        "clear filters",
        "android sandbox",
        "Busybox",
        "Third party",
        "Android 9",
        "Sample",
        "Currently running"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442472&Signature=SaTOoC0NF8oY11e9qXMGg5%2B78gPDYTpT%2FIIdOnF5ZXtOR%2FXBaHAOPMqFpzKAaA46jnPDMP2%2BxeBReZShlVIM16tHDRJXUIeNKQfMp%2BioRtZPiqUJ1sSpuvbvTgTzOxUBYCr%2BUtSzE9W04eThRjEOoh7uYYGS1KhA6lxJywpaYcL7MP5JitlfW2TwW7g%2BMYPjamuzxmvl6vIUER9rR71%2BN9bqT66C6aH2tHUP6w1GfCdu%2BHvdkP9V",
        "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442500&Signature=fP5tZPDDBIe1x4Zro6ajevLrk0Kr6UttvPFBABVUgWl1YCEy7e3B3VWegBmVdx23z2FsZI5dV6LgUIfQ1Odevykd7MOFGren1GKexcs3fVjW%2FyuWOXEf%2F2PTm2r%2BM8qmY3Is%2B2%2FqP6wcrjLoxXPVVc68wtjVDOAYxcCG8E0SofK9Q9Y7waT9gGWaMnE%2B7x1tQBSlmh08OYA%2BJXKpkcae2VNEIyy6w%2Fk28ijmBymTn",
        "https://vtbehaviour.commondatastorage.googleapis.com/4c667f59ffca45888ea55b2cb2bb0970c1216e0b9916aec79a3dcd6e5da61480_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779442547&Signature=RWta5nM9gINoI9wa3uQpH5FikunD7%2Ft5pNj8BNz%2Bt91LiKioV9aDfWd%2B2tRfyqFfaKsQHg4Ew6CVAH9IHhIJ9757vPmJmqMFY0%2Ftt87DDrV6ZpbubrZj3m9fZxdMjfJdw9t0uBpY82bXHzY5SzMY%2B4d79brRE9o%2BG5zCSPAmFbyPqdkyFEhEgKVEm7eYxW9sWWZs4tC%2FD4rKkI7y6NaaoNtobT1SzREk%2FEUr%2FX%"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 264,
        "IPv4": 25,
        "URL": 37,
        "domain": 6,
        "hostname": 21
      },
      "indicator_count": 363,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "8 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bf3f877a03179a827b8479",
      "name": "VirusTotal report\n                    for sample.apk",
      "description": "The full text of the transcript of all the statements made by the BBC News NI team on Thursday, 1 January 2018.. and the full details of these statements:-a-chocolate.",
      "modified": "2026-04-21T01:33:06.350000",
      "created": "2026-03-22T01:01:59.880000",
      "tags": [
        "file type",
        "https",
        "mitre attack",
        "network info",
        "accesses",
        "sim provider",
        "mccmnc",
        "mobile",
        "iso country",
        "urls",
        "persistence",
        "cloud",
        "malicious"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/7765913690bc595c8eddc0832f74ac4d9e8405a03eb98110064fbcce822165aa_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774141583&Signature=l73hLrW3VgaADcZZ0BAmhZrjVfdvnoHaSJV0alVR9N31DdJk9P%2Bnhf1o9rXIEbwcWujTfVh10qgKizNSNONKxXE%2FKCzhIR6TWb3HrdC6eglsQYmciZy9OH98G3SxNX4Ntd876PKGJovWlUH%2FXlsLUo%2FfSbyLxGCf9D5X8ZrShRyF7c8UYJzpVLramPnE9FNxdPVKf1y%2FIJr1SujIHDUBakj3V2Vjz50A5fOIyJrLyUycP2TAk9"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1422",
          "name": "System Network Configuration Discovery",
          "display_name": "T1422 - System Network Configuration Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1426",
          "name": "System Information Discovery",
          "display_name": "T1426 - System Information Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 124,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "URL": 23,
        "domain": 6,
        "hostname": 10
      },
      "indicator_count": 165,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "40 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bf3fb654cd4ae2f1f7eb82",
      "name": "VirusTotal report\n                    for sample.apk",
      "description": "A Malware Analysis System Evasion Tool (MSA)   is being used by the BBC to detect and track Cydia, a version of the Android operating system, which is currently running on iOS. <<pretext the alpha is angry.",
      "modified": "2026-04-21T01:33:06.350000",
      "created": "2026-03-22T01:02:46.589000",
      "tags": [
        "file type",
        "https",
        "mitre attack",
        "network info",
        "accesses",
        "sim provider",
        "mccmnc",
        "mobile",
        "iso country",
        "urls",
        "persistence",
        "cloud",
        "malicious"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/7765913690bc595c8eddc0832f74ac4d9e8405a03eb98110064fbcce822165aa_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774141583&Signature=l73hLrW3VgaADcZZ0BAmhZrjVfdvnoHaSJV0alVR9N31DdJk9P%2Bnhf1o9rXIEbwcWujTfVh10qgKizNSNONKxXE%2FKCzhIR6TWb3HrdC6eglsQYmciZy9OH98G3SxNX4Ntd876PKGJovWlUH%2FXlsLUo%2FfSbyLxGCf9D5X8ZrShRyF7c8UYJzpVLramPnE9FNxdPVKf1y%2FIJr1SujIHDUBakj3V2Vjz50A5fOIyJrLyUycP2TAk9"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1422",
          "name": "System Network Configuration Discovery",
          "display_name": "T1422 - System Network Configuration Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1426",
          "name": "System Information Discovery",
          "display_name": "T1426 - System Information Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 3,
        "URL": 23,
        "domain": 6,
        "hostname": 10
      },
      "indicator_count": 44,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "40 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bf2c116da2e43b3b4cad3f",
      "name": "VirusTotal report\n                    for base.apk",
      "description": "",
      "modified": "2026-04-20T23:10:00.870000",
      "created": "2026-03-21T23:38:57.897000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1422",
          "name": "System Network Configuration Discovery",
          "display_name": "T1422 - System Network Configuration Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1426",
          "name": "System Information Discovery",
          "display_name": "T1426 - System Information Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 4,
        "URL": 46,
        "domain": 12,
        "hostname": 20
      },
      "indicator_count": 86,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "40 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://android.googlesource.com/toolchain/clang",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://android.googlesource.com/toolchain/clang",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780213569.1188388
}