{ "type": "URL", "indicator": "https://anfibiaplantula.com/cgi-sys/suspendedpage.cgi", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://anfibiaplantula.com/cgi-sys/suspendedpage.cgi", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4111307452, "indicator": "https://anfibiaplantula.com/cgi-sys/suspendedpage.cgi", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6a19ab3077e26f1ba3c8cd51", "name": "Credit Q.Vashti \"Unknown - Established hacker group. Affects banking\" clone", "description": "", "modified": "2026-05-31T05:26:42.780000", "created": "2026-05-29T15:05:20.198000", "tags": [ "united", "search", "entries", "unknown ns", "ip address", "creation date", "record value", "date", "showing", "moved", "body", "encrypt", "lowfi", "trojanspy", "checkin", "passive dns", "trojan", "next associated", "cryp", "win32", "phishing", "virtool", "hstr", "backdoor", "ipv4", "pulse pulses", "associated urls", "show", "date checked", "url hostname", "server response", "google safe", "results feb", "header http2", "accept encoding", "gmt related", "domains show", "domain related", "response ip", "address google", "safe browsing", "entries http", "scans show", "title", "link", "present mar", "meta", "starfield", "dynamicloader", "qaeaav12", "medium", "high", "malware", "windows wget", "qbeipbdii", "write", "suspicious", "copy", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "unknown", "yara detections", "filehash", "sha256 add", "av detections", "ids detections", "alerts", "analysis date", "file score", "oinetsim", "oudevelopment", "write c", "demo", "mtb sep", "trojandropper", "cookie", "path max", "age86400 set", "win32qqpass sep", "results aug", "script urls", "script domains", "a domains", "cache control", "cache status", "fury", "zenedge", "present jun", "present dec", "present jan", "present nov", "for privacy", "present may", "name servers", "no expiration", "filehashmd5", "filehashsha256", "filehashsha1", "iocs", "extract", "enter source", "url or", "text drag", "drop or", "domain", "expiration", "url http", "hostname", "email abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "688f1ce317fc8b3f9d5d5f33", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 459, "FileHash-MD5": 553, "FileHash-SHA256": 1042, "URL": 1429, "hostname": 478, "domain": 521, "email": 3, "SSLCertFingerprint": 1, "JA3": 1 }, "indicator_count": 4487, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68b81d14b78bfc09f117f169", "name": "Signed Exchanges on Google Search | Google Search Central Documentation: Google for Developers", "description": "Signed Exchanges on Google Search | Google Search Central Documentation: Google for Developers | Googlebot | Matches a pattern and is related to a network of \nfoundations and business websites affected by . spyware, or bot networks, many involve social engineering, hacking , online phishing. Researching commonly reveals monitored target/s. (most, not all businesses operating even if temporary)", "modified": "2025-10-03T04:01:28.777000", "created": "2025-09-03T10:48:52.736000", "tags": [ "google search", "google sxg", "javascript", "google", "sxgs", "googlebot", "html", "paint", "implement sxg", "chrome", "ipv4", "path max", "age86400 set", "cookie", "script urls", "passive dns", "script domains", "united", "mtb sep", "trojandropper", "win32qqpass sep", "trojan", "url hostname", "server response", "ip address", "results jul", "learn", "command", "suspicious", "informative", "ck id", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "sha1", "sha256", "click", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "pattern match", "mitre att", "ck matrix", "ascii text", "network traffic", "t1071", "t1057", "general", "local", "path", "pehash external", "api key", "comments", "vendor finding", "notes clamav", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "delphi", "win32", "powershell", "adult content", "call", "monitoring", "monitored target" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "TrojanDropper:Win32/Cutwail.gen", "display_name": "TrojanDropper:Win32/Cutwail.gen", "target": "/malware/TrojanDropper:Win32/Cutwail.gen" }, { "id": "trojan:Win32/Formbook!MTB", "display_name": "trojan:Win32/Formbook!MTB", "target": "/malware/trojan:Win32/Formbook!MTB" }, { "id": "TrojanSpy:Win32/Bancos.DI", "display_name": "TrojanSpy:Win32/Bancos.DI", "target": "/malware/TrojanSpy:Win32/Bancos.DI" }, { "id": "Win32/QQpass", "display_name": "Win32/QQpass", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0033", "name": "Lateral Movement", "display_name": "TA0033 - Lateral Movement" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 250, "domain": 83, "hostname": 115, "FileHash-MD5": 149, "FileHash-SHA256": 334, "FileHash-SHA1": 149, "email": 1 }, "indicator_count": 1081, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "240 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688fa1290b459ca0e307fcbd", "name": "http://www.jeffreyrusertjeffersoncounty.net/", "description": "Does this mean a someone who SA\u2019d and critically injured someone was given legal access to also spy on his victim? \nFurther investigation needed. Now ther is a little phone symbol blinking on my device. Weirdness.", "modified": "2025-09-02T10:03:26.815000", "created": "2025-08-03T17:49:29.657000", "tags": [ "status", "creation date", "date", "domain add", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as396982", "whois registrar", "pulses", "related tags", "indicator facts", "historical otx", "pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "mitre att", "ck techniques", "spawns", "falcon sandbox", "hybrid", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ascii text", "size", "null", "refresh", "body", "span", "august", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "config", "runner", "us seen", "general info", "geo kansas", "city", "missouri", "united", "as396982", "us note", "route", "ptr record", "live", "november", "value emails", "dnssec", "domain name", "llc status", "whois server", "showing", "entries", "olet", "encrypt", "cnr3", "cnr10", "cnr11", "ilike search", "id logged", "common name", "issuer name", "encrypt https", "expired", "key usage", "tls web", "identifier", "search criteria", "timestamp entry", "log operator", "log url", "google https", "poison", "info", "certificate", "linter", "precertificate", "tls server", "subject dn", "ascii", "sha256 hash", "graph", "sectigo https", "ca mechanism", "provider status", "revocation date", "log id", "criteria id", "16566017041", "summary leaf", "15317728412", "15385730680", "sequence", "octet string", "pkcs", "integer", "null bit", "string", "boolean", "pkix key", "pkix", "observed" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 69, "URL": 226, "hostname": 64, "email": 1, "FileHash-SHA256": 143, "FileHash-MD5": 28, "FileHash-SHA1": 35, "CIDR": 1, "SSLCertFingerprint": 4 }, "indicator_count": 571, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688f1ce317fc8b3f9d5d5f33", "name": "Unknown - Established hacker group. Affects banking, financial and much more.", "description": "Crowdsourced. Identifies as a Dark Web gang stalking entity. Research suggests that this is a very organized, possibly quasi governmental entity with shadowy state figures that social engineer targets. Even though they have been considered scammers and they are grifters, they are very established, dangerous and a very large force with claims of military alignments which has not yet been fully confirmed.\n\nThis group is anything you want them to be, attorney, accountant, technician, nurse, uber driver.", "modified": "2025-09-02T08:02:34.108000", "created": "2025-08-03T08:25:07.135000", "tags": [ "united", "search", "entries", "unknown ns", "ip address", "creation date", "record value", "date", "showing", "moved", "body", "encrypt", "lowfi", "trojanspy", "checkin", "passive dns", "trojan", "next associated", "cryp", "win32", "phishing", "virtool", "hstr", "backdoor", "ipv4", "pulse pulses", "associated urls", "show", "date checked", "url hostname", "server response", "google safe", "results feb", "header http2", "accept encoding", "gmt related", "domains show", "domain related", "response ip", "address google", "safe browsing", "entries http", "scans show", "title", "link", "present mar", "meta", "starfield", "dynamicloader", "qaeaav12", "medium", "high", "malware", "windows wget", "qbeipbdii", "write", "suspicious", "copy", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "unknown", "yara detections", "filehash", "sha256 add", "av detections", "ids detections", "alerts", "analysis date", "file score", "oinetsim", "oudevelopment", "write c", "demo", "mtb sep", "trojandropper", "cookie", "path max", "age86400 set", "win32qqpass sep", "results aug", "script urls", "script domains", "a domains", "cache control", "cache status", "fury", "zenedge", "present jun", "present dec", "present jan", "present nov", "for privacy", "present may", "name servers", "no expiration", "filehashmd5", "filehashsha256", "filehashsha1", "iocs", "extract", "enter source", "url or", "text drag", "drop or", "domain", "expiration", "url http", "hostname", "email abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 459, "FileHash-MD5": 553, "FileHash-SHA256": 1042, "URL": 1426, "hostname": 476, "domain": 521, "email": 3, "SSLCertFingerprint": 1 }, "indicator_count": 4481, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojandropper:win32/cutwail.gen", "Win.malware.snojan-6775202-0", "Win32/qqpass", "Trojanspy:win32/bancos.di", "Trojan:win32/formbook!mtb", "Formbook" ], "industries": [], "unique_indicators": 5677 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/anfibiaplantula.com", "whois": "http://whois.domaintools.com/anfibiaplantula.com", "domain": "anfibiaplantula.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6a19ab3077e26f1ba3c8cd51", "name": "Credit Q.Vashti \"Unknown - Established hacker group. Affects banking\" clone", "description": "", "modified": "2026-05-31T05:26:42.780000", "created": "2026-05-29T15:05:20.198000", "tags": [ "united", "search", "entries", "unknown ns", "ip address", "creation date", "record value", "date", "showing", "moved", "body", "encrypt", "lowfi", "trojanspy", "checkin", "passive dns", "trojan", "next associated", "cryp", "win32", "phishing", "virtool", "hstr", "backdoor", "ipv4", "pulse pulses", "associated urls", "show", "date checked", "url hostname", "server response", "google safe", "results feb", "header http2", "accept encoding", "gmt related", "domains show", "domain related", "response ip", "address google", "safe browsing", "entries http", "scans show", "title", "link", "present mar", "meta", "starfield", "dynamicloader", "qaeaav12", "medium", "high", "malware", "windows wget", "qbeipbdii", "write", "suspicious", "copy", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "unknown", "yara detections", "filehash", "sha256 add", "av detections", "ids detections", "alerts", "analysis date", "file score", "oinetsim", "oudevelopment", "write c", "demo", "mtb sep", "trojandropper", "cookie", "path max", "age86400 set", "win32qqpass sep", "results aug", "script urls", "script domains", "a domains", "cache control", "cache status", "fury", "zenedge", "present jun", "present dec", "present jan", "present nov", "for privacy", "present may", "name servers", "no expiration", "filehashmd5", "filehashsha256", "filehashsha1", "iocs", "extract", "enter source", "url or", "text drag", "drop or", "domain", "expiration", "url http", "hostname", "email abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "688f1ce317fc8b3f9d5d5f33", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 459, "FileHash-MD5": 553, "FileHash-SHA256": 1042, "URL": 1429, "hostname": 478, "domain": 521, "email": 3, "SSLCertFingerprint": 1, "JA3": 1 }, "indicator_count": 4487, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68b81d14b78bfc09f117f169", "name": "Signed Exchanges on Google Search | Google Search Central Documentation: Google for Developers", "description": "Signed Exchanges on Google Search | Google Search Central Documentation: Google for Developers | Googlebot | Matches a pattern and is related to a network of \nfoundations and business websites affected by . spyware, or bot networks, many involve social engineering, hacking , online phishing. Researching commonly reveals monitored target/s. (most, not all businesses operating even if temporary)", "modified": "2025-10-03T04:01:28.777000", "created": "2025-09-03T10:48:52.736000", "tags": [ "google search", "google sxg", "javascript", "google", "sxgs", "googlebot", "html", "paint", "implement sxg", "chrome", "ipv4", "path max", "age86400 set", "cookie", "script urls", "passive dns", "script domains", "united", "mtb sep", "trojandropper", "win32qqpass sep", "trojan", "url hostname", "server response", "ip address", "results jul", "learn", "command", "suspicious", "informative", "ck id", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "sha1", "sha256", "click", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "pattern match", "mitre att", "ck matrix", "ascii text", "network traffic", "t1071", "t1057", "general", "local", "path", "pehash external", "api key", "comments", "vendor finding", "notes clamav", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "delphi", "win32", "powershell", "adult content", "call", "monitoring", "monitored target" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "TrojanDropper:Win32/Cutwail.gen", "display_name": "TrojanDropper:Win32/Cutwail.gen", "target": "/malware/TrojanDropper:Win32/Cutwail.gen" }, { "id": "trojan:Win32/Formbook!MTB", "display_name": "trojan:Win32/Formbook!MTB", "target": "/malware/trojan:Win32/Formbook!MTB" }, { "id": "TrojanSpy:Win32/Bancos.DI", "display_name": "TrojanSpy:Win32/Bancos.DI", "target": "/malware/TrojanSpy:Win32/Bancos.DI" }, { "id": "Win32/QQpass", "display_name": "Win32/QQpass", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0033", "name": "Lateral Movement", "display_name": "TA0033 - Lateral Movement" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 250, "domain": 83, "hostname": 115, "FileHash-MD5": 149, "FileHash-SHA256": 334, "FileHash-SHA1": 149, "email": 1 }, "indicator_count": 1081, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "240 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688fa1290b459ca0e307fcbd", "name": "http://www.jeffreyrusertjeffersoncounty.net/", "description": "Does this mean a someone who SA\u2019d and critically injured someone was given legal access to also spy on his victim? \nFurther investigation needed. Now ther is a little phone symbol blinking on my device. Weirdness.", "modified": "2025-09-02T10:03:26.815000", "created": "2025-08-03T17:49:29.657000", "tags": [ "status", "creation date", "date", "domain add", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as396982", "whois registrar", "pulses", "related tags", "indicator facts", "historical otx", "pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "mitre att", "ck techniques", "spawns", "falcon sandbox", "hybrid", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ascii text", "size", "null", "refresh", "body", "span", "august", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "config", "runner", "us seen", "general info", "geo kansas", "city", "missouri", "united", "as396982", "us note", "route", "ptr record", "live", "november", "value emails", "dnssec", "domain name", "llc status", "whois server", "showing", "entries", "olet", "encrypt", "cnr3", "cnr10", "cnr11", "ilike search", "id logged", "common name", "issuer name", "encrypt https", "expired", "key usage", "tls web", "identifier", "search criteria", "timestamp entry", "log operator", "log url", "google https", "poison", "info", "certificate", "linter", "precertificate", "tls server", "subject dn", "ascii", "sha256 hash", "graph", "sectigo https", "ca mechanism", "provider status", "revocation date", "log id", "criteria id", "16566017041", "summary leaf", "15317728412", "15385730680", "sequence", "octet string", "pkcs", "integer", "null bit", "string", "boolean", "pkix key", "pkix", "observed" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 69, "URL": 226, "hostname": 64, "email": 1, "FileHash-SHA256": 143, "FileHash-MD5": 28, "FileHash-SHA1": 35, "CIDR": 1, "SSLCertFingerprint": 4 }, "indicator_count": 571, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688f1ce317fc8b3f9d5d5f33", "name": "Unknown - Established hacker group. Affects banking, financial and much more.", "description": "Crowdsourced. Identifies as a Dark Web gang stalking entity. Research suggests that this is a very organized, possibly quasi governmental entity with shadowy state figures that social engineer targets. Even though they have been considered scammers and they are grifters, they are very established, dangerous and a very large force with claims of military alignments which has not yet been fully confirmed.\n\nThis group is anything you want them to be, attorney, accountant, technician, nurse, uber driver.", "modified": "2025-09-02T08:02:34.108000", "created": "2025-08-03T08:25:07.135000", "tags": [ "united", "search", "entries", "unknown ns", "ip address", "creation date", "record value", "date", "showing", "moved", "body", "encrypt", "lowfi", "trojanspy", "checkin", "passive dns", "trojan", "next associated", "cryp", "win32", "phishing", "virtool", "hstr", "backdoor", "ipv4", "pulse pulses", "associated urls", "show", "date checked", "url hostname", "server response", "google safe", "results feb", "header http2", "accept encoding", "gmt related", "domains show", "domain related", "response ip", "address google", "safe browsing", "entries http", "scans show", "title", "link", "present mar", "meta", "starfield", "dynamicloader", "qaeaav12", "medium", "high", "malware", "windows wget", "qbeipbdii", "write", "suspicious", "copy", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "unknown", "yara detections", "filehash", "sha256 add", "av detections", "ids detections", "alerts", "analysis date", "file score", "oinetsim", "oudevelopment", "write c", "demo", "mtb sep", "trojandropper", "cookie", "path max", "age86400 set", "win32qqpass sep", "results aug", "script urls", "script domains", "a domains", "cache control", "cache status", "fury", "zenedge", "present jun", "present dec", "present jan", "present nov", "for privacy", "present may", "name servers", "no expiration", "filehashmd5", "filehashsha256", "filehashsha1", "iocs", "extract", "enter source", "url or", "text drag", "drop or", "domain", "expiration", "url http", "hostname", "email abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 459, "FileHash-MD5": 553, "FileHash-SHA256": 1042, "URL": 1426, "hostname": 476, "domain": 521, "email": 3, "SSLCertFingerprint": 1 }, "indicator_count": 4481, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://anfibiaplantula.com/cgi-sys/suspendedpage.cgi", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://anfibiaplantula.com/cgi-sys/suspendedpage.cgi", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780270725.7238932 }