{ "type": "URL", "indicator": "https://api.ephone.ai/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://api.ephone.ai/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4136652528, "indicator": "https://api.ephone.ai/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69a2127d12dce12538b57d72", "name": "FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets ~ Apple Jacked Targets", "description": "Remote Attack - FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets.\n\nChecked search history on a targeted device and found an FBI link apparently delivered via unknown AI technology.\n|| yara detections\nzur foerderung\nA\n+ Add Tag\n\u8840\nCount: 1\nGRO Probability: 1\nText: Suricata Alerts Event\nCategory Description CID\nIND131.188.40.12g otx.alienvault.com\nlocal:49181 (TCP) Misc\nAttack ET TOR Known Tor\nRelay/Router (Not Exit)\n\"A\" | [[Next pulse will list on malware, rats , bats, Trojans used]", "modified": "2026-03-29T20:03:36.333000", "created": "2026-02-27T21:54:05.261000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5643, "domain": 700, "hostname": 1918, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9873, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa019f4509897e354fe029", "name": "credit Q Vashti Cloned Pulse ", "description": "", "modified": "2026-03-29T20:03:36.333000", "created": "2026-03-05T22:20:15.324000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": "69a2127d12dce12538b57d72", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5644, "domain": 701, "hostname": 1920, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9877, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dd9423f9208dcc8701e12e", "name": "Maktub Locker TOR Status Check \u2022 Cab \\ Drive by( dbi.com) Malicious pic", "description": "After 911 told me I was bounced to the Denver, Co Station 5 , located 45 & Peoria in Denver , Colorado , not even close. \nThe phone number changed, only 911 access. Clue: I saw an Amber alert in n target phone when I powered it on. No all notices always turned off. Made a call\non contact list and screen changed to a plain faced interface. \n\nAfter finding a mother foundry link on targets phone I grew curious about a CEO\u2019s strange story of Palantir\u2019s Karp Theil roommate situation in Law School but I could only find one picture on of them on a campus in their late 40\u2019s. He\u2019s African American mixed. The picture of his mother in hacked phone is 215 yo. No information federal oversight as CEO right? Or limited information on crazy hacked device? \n\nClicked on link then OMGness\n\n#whatIfind #onhackeddevice #targeting", "modified": "2025-10-31T19:03:21.338000", "created": "2025-10-01T20:50:43.002000", "tags": [ "iocs", "logo", "passive dns", "related tags", "none google", "ipv4", "gogle", "twitter", "x.com", "ransomware", "fbi \u2019site\u2019", "python", "cloud", "regopenkeyexw", "read c", "port", "destination", "cryptexportkey", "count read", "tor get", "malware", "write", "format", "redacted for", "server", "privacy tech", "privacy admin", "country", "postal code", "organization", "date", "email", "code", "aaaa", "value a", "key identifier", "v3 serial", "number", "cus ogoogle", "trust", "cnwe1 validity", "subject public", "key info", "key algorithm", "ec oid", "maktub", "cnc", "python-projekt", "x post", "link", "android", "iphone", "google", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "ssl certificate", "spawns", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "mitre att", "show technique", "ck matrix", "title", "path", "hybrid", "general", "local", "form", "click", "strings", "body" ], "references": [ "FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm", "Entity CLOUD14", "CLOUDFLARENET - 104.16.148.244 , 104.19.148.244", "https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2", "https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05", "Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me", "Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval", "Tor Get Server Request \u2022 TLS Handshake Failure High Priority", "Yara Detections: stack_string Alerts: dead_host", "Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters", "Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Code Virus Ransomware", "display_name": "Code Virus Ransomware", "target": null }, { "id": "AVAST- Win32:Filecoder-AD\\ [Trj]", "display_name": "AVAST- Win32:Filecoder-AD\\ [Trj]", "target": null }, { "id": "CLAMAV - Win.Malware.Cabby-6803812", "display_name": "CLAMAV - Win.Malware.Cabby-6803812", "target": null }, { "id": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn", "display_name": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn", "target": "/malware/Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 574, "domain": 147, "FileHash-MD5": 156, "FileHash-SHA1": 130, "FileHash-SHA256": 539, "URL": 982, "SSLCertFingerprint": 4, "email": 2 }, "indicator_count": 2534, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dc68684ad290e0c21a88ab", "name": "Cab / Drive by Compromise Part 2 After 1st scan results.", "description": "104.16.148.244\n, \n104.16.149.244\nLocation\n\nUnited States\nASN\nAS13335 cloudflare\nNameservers\nns-cloud-e4.googledomains.com.\n, \nns-cloud-e1.googledomains.com.\n, \nns-cloud-e3.googledomains.com.\n, \nns-cloud-e2.googledomains.com.\nWhois:\n\n\nDomain Name\tFBI.GOV\nStatus\tACTIVE\n\n Whitelisted\t\tA\t\t2025-09-10 07:17\t2025-09-10 07:17\t\tcountry flag United States\n Whitelisted\t\tAAAA\t\t2025-08-24 05:36\t2025-08-24 05:36\t\tcountry flag United States\n\nhttps://le.fbi.gov\t\tConnection Error\t\tNot Present\t\nSep 30, 2025\thttps://littlerock.fbi.gov\t\t\n[Lol, OTX auto populated: A summary of key facts and statistics about a cyber-attack on the US government, as compiled by the Department of Homeland Security (DHS) and the Office of National Statistics (OBS).]", "modified": "2025-10-30T00:02:15.510000", "created": "2025-09-30T23:31:52.265000", "tags": [ "present sep", "united", "ip address", "aaaa", "next associated", "location united", "asn as13335", "less", "pulses" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 42, "domain": 31, "hostname": 46, "URL": 71 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "171 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "By remote view of NEW targeys view, all key calls are routed through him.", "I need some help.", "We have foot soldiers. Be aware", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "target.id \u2022 tostring.call \u2022 title.search", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "Attacker being used by several legal entities attacking a target\u2019s family", "Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http", "https://www.justice.gov/opa/pr/departmen.t", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97", "Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception", "Some Colorado communities have been taken over by the State Government", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "accenture.cn", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "Hours after files were deemed malicious. We powered on targeted Smart TV", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "Uses code, no phone calls. Connected via instagram.", "CLOUDFLARENET - 104.16.148.244 , 104.19.148.244", "Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "https://api.manus.im/api/oauth2_callback/apple", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "marriott-control-prd.accenture.cn", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2", "http://truefoundry.prodigaltech.com/", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Palantir still has a presence in Colorado", "A man claiming to have the name Sebastian is communicating with targets love one", "http://www.internationalfrontier.com", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "git.spywarewatchdog.org", "Tipped of new looming airline threats", "https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05", "Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval", "Connects to all NEW targets key contacts main targets contacts.", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters", "marriott-datacenter-prd.accenture.cn", "https://apple.btprmjo.cc/", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "Tor Get Server Request \u2022 TLS Handshake Failure High Priority", "internationalfrontier.com", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Accurately tipped about air travel safety. In past. Proven true.", "Yara Detections: stack_string Alerts: dead_host", "Entity CLOUD14", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Code virus ransomware", "Avast- win32:filecoder-ad\\ [trj]", "Node traffic", "Clamav - win.malware.cabby-6803812", "Ms defender - trojandownloader:win32/dalexis!rfn!rfn" ], "industries": [], "unique_indicators": 11956 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/ephone.ai", "whois": "http://whois.domaintools.com/ephone.ai", "domain": "ephone.ai", "hostname": "api.ephone.ai" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69a2127d12dce12538b57d72", "name": "FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets ~ Apple Jacked Targets", "description": "Remote Attack - FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets.\n\nChecked search history on a targeted device and found an FBI link apparently delivered via unknown AI technology.\n|| yara detections\nzur foerderung\nA\n+ Add Tag\n\u8840\nCount: 1\nGRO Probability: 1\nText: Suricata Alerts Event\nCategory Description CID\nIND131.188.40.12g otx.alienvault.com\nlocal:49181 (TCP) Misc\nAttack ET TOR Known Tor\nRelay/Router (Not Exit)\n\"A\" | [[Next pulse will list on malware, rats , bats, Trojans used]", "modified": "2026-03-29T20:03:36.333000", "created": "2026-02-27T21:54:05.261000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5643, "domain": 700, "hostname": 1918, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9873, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa019f4509897e354fe029", "name": "credit Q Vashti Cloned Pulse ", "description": "", "modified": "2026-03-29T20:03:36.333000", "created": "2026-03-05T22:20:15.324000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": "69a2127d12dce12538b57d72", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5644, "domain": 701, "hostname": 1920, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9877, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dd9423f9208dcc8701e12e", "name": "Maktub Locker TOR Status Check \u2022 Cab \\ Drive by( dbi.com) Malicious pic", "description": "After 911 told me I was bounced to the Denver, Co Station 5 , located 45 & Peoria in Denver , Colorado , not even close. \nThe phone number changed, only 911 access. Clue: I saw an Amber alert in n target phone when I powered it on. No all notices always turned off. Made a call\non contact list and screen changed to a plain faced interface. \n\nAfter finding a mother foundry link on targets phone I grew curious about a CEO\u2019s strange story of Palantir\u2019s Karp Theil roommate situation in Law School but I could only find one picture on of them on a campus in their late 40\u2019s. He\u2019s African American mixed. The picture of his mother in hacked phone is 215 yo. No information federal oversight as CEO right? Or limited information on crazy hacked device? \n\nClicked on link then OMGness\n\n#whatIfind #onhackeddevice #targeting", "modified": "2025-10-31T19:03:21.338000", "created": "2025-10-01T20:50:43.002000", "tags": [ "iocs", "logo", "passive dns", "related tags", "none google", "ipv4", "gogle", "twitter", "x.com", "ransomware", "fbi \u2019site\u2019", "python", "cloud", "regopenkeyexw", "read c", "port", "destination", "cryptexportkey", "count read", "tor get", "malware", "write", "format", "redacted for", "server", "privacy tech", "privacy admin", "country", "postal code", "organization", "date", "email", "code", "aaaa", "value a", "key identifier", "v3 serial", "number", "cus ogoogle", "trust", "cnwe1 validity", "subject public", "key info", "key algorithm", "ec oid", "maktub", "cnc", "python-projekt", "x post", "link", "android", "iphone", "google", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "ssl certificate", "spawns", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "mitre att", "show technique", "ck matrix", "title", "path", "hybrid", "general", "local", "form", "click", "strings", "body" ], "references": [ "FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm", "Entity CLOUD14", "CLOUDFLARENET - 104.16.148.244 , 104.19.148.244", "https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2", "https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05", "Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me", "Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval", "Tor Get Server Request \u2022 TLS Handshake Failure High Priority", "Yara Detections: stack_string Alerts: dead_host", "Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters", "Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Code Virus Ransomware", "display_name": "Code Virus Ransomware", "target": null }, { "id": "AVAST- Win32:Filecoder-AD\\ [Trj]", "display_name": "AVAST- Win32:Filecoder-AD\\ [Trj]", "target": null }, { "id": "CLAMAV - Win.Malware.Cabby-6803812", "display_name": "CLAMAV - Win.Malware.Cabby-6803812", "target": null }, { "id": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn", "display_name": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn", "target": "/malware/Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 574, "domain": 147, "FileHash-MD5": 156, "FileHash-SHA1": 130, "FileHash-SHA256": 539, "URL": 982, "SSLCertFingerprint": 4, "email": 2 }, "indicator_count": 2534, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dc68684ad290e0c21a88ab", "name": "Cab / Drive by Compromise Part 2 After 1st scan results.", "description": "104.16.148.244\n, \n104.16.149.244\nLocation\n\nUnited States\nASN\nAS13335 cloudflare\nNameservers\nns-cloud-e4.googledomains.com.\n, \nns-cloud-e1.googledomains.com.\n, \nns-cloud-e3.googledomains.com.\n, \nns-cloud-e2.googledomains.com.\nWhois:\n\n\nDomain Name\tFBI.GOV\nStatus\tACTIVE\n\n Whitelisted\t\tA\t\t2025-09-10 07:17\t2025-09-10 07:17\t\tcountry flag United States\n Whitelisted\t\tAAAA\t\t2025-08-24 05:36\t2025-08-24 05:36\t\tcountry flag United States\n\nhttps://le.fbi.gov\t\tConnection Error\t\tNot Present\t\nSep 30, 2025\thttps://littlerock.fbi.gov\t\t\n[Lol, OTX auto populated: A summary of key facts and statistics about a cyber-attack on the US government, as compiled by the Department of Homeland Security (DHS) and the Office of National Statistics (OBS).]", "modified": "2025-10-30T00:02:15.510000", "created": "2025-09-30T23:31:52.265000", "tags": [ "present sep", "united", "ip address", "aaaa", "next associated", "location united", "asn as13335", "less", "pulses" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 42, "domain": 31, "hostname": 46, "URL": 71 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "171 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://api.ephone.ai/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://api.ephone.ai/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776640744.125959 }