{ "type": "URL", "indicator": "https://api.kinoffond.us", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://api.kinoffond.us", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4134419186, "indicator": "https://api.kinoffond.us", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "69d8a665177b8f64c7ce5fca", "name": "LibraryLoader \u2022 Samuel Tulach | Abuse of malicious sssets engineered by DevOp & Security Researcher", "description": "Samuel Tulach is involved in various projects related to government work, particularly in areas like DevSecOps and app modernization. \nOverview of Samuel Tulach's \"uploader.exe\"\nThe file \"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines. This classification indicates that the file poses a potential threat to users' systems.\nSecurity Engine Flags. Several security engines have flagged \"uploader.exe\" as malicious.\nSecureAge APEX\tMalicious\nSentinelOne\tMalicious\nImplications of Malicious Flags\nPotential Risks: Files flagged as malicious can lead to various security issues, including data theft, unauthorized access, or system damage.\nRecommended Actions: Users should avoid downloading or executing this file. If already downloaded, it is advisable to delete it and run a full system scan using reputable antivirus software.", "modified": "2026-04-10T07:27:33.587000", "created": "2026-04-10T07:27:33.587000", "tags": [ "x vercel", "united", "america", "germany malware", "family", "ck ids", "packing", "tulach", "ocsp", "extraction", "data upload", "enter sc", "extra data", "include review", "exclude sugges", "find s", "failed", "typ no", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "pattern match", "mitre att", "ascii text", "span", "title", "meta", "path", "april", "hybrid", "general", "local", "encrypt", "click", "strings", "main", "footer", "pcsb", "naga", "magda", "no expiration", "url https", "domain", "github pages", "a domains", "passive dns", "mtb jan", "class", "sea x", "accept encoding", "trojanspy", "accept", "otx logo", "all ipv4", "urls", "files", "america flag", "space", "ck matrix", "handle", "winvmaddress", "cdecl crashpad", "null", "software", "comment", "entity", "internal", "blank", "magic", "infinity", "first", "valentine", "error", "webview", "front", "patched", "root", "tristate", "libraryloader", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "filehash", "win32", "malware", "write", "backdoor", "present apr", "lowfi", "aaaa", "lowfijavazkm", "x.com", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "ff d5", "yara rule", "f0 ff", "eb e1", "unknown", "trojan", "zeppelin", "autorun", "united states", "china unknown", "div div", "ip address", "record value", "samuel tulach", "czechia unknown", "italy unknown", "gmt server", "all domain", "next associated", "reverse dns", "location czech", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "file type", "telfhash", "virustotal api", "vendor finding", "notes clamav", "files matching", "number", "t1045", "search", "directui", "element", "medium", "classinfobase", "value", "write c", "hwndhost", "sapeav12", "worm", "explorer", "insert", "movie", "mtb apr", "mtb mar", "trojandropper", "displayname", "windows", "high", "delete c", "tofsee", "stream", "push", "url http", "c mar", "virtool", "c jan", "c dec", "toolbar", "ransom", "article", "windows nt", "gmtvia", "html", "bad traffic", "et info", "tls handshake", "belgium", "present dec", "present feb", "intel", "elf upx", "medium risk", "info", "moved", "hostname add", "whois registrar", "media", "delphi", "guard", "code", "devsecops", "github", "github internet", "archive samuel", "tulach", "government work", "key areas", "devops process", "security engine", "flags", "apex malicious", "implications", "malicious flags", "potential risks", "name servers", "apple id", "script urls", "show process", "secure", "win64", "khtml", "gecko", "programfiles", "cookie", "comspec", "model", "june", "spawns", "id name", "malicious", "gui", "anti cheats", "game tech", "c++" ], "references": [ "https://nextcloud.tulach.cc/ \u2022 https://nextcloud.tulach.cc/", "bleepingcomputer.com \u2022 CliffsNotes", "x.com - Malware Packed", "nr-data.net \u2022 www.youtube.com", "Alerts network_icmp allocates_rwx packer_entropy pe_features pe_unknown_resource_name Related Pulses", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "discord.com \u2022 discord.gg", "api.item.yixun.com", "Unix.Trojan.Mirai-9441505-0 Yara Detections is__elf \u2022 217.11.249.145", "Domains Contacted: fenbushijujuefuwu.com", "angryblackwomyn.com", "https://medium.com/the-pink/how-a-white-womans-anger-makes-her-racism-spill-out-563853905a42", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/41ad1d349716b3e62f914c0907323ae8e0a37198d237a02d71a0d5e05ffaa727", "https://www.forpsi.com domain forpsi.com\t Domain asp.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "www.youtube.com/watch?v=GyuMozsVyYs (why would targets channel be controlled by Tulach)", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw", "x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290", "cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz", "porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop", "https://api.w.org/ \u2022 api.w.org", "remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png", "https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-assets-Twitter.b90ee19de735e00fb4a0.js", "developer.x.com \u2022 https://twitter.com/githubstatus", "https://twitter.com/juvlarN", "appleid.cdn-apple.com", "https://static.digitecgalaxus.ch/Files/communication/app-download-badges/apple_email_rasterized_2x/fr.png", "Samuel Tulach , an engineer writes about game security, Unity engine, and anti-cheat systems on his blog at tulach.cc", "Mr. Tulach \u2022 known for his work in cybersecurity, particularly in reverse engineering & malware analysis", "\"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines", "Due to Samuel Tulach\u2019s good reputation , assume his assets are being abused by threat actors targeting", "I haven\u2019t yet concluded why Tulach.cc is deeply interwoven in a malicious media campaign", "Samuel Tulach\u2019s assets have been tightly connected to M. Brian Sabey, Esq", "The next pulse will show Apple IoC\u2019s related to Tulach.cc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LibraryLoader", "display_name": "LibraryLoader", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "target": null }, { "id": "Win.Packed.Botx-10021462-0", "display_name": "Win.Packed.Botx-10021462-0", "target": null }, { "id": "Win.Malware.Cymt-10023133-0", "display_name": "Win.Malware.Cymt-10023133-0", "target": null }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Generickdz-9937235-0", "display_name": "Win.Malware.Generickdz-9937235-0", "target": null }, { "id": "Win.Malware.Razy-6979265-0", "display_name": "Win.Malware.Razy-6979265-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "SLF:Win32/Elenquay.A", "display_name": "SLF:Win32/Elenquay.A", "target": "/malware/SLF:Win32/Elenquay.A" }, { "id": "Win.Dropper.QuasarRAT-10023124-0", "display_name": "Win.Dropper.QuasarRAT-10023124-0", "target": null }, { "id": "Win.Trojan.Zegost-9769410-0", "display_name": "Win.Trojan.Zegost-9769410-0", "target": null }, { "id": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "display_name": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "target": null }, { "id": "Win.Malware.Moonlight-9919383-0", "display_name": "Win.Malware.Moonlight-9919383-0", "target": null }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#LowfiJavaZKM", "display_name": "#LowfiJavaZKM", "target": null }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Html.Trojan.Ascii212_44_64_202-1", "display_name": "Html.Trojan.Ascii212_44_64_202-1", "target": null }, { "id": "ALFPER:HSTR:WizremURL.A1", "display_name": "ALFPER:HSTR:WizremURL.A1", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Win.Malware.Midie-6847893-0", "display_name": "Win.Malware.Midie-6847893-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Malware.Aauto-9839281-0", "display_name": "Win.Malware.Aauto-9839281-0", "target": null }, { "id": "Win.Trojan.Agent-1371484", "display_name": "Win.Trojan.Agent-1371484", "target": null }, { "id": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "display_name": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "display_name": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2710, "domain": 1227, "hostname": 1206, "FileHash-SHA256": 3867, "IPv4": 318, "FileHash-MD5": 593, "FileHash-SHA1": 459, "IPv6": 1, "SSLCertFingerprint": 19, "email": 20, "CVE": 1 }, "indicator_count": 10421, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6907cc66855b7dfe1306b0d8", "name": "Inject : Defense Counsel attaches to Apple Notebooks - Targeting", "description": "TAM Legal attacking Tsara Brashears and associated. Christopher P. Ahmann Esq Is the Special Counsel assigned to pester , smear, tamper with, terrorize, arrange murders, dispatch stalkers, deny care, swatting , botnets, attach to devices , deflect award for life ending injuries to you and your Mafia, choose malicious media companies (Hall Render) to smear Jeffrey Scott Reimers assault victim. This is silencing. Not everyone has someone to speak. Back off. You\u2019re sick. Enjoying that money, while Tsara slept on air mattress during a couch tour. Demyelinating, from denied disclosed of cord compression; like George Floyd. You should turn yourself in, write a HUGA check , shut down this criminal operation , find Jesus , self exit to a place out away from you targets , go to your bunker forever. You are a God Forsaken terrorist hitman! You\u2019re all SO sick!\nEnd Game Now.", "modified": "2026-01-01T07:03:18.851000", "created": "2025-11-02T21:25:58.814000", "tags": [ "present nov", "unknown aaaa", "ip address", "win32", "america asn", "twitter", "united states", "america", "ipv4", "united", "a domains", "443 ma86400", "super", "read c", "memcommit", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "regsetvalueexa", "hack", "write", "february", "local", "unknown", "persistence", "execution", "xport", "kb body", "present aug", "present sep", "present oct", "for privacy", "false", "expirestue", "path", "p2404", "accept", "p11762282638", "host", "gmt range", "gmt ifnonematch", "p11762466264", "p11762417453", "nothing", "shutdown", "process32nextw", "langturkish", "sublangdefault", "regdword", "rtrcdata", "microsoft excel", "delphi", "worm", "malware", "error", "next", "format", "suspicious", "less see", "contacted", "all ip", "domains", "all related", "pulses otx", "related tags", "file type", "pexe", "christopher ahmann", "tam legal", "treece", "hacking", "highjacking", "modified", "quasi government", "ai google", "inject", "adversaries", "government", "insurance", "apple" ], "references": [ "External Apple Connection: Notepad.pw", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "http://www.mohurd.gov.cn.lxcvc.com/", "config.uca.cloud.unity3d.com", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "sipphone.com", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq" ], "public": 1, "adversary": "TAM Legal Christopher P. Ahmann Chief Terrorist", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.004bf-6866449-0", "display_name": "Win.Malware.004bf-6866449-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Worn:Win32/AutoRun.XXY!bit", "display_name": "Worn:Win32/AutoRun.XXY!bit", "target": "/malware/Worn:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2615, "URL": 7521, "hostname": 1775, "domain": 689, "FileHash-MD5": 448, "FileHash-SHA1": 295, "SSLCertFingerprint": 12, "email": 1 }, "indicator_count": 13356, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e9b142a8508d5257d1662", "name": "Criminal Defender Chris Ahmann responsible for continued Apple hackathons removing IoC\u2019 l Targeting Tsara Brashears evidence of crime . Hit Man", "description": "", "modified": "2026-01-01T07:03:18.851000", "created": "2025-12-02T07:53:56.560000", "tags": [ "present nov", "unknown aaaa", "ip address", "win32", "america asn", "twitter", "united states", "america", "ipv4", "united", "a domains", "443 ma86400", "super", "read c", "memcommit", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "regsetvalueexa", "hack", "write", "february", "local", "unknown", "persistence", "execution", "xport", "kb body", "present aug", "present sep", "present oct", "for privacy", "false", "expirestue", "path", "p2404", "accept", "p11762282638", "host", "gmt range", "gmt ifnonematch", "p11762466264", "p11762417453", "nothing", "shutdown", "process32nextw", "langturkish", "sublangdefault", "regdword", "rtrcdata", "microsoft excel", "delphi", "worm", "malware", "error", "next", "format", "suspicious", "less see", "contacted", "all ip", "domains", "all related", "pulses otx", "related tags", "file type", "pexe", "christopher ahmann", "tam legal", "treece", "hacking", "highjacking", "modified", "quasi government", "ai google", "inject", "adversaries", "government", "insurance", "apple" ], "references": [ "External Apple Connection: Notepad.pw", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "http://www.mohurd.gov.cn.lxcvc.com/", "config.uca.cloud.unity3d.com", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "sipphone.com", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq" ], "public": 1, "adversary": "TAM Legal Christopher P. Ahmann Chief Terrorist", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.004bf-6866449-0", "display_name": "Win.Malware.004bf-6866449-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Worn:Win32/AutoRun.XXY!bit", "display_name": "Worn:Win32/AutoRun.XXY!bit", "target": "/malware/Worn:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6907cc66855b7dfe1306b0d8", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2615, "URL": 7437, "hostname": 1765, "domain": 686, "FileHash-MD5": 448, "FileHash-SHA1": 295, "SSLCertFingerprint": 12, "email": 1 }, "indicator_count": 13259, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e2d950ac7d1e2a3454a4f", "name": "Gooogle Accounts | Drive-by Compromise \u2022 Ransomware \u2022 Phishing Attack", "description": "Google accounts Drive-by Compromise. Affected Google accounts redirects to a suspicious non - Google homepage. |\nRansomware | Adware | Phishing | Injection | \nExploits seen affecting both OS and iOS devices. Threat actors able to remotely access iOS device, unlock, access iCloud. System root control, fully infected devices, Attackers continue to ravage devices w/ drive by compromise, unsafe adware, malware text, etc., Seeks to remove malicious IoC\u2019s on mock accounts , password stealers", "modified": "2025-12-31T23:04:59.378000", "created": "2025-12-02T00:06:45.807000", "tags": [ "iocs", "drop", "network traffic", "ck id", "mitre att", "ck matrix", "network related", "detected", "t1566", "t1204", "united", "click", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "learn", "suspicious", "informative", "name tactics", "adversaries", "command", "initial access", "spawns", "found", "binary file", "t1189", "regsetvalueexa", "regdword", "post http", "medium", "high", "regbinary", "loader", "dock", "write", "malware", "unknown", "romania unknown", "present may", "msie", "chrome", "body", "passive dns", "ip address", "present jun", "welcome", "accept", "encrypt", "gmt content", "ipv4 add", "url analysis", "urls", "files", "reverse dns", "unknown aaaa", "certificate", "hostname add", "error", "flag", "domain address", "contacted hosts", "type", "india unknown", "record value", "body html", "head title", "title", "entries", "read c", "high defense", "evasion", "yara detections", "virtool", "win32", "ahmann", "hacker group", "law firm", "order", "google", "smart assembly" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VirTool:MSIL/Injector.BF", "display_name": "VirTool:MSIL/Injector.BF", "target": "/malware/VirTool:MSIL/Injector.BF" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 112, "FileHash-SHA256": 589, "URL": 1795, "SSLCertFingerprint": 3, "domain": 319, "hostname": 847, "email": 1 }, "indicator_count": 3781, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68db395368d6c4042517f3f3", "name": "Target Saver M1 Agent TSA Spy \u2022 Mastadon - Hit Tip! Thanks!", "description": "Hot Tip! I would love to give a shout out to the person who provided this information, I\u2019m not sure if they want to remain anonymous or not. Thank SO Much!\n\nSpyware and a source for distributing malicious media. Complete foothold\non networks, browsers, phones, search history and everything, massive streaming pornography distributed, members and contributors. \n\nVery important tip. I will analyze and break down into digestible pulse sizes.", "modified": "2025-12-27T15:01:22.545000", "created": "2025-09-30T01:58:43.592000", "tags": [ "http traffic", "match info", "http get", "info performs", "dns query", "https http", "mitre att", "evasion ta0005", "creates", "info", "oc0006 http", "wininet c0005", "resolved ips", "get http", "html document", "unicode text", "dynamicloader", "fe ff", "medium", "x00bx00", "uswv", "k uswv", "search", "high", "delete c", "yara detections", "redline", "guard", "write", "united", "present sep", "aaaa", "passive dns", "urls", "next associated", "found", "x content", "hacktool", "trojan", "error", "lowfi", "win32", "worm", "ip address", "mtb apr", "ransom", "virtool", "ain add", "directui", "element", "classinfobase", "ccbase", "hwndhost", "yara rule", "hpavvalue", "qaejh", "name servers", "cryp", "emails", "next related", "domain related", "no expiration", "url http", "url https", "indicator role", "hostname", "email", "present jun", "present aug", "present jul", "servers", "title", "encrypt", "altsvc h3", "date tue", "acceptranges", "reportto", "server", "gmt expires", "gmt contenttype", "script", "expiresthu", "maxage63072000", "pragma", "google safe", "unknown ns", "files", "location united", "asn as15169", "trojandropper", "susp", "creation date", "asn as133618", "tags", "related tags", "indicator facts", "backdoor", "ipv4 add", "click", "artro", "target saver", "trojanspy", "reverse dns", "america flag", "443 ma2592000", "hostname add", "verdict", "present mar", "present jan", "present dec", "present apr", "ipv4", "type indicator", "role title", "related pulses", "iocs", "moved", "downloads", "apple", "microsoft", "hexagonsystem", "mastadon", "status", "twitter", "gmt content", "easyredir cache", "v4 add", "redacted for", "privacy tech", "privacy admin", "registrar abuse", "available from", "algorithm", "key identifier", "x509v3 subject", "entity", "code", "date", "dnssec", "showing", "unknown aaaa", "sha256", "sha1", "ascii text", "ck id", "show technique", "ck matrix", "meta", "hybrid", "general", "local", "path", "strings", "copy md5", "copy sha1", "copy sha256", "certificate" ], "references": [ "FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63", "mastodon.social", "https://families.google/intl/pt-PT_ALL/familylink/", "http://service.adultprovide.com/docs/records.htm?site=bigtitsboss", "slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com", "https://discuss.ai.google.dev/c/gemma/10", "https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png", "https://m.bigwetbutts.com/ tmi", "Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89", "Mirai: simswap.in", "66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com", "https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com", "https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02", "display_name": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02", "target": null }, { "id": "Win.Ransomware.Bitman-9862733-0", "display_name": "Win.Ransomware.Bitman-9862733-0", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Target Saver", "display_name": "Target Saver", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Hacktool", "display_name": "Hacktool", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [ "Media", "Legal", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2964, "hostname": 1164, "URL": 4334, "domain": 956, "FileHash-MD5": 476, "FileHash-SHA1": 451, "CVE": 1, "email": 20, "SSLCertFingerprint": 2 }, "indicator_count": 10368, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e32dd0c55bf224eb99dd58", "name": "Appspot.com - Google account fraud & infostealing", "description": "Fake Google email accounts. I\u2019ve reviewed a handful of targets with this issue. If starting with a new device, signed up for a new google account,\nthe users are automatically logged out, forced to sign in again, checked security features where you can see an unauthorized autonomous general\nphone, or iPhone or MacBook was also signed in in a different location. Even if you delete the device or email account, I\u2019ve seen the intruder handle CnC of all backups of photos and clouds. \n\n\n\n[OTX auto populated - The full list of domain names: APPSPot.COM.com, which was created on the same day as the Google search engine, has been published by the internet regulator, the IANA.]", "modified": "2025-11-05T01:01:26.928000", "created": "2025-10-06T02:47:44.098000", "tags": [ "aaaa", "susp", "trojan", "google", "server", "domain status", "registrar abuse", "domain name", "us registrant", "email", "contact email", "rdap database", "google app", "google hosted", "please", "vulnerabilities", "join", "bring", "api explorer", "engine", "admin sdk", "info", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "ssl certificate", "ascii text", "united", "pattern match", "mitre att", "general", "local", "path", "click", "strings", "porn", "phishing", "fraud", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "download", "apt", "ansi", "dumps", "file string", "seen", "disabled hash", "close", "hosts", "contact", "tellwise", "passive dns", "urls", "pulse pulses", "files", "verdict", "domain", "files ip", "address", "location united", "asn as15169", "extraction", "data upload", "extra", "referen http", "changed data", "failed", "include review", "t07 exclude", "extri data", "changed", "exclude", "find s", "tvnes data", "status", "present nov", "name servers", "entries", "geoid no", "present dec", "date", "error", "title", "sugges", "typ no", "no entrieotound", "scam", "foundry", "sabey type", "denver", "quasi", "phoenix", "australia" ], "references": [ "appspot.com \u2022 hyper7install.appspot.com", "https://hybrid-analysis.com/sample/c61237fcb798f05e6af32a6aa13f8e795aac47559d601eb7f93ad65bcf58b418/68e30c476b91a8000b0dd786", "http://acounts.google.com/v/signin/identifier?continue=hts%253%252F2Fconsole.cloud.google.com2Fapengine&dsh=5-1106814258%2539876543210", "Changed last several digits of gmail account # In example", "http://console.cloud.google.com/appengine", "https://310940000.android.com.twitter.android.adsenseformobileapps.com/", "https://www.netify.ai/resources/domains \u2022 192-168-0-21.3pt3m9ng2hf.ddns.manage.alta.inc", "device-local-de06e551-6b23-4aa3-bb67-6972ae6d30b5.remotewd.com 192.168.0.21", "116e33e0-8832-11ec-aef5-99a1d044639a-local.solinkcloud.com", "jaycobundaberg.eclipseaurahub.com.au 192.168.0.21", "grafana.ledocloud.com\u2022 192.168.0.21", "192-168-0-21.siliconevalley1.direct.quickconnect.to" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32/Madang", "display_name": "Win32/Madang", "target": null }, { "id": "Win.Downloader.Small-1966", "display_name": "Win.Downloader.Small-1966", "target": null }, { "id": "Win32:SaliCode", "display_name": "Win32:SaliCode", "target": null }, { "id": "Virtool:Win32/Vbinder.CO", "display_name": "Virtool:Win32/Vbinder.CO", "target": "/malware/Virtool:Win32/Vbinder.CO" }, { "id": "!Themida", "display_name": "!Themida", "target": null }, { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "Win32/Scrarev.C", "display_name": "Win32/Scrarev.C", "target": null }, { "id": "Trojan:MSIL/RapidStealer.A", "display_name": "Trojan:MSIL/RapidStealer.A", "target": "/malware/Trojan:MSIL/RapidStealer.A" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 222, "FileHash-MD5": 146, "FileHash-SHA1": 317, "FileHash-SHA256": 1120, "email": 3, "hostname": 881, "URL": 1338, "SSLCertFingerprint": 7 }, "indicator_count": 4034, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "165 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d37e35f99d852d38beb769", "name": "Cryptex Port Key \u2022 RedLine Stealer affects Threat Research Platform/s", "description": "#attack? #honeypot?", "modified": "2025-10-24T04:02:54.218000", "created": "2025-09-24T05:14:28.101000", "tags": [ "x00x00n", "memcommit", "regopenkeyexw", "regsz", "else", "ipnnoysrdi tr", "writeconsolew", "cryptexportkey", "invalid pointer", "x1ex00x00n", "redline stealer", "service", "powershell", "tools", "persistence", "execution", "dock", "write", "updater", "malware", "passive dns", "urls", "url add", "ip address", "related nids", "files location", "hong kong", "united", "present jul", "present dec", "search", "present may", "a domains", "name servers", "unknown aaaa", "trojan", "present jan", "present sep", "moved", "title", "span td", "td td", "tr tr", "a li", "ipv4 internet", "span", "meta", "gmt content", "ipv4 add", "reverse dns", "trojanx", "location hong kong", "software", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "development att", "ascii text", "pattern match", "mitre att", "ck matrix", "sha1", "odigicert inc", "network traffic", "general", "local", "path", "encrypt", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "crlf line", "urlhttps", "extracted files", "acquires", "networking", "readiness" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1086", "name": "PowerShell", "display_name": "T1086 - PowerShell" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 150, "FileHash-SHA1": 148, "FileHash-SHA256": 3059, "domain": 1277, "URL": 4166, "hostname": 1251, "SSLCertFingerprint": 10, "email": 1 }, "indicator_count": 10062, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "177 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw", "Domains Contacted: fenbushijujuefuwu.com", "The next pulse will show Apple IoC\u2019s related to Tulach.cc", "http://www.mohurd.gov.cn.lxcvc.com/", "remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png", "Due to Samuel Tulach\u2019s good reputation , assume his assets are being abused by threat actors targeting", "developer.x.com \u2022 https://twitter.com/githubstatus", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/41ad1d349716b3e62f914c0907323ae8e0a37198d237a02d71a0d5e05ffaa727", "FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63", "https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-assets-Twitter.b90ee19de735e00fb4a0.js", "Unix.Trojan.Mirai-9441505-0 Yara Detections is__elf \u2022 217.11.249.145", "https://hybrid-analysis.com/sample/c61237fcb798f05e6af32a6aa13f8e795aac47559d601eb7f93ad65bcf58b418/68e30c476b91a8000b0dd786", "x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290", "bleepingcomputer.com \u2022 CliffsNotes", "I haven\u2019t yet concluded why Tulach.cc is deeply interwoven in a malicious media campaign", "https://nextcloud.tulach.cc/ \u2022 https://nextcloud.tulach.cc/", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "Changed last several digits of gmail account # In example", "slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com", "192-168-0-21.siliconevalley1.direct.quickconnect.to", "discord.com \u2022 discord.gg", "angryblackwomyn.com", "Samuel Tulach\u2019s assets have been tightly connected to M. Brian Sabey, Esq", "https://medium.com/the-pink/how-a-white-womans-anger-makes-her-racism-spill-out-563853905a42", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://families.google/intl/pt-PT_ALL/familylink/", "https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com", "https://www.forpsi.com domain forpsi.com\t Domain asp.net", "api.item.yixun.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com", "pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://m.bigwetbutts.com/ tmi", "mastodon.social", "jaycobundaberg.eclipseaurahub.com.au 192.168.0.21", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "www.youtube.com/watch?v=GyuMozsVyYs (why would targets channel be controlled by Tulach)", "sipphone.com", "porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop", "https://api.w.org/ \u2022 api.w.org", "https://twitter.com/juvlarN", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq", "https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "http://service.adultprovide.com/docs/records.htm?site=bigtitsboss", "https://310940000.android.com.twitter.android.adsenseformobileapps.com/", "nr-data.net \u2022 www.youtube.com", "http://acounts.google.com/v/signin/identifier?continue=hts%253%252F2Fconsole.cloud.google.com2Fapengine&dsh=5-1106814258%2539876543210", "\"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines", "Mirai: simswap.in", "116e33e0-8832-11ec-aef5-99a1d044639a-local.solinkcloud.com", "https://discuss.ai.google.dev/c/gemma/10", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "grafana.ledocloud.com\u2022 192.168.0.21", "cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz", "appleid.cdn-apple.com", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "https://static.digitecgalaxus.ch/Files/communication/app-download-badges/apple_email_rasterized_2x/fr.png", "Samuel Tulach , an engineer writes about game security, Unity engine, and anti-cheat systems on his blog at tulach.cc", "Alerts network_icmp allocates_rwx packer_entropy pe_features pe_unknown_resource_name Related Pulses", "config.uca.cloud.unity3d.com", "Mr. Tulach \u2022 known for his work in cybersecurity, particularly in reverse engineering & malware analysis", "Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89", "x.com - Malware Packed", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "appspot.com \u2022 hyper7install.appspot.com", "66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png", "External Apple Connection: Notepad.pw", "device-local-de06e551-6b23-4aa3-bb67-6972ae6d30b5.remotewd.com 192.168.0.21", "http://console.cloud.google.com/appengine", "https://www.netify.ai/resources/domains \u2022 192-168-0-21.3pt3m9ng2hf.ddns.manage.alta.inc" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "TAM Legal Christopher P. Ahmann Chief Terrorist" ], "malware_families": [ "Win.packed.botx-10021462-0", "Slf:win32/elenquay.a", "Win.ransomware.bitman-9862733-0", "Win.malware.aauto-9839281-0", "Other malware", "Win32:salicode", "Unix.trojan.mirai-9441505-0", "Virtool:win32/vbinder.co", "Pws:win32/ymacco.aa50", "Win.malware.midie-6847893-0", "Alf:trojan:win32/cassini_412f60c8!ibt", "Worn:win32/autorun.xxy!bit", "Alf:hstr:virtool:win32/obfuscator!pecancer", "Alf:heraklezeval:trojan:win32/clipbanker", "Win.packed.stealerc-10017074-0", "Trojanspy", "Target saver", "Worm:win32/lightmoon.h", "Win.packer.pkr_ce1a-9980177-0", "Alf:heraklezeval:trojan:win32/azorult.fw!rfn", "Trojanspy:win32/nivdort", "Win.malware.swisyn-7610494-0", "Alfper:hstr:wizremurl.a1", "Trojanspy:win32/nivdort.de", "Win.packed.generic-9967832-0", "Custom malware", "Ransomware", "!themida", "Trojan:msil/rapidstealer.a", "Win32/madang", "Win.dropper.quasarrat-10023124-0", "Slfper:softwarebundler:win32/icloader.a", "Win.malware.jaik-9968280-0", "Artro", "Win.trojan.agent-1371484", "Virus:win32/sality.at", "Win32/scrarev.c", "Libraryloader", "Win.trojan.barys-10005825-0", "Win.malware.004bf-6866449-0", "Win.downloader.small-1966", "Trojandownloader:win32/nemucod", "Win.trojan.tofsee-7102058-0", "Win.malware.razy-6979265-0", "Virtool:msil/injector.bf", "#lowfijavazkm", "Win.trojan.vbgeneric-6735875-0", "Hacktool", "#lowfi:win32/autoit", "Worm:win32/mofksys.rnd!mtb", "Win.malware.moonlight-9919383-0", "Html.trojan.ascii212_44_64_202-1", "Win.malware.generickdz-9937235-0", "Backdoor:win32/tofsee.t", "#lowfi:hstr:virtool:win32/gendecnryptalgo.s02", "Win.trojan.zegost-9769410-0", "Backdoor:win32/tofsee.", "Trojandropper:win32/muldrop.v!mtb", "Win.malware.cymt-10023133-0", "Trojan:win32/mydoom" ], "industries": [ "Telecommunications", "Media", "Legal", "Healthcare", "Government", "Technology" ], "unique_indicators": 43535 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/kinoffond.us", "whois": "http://whois.domaintools.com/kinoffond.us", "domain": "kinoffond.us", "hostname": "api.kinoffond.us" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "69d8a665177b8f64c7ce5fca", "name": "LibraryLoader \u2022 Samuel Tulach | Abuse of malicious sssets engineered by DevOp & Security Researcher", "description": "Samuel Tulach is involved in various projects related to government work, particularly in areas like DevSecOps and app modernization. \nOverview of Samuel Tulach's \"uploader.exe\"\nThe file \"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines. This classification indicates that the file poses a potential threat to users' systems.\nSecurity Engine Flags. Several security engines have flagged \"uploader.exe\" as malicious.\nSecureAge APEX\tMalicious\nSentinelOne\tMalicious\nImplications of Malicious Flags\nPotential Risks: Files flagged as malicious can lead to various security issues, including data theft, unauthorized access, or system damage.\nRecommended Actions: Users should avoid downloading or executing this file. If already downloaded, it is advisable to delete it and run a full system scan using reputable antivirus software.", "modified": "2026-04-10T07:27:33.587000", "created": "2026-04-10T07:27:33.587000", "tags": [ "x vercel", "united", "america", "germany malware", "family", "ck ids", "packing", "tulach", "ocsp", "extraction", "data upload", "enter sc", "extra data", "include review", "exclude sugges", "find s", "failed", "typ no", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "pattern match", "mitre att", "ascii text", "span", "title", "meta", "path", "april", "hybrid", "general", "local", "encrypt", "click", "strings", "main", "footer", "pcsb", "naga", "magda", "no expiration", "url https", "domain", "github pages", "a domains", "passive dns", "mtb jan", "class", "sea x", "accept encoding", "trojanspy", "accept", "otx logo", "all ipv4", "urls", "files", "america flag", "space", "ck matrix", "handle", "winvmaddress", "cdecl crashpad", "null", "software", "comment", "entity", "internal", "blank", "magic", "infinity", "first", "valentine", "error", "webview", "front", "patched", "root", "tristate", "libraryloader", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "filehash", "win32", "malware", "write", "backdoor", "present apr", "lowfi", "aaaa", "lowfijavazkm", "x.com", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "ff d5", "yara rule", "f0 ff", "eb e1", "unknown", "trojan", "zeppelin", "autorun", "united states", "china unknown", "div div", "ip address", "record value", "samuel tulach", "czechia unknown", "italy unknown", "gmt server", "all domain", "next associated", "reverse dns", "location czech", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "file type", "telfhash", "virustotal api", "vendor finding", "notes clamav", "files matching", "number", "t1045", "search", "directui", "element", "medium", "classinfobase", "value", "write c", "hwndhost", "sapeav12", "worm", "explorer", "insert", "movie", "mtb apr", "mtb mar", "trojandropper", "displayname", "windows", "high", "delete c", "tofsee", "stream", "push", "url http", "c mar", "virtool", "c jan", "c dec", "toolbar", "ransom", "article", "windows nt", "gmtvia", "html", "bad traffic", "et info", "tls handshake", "belgium", "present dec", "present feb", "intel", "elf upx", "medium risk", "info", "moved", "hostname add", "whois registrar", "media", "delphi", "guard", "code", "devsecops", "github", "github internet", "archive samuel", "tulach", "government work", "key areas", "devops process", "security engine", "flags", "apex malicious", "implications", "malicious flags", "potential risks", "name servers", "apple id", "script urls", "show process", "secure", "win64", "khtml", "gecko", "programfiles", "cookie", "comspec", "model", "june", "spawns", "id name", "malicious", "gui", "anti cheats", "game tech", "c++" ], "references": [ "https://nextcloud.tulach.cc/ \u2022 https://nextcloud.tulach.cc/", "bleepingcomputer.com \u2022 CliffsNotes", "x.com - Malware Packed", "nr-data.net \u2022 www.youtube.com", "Alerts network_icmp allocates_rwx packer_entropy pe_features pe_unknown_resource_name Related Pulses", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "discord.com \u2022 discord.gg", "api.item.yixun.com", "Unix.Trojan.Mirai-9441505-0 Yara Detections is__elf \u2022 217.11.249.145", "Domains Contacted: fenbushijujuefuwu.com", "angryblackwomyn.com", "https://medium.com/the-pink/how-a-white-womans-anger-makes-her-racism-spill-out-563853905a42", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/41ad1d349716b3e62f914c0907323ae8e0a37198d237a02d71a0d5e05ffaa727", "https://www.forpsi.com domain forpsi.com\t Domain asp.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "www.youtube.com/watch?v=GyuMozsVyYs (why would targets channel be controlled by Tulach)", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw", "x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290", "cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz", "porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop", "https://api.w.org/ \u2022 api.w.org", "remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png", "https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-assets-Twitter.b90ee19de735e00fb4a0.js", "developer.x.com \u2022 https://twitter.com/githubstatus", "https://twitter.com/juvlarN", "appleid.cdn-apple.com", "https://static.digitecgalaxus.ch/Files/communication/app-download-badges/apple_email_rasterized_2x/fr.png", "Samuel Tulach , an engineer writes about game security, Unity engine, and anti-cheat systems on his blog at tulach.cc", "Mr. Tulach \u2022 known for his work in cybersecurity, particularly in reverse engineering & malware analysis", "\"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines", "Due to Samuel Tulach\u2019s good reputation , assume his assets are being abused by threat actors targeting", "I haven\u2019t yet concluded why Tulach.cc is deeply interwoven in a malicious media campaign", "Samuel Tulach\u2019s assets have been tightly connected to M. Brian Sabey, Esq", "The next pulse will show Apple IoC\u2019s related to Tulach.cc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LibraryLoader", "display_name": "LibraryLoader", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "target": null }, { "id": "Win.Packed.Botx-10021462-0", "display_name": "Win.Packed.Botx-10021462-0", "target": null }, { "id": "Win.Malware.Cymt-10023133-0", "display_name": "Win.Malware.Cymt-10023133-0", "target": null }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Generickdz-9937235-0", "display_name": "Win.Malware.Generickdz-9937235-0", "target": null }, { "id": "Win.Malware.Razy-6979265-0", "display_name": "Win.Malware.Razy-6979265-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "SLF:Win32/Elenquay.A", "display_name": "SLF:Win32/Elenquay.A", "target": "/malware/SLF:Win32/Elenquay.A" }, { "id": "Win.Dropper.QuasarRAT-10023124-0", "display_name": "Win.Dropper.QuasarRAT-10023124-0", "target": null }, { "id": "Win.Trojan.Zegost-9769410-0", "display_name": "Win.Trojan.Zegost-9769410-0", "target": null }, { "id": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "display_name": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "target": null }, { "id": "Win.Malware.Moonlight-9919383-0", "display_name": "Win.Malware.Moonlight-9919383-0", "target": null }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#LowfiJavaZKM", "display_name": "#LowfiJavaZKM", "target": null }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Html.Trojan.Ascii212_44_64_202-1", "display_name": "Html.Trojan.Ascii212_44_64_202-1", "target": null }, { "id": "ALFPER:HSTR:WizremURL.A1", "display_name": "ALFPER:HSTR:WizremURL.A1", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Win.Malware.Midie-6847893-0", "display_name": "Win.Malware.Midie-6847893-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Malware.Aauto-9839281-0", "display_name": "Win.Malware.Aauto-9839281-0", "target": null }, { "id": "Win.Trojan.Agent-1371484", "display_name": "Win.Trojan.Agent-1371484", "target": null }, { "id": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "display_name": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "display_name": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2710, "domain": 1227, "hostname": 1206, "FileHash-SHA256": 3867, "IPv4": 318, "FileHash-MD5": 593, "FileHash-SHA1": 459, "IPv6": 1, "SSLCertFingerprint": 19, "email": 20, "CVE": 1 }, "indicator_count": 10421, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6907cc66855b7dfe1306b0d8", "name": "Inject : Defense Counsel attaches to Apple Notebooks - Targeting", "description": "TAM Legal attacking Tsara Brashears and associated. Christopher P. Ahmann Esq Is the Special Counsel assigned to pester , smear, tamper with, terrorize, arrange murders, dispatch stalkers, deny care, swatting , botnets, attach to devices , deflect award for life ending injuries to you and your Mafia, choose malicious media companies (Hall Render) to smear Jeffrey Scott Reimers assault victim. This is silencing. Not everyone has someone to speak. Back off. You\u2019re sick. Enjoying that money, while Tsara slept on air mattress during a couch tour. Demyelinating, from denied disclosed of cord compression; like George Floyd. You should turn yourself in, write a HUGA check , shut down this criminal operation , find Jesus , self exit to a place out away from you targets , go to your bunker forever. You are a God Forsaken terrorist hitman! You\u2019re all SO sick!\nEnd Game Now.", "modified": "2026-01-01T07:03:18.851000", "created": "2025-11-02T21:25:58.814000", "tags": [ "present nov", "unknown aaaa", "ip address", "win32", "america asn", "twitter", "united states", "america", "ipv4", "united", "a domains", "443 ma86400", "super", "read c", "memcommit", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "regsetvalueexa", "hack", "write", "february", "local", "unknown", "persistence", "execution", "xport", "kb body", "present aug", "present sep", "present oct", "for privacy", "false", "expirestue", "path", "p2404", "accept", "p11762282638", "host", "gmt range", "gmt ifnonematch", "p11762466264", "p11762417453", "nothing", "shutdown", "process32nextw", "langturkish", "sublangdefault", "regdword", "rtrcdata", "microsoft excel", "delphi", "worm", "malware", "error", "next", "format", "suspicious", "less see", "contacted", "all ip", "domains", "all related", "pulses otx", "related tags", "file type", "pexe", "christopher ahmann", "tam legal", "treece", "hacking", "highjacking", "modified", "quasi government", "ai google", "inject", "adversaries", "government", "insurance", "apple" ], "references": [ "External Apple Connection: Notepad.pw", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "http://www.mohurd.gov.cn.lxcvc.com/", "config.uca.cloud.unity3d.com", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "sipphone.com", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq" ], "public": 1, "adversary": "TAM Legal Christopher P. Ahmann Chief Terrorist", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.004bf-6866449-0", "display_name": "Win.Malware.004bf-6866449-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Worn:Win32/AutoRun.XXY!bit", "display_name": "Worn:Win32/AutoRun.XXY!bit", "target": "/malware/Worn:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2615, "URL": 7521, "hostname": 1775, "domain": 689, "FileHash-MD5": 448, "FileHash-SHA1": 295, "SSLCertFingerprint": 12, "email": 1 }, "indicator_count": 13356, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e9b142a8508d5257d1662", "name": "Criminal Defender Chris Ahmann responsible for continued Apple hackathons removing IoC\u2019 l Targeting Tsara Brashears evidence of crime . Hit Man", "description": "", "modified": "2026-01-01T07:03:18.851000", "created": "2025-12-02T07:53:56.560000", "tags": [ "present nov", "unknown aaaa", "ip address", "win32", "america asn", "twitter", "united states", "america", "ipv4", "united", "a domains", "443 ma86400", "super", "read c", "memcommit", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "regsetvalueexa", "hack", "write", "february", "local", "unknown", "persistence", "execution", "xport", "kb body", "present aug", "present sep", "present oct", "for privacy", "false", "expirestue", "path", "p2404", "accept", "p11762282638", "host", "gmt range", "gmt ifnonematch", "p11762466264", "p11762417453", "nothing", "shutdown", "process32nextw", "langturkish", "sublangdefault", "regdword", "rtrcdata", "microsoft excel", "delphi", "worm", "malware", "error", "next", "format", "suspicious", "less see", "contacted", "all ip", "domains", "all related", "pulses otx", "related tags", "file type", "pexe", "christopher ahmann", "tam legal", "treece", "hacking", "highjacking", "modified", "quasi government", "ai google", "inject", "adversaries", "government", "insurance", "apple" ], "references": [ "External Apple Connection: Notepad.pw", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "http://www.mohurd.gov.cn.lxcvc.com/", "config.uca.cloud.unity3d.com", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "sipphone.com", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq" ], "public": 1, "adversary": "TAM Legal Christopher P. Ahmann Chief Terrorist", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.004bf-6866449-0", "display_name": "Win.Malware.004bf-6866449-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Worn:Win32/AutoRun.XXY!bit", "display_name": "Worn:Win32/AutoRun.XXY!bit", "target": "/malware/Worn:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6907cc66855b7dfe1306b0d8", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2615, "URL": 7437, "hostname": 1765, "domain": 686, "FileHash-MD5": 448, "FileHash-SHA1": 295, "SSLCertFingerprint": 12, "email": 1 }, "indicator_count": 13259, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e2d950ac7d1e2a3454a4f", "name": "Gooogle Accounts | Drive-by Compromise \u2022 Ransomware \u2022 Phishing Attack", "description": "Google accounts Drive-by Compromise. Affected Google accounts redirects to a suspicious non - Google homepage. |\nRansomware | Adware | Phishing | Injection | \nExploits seen affecting both OS and iOS devices. Threat actors able to remotely access iOS device, unlock, access iCloud. System root control, fully infected devices, Attackers continue to ravage devices w/ drive by compromise, unsafe adware, malware text, etc., Seeks to remove malicious IoC\u2019s on mock accounts , password stealers", "modified": "2025-12-31T23:04:59.378000", "created": "2025-12-02T00:06:45.807000", "tags": [ "iocs", "drop", "network traffic", "ck id", "mitre att", "ck matrix", "network related", "detected", "t1566", "t1204", "united", "click", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "learn", "suspicious", "informative", "name tactics", "adversaries", "command", "initial access", "spawns", "found", "binary file", "t1189", "regsetvalueexa", "regdword", "post http", "medium", "high", "regbinary", "loader", "dock", "write", "malware", "unknown", "romania unknown", "present may", "msie", "chrome", "body", "passive dns", "ip address", "present jun", "welcome", "accept", "encrypt", "gmt content", "ipv4 add", "url analysis", "urls", "files", "reverse dns", "unknown aaaa", "certificate", "hostname add", "error", "flag", "domain address", "contacted hosts", "type", "india unknown", "record value", "body html", "head title", "title", "entries", "read c", "high defense", "evasion", "yara detections", "virtool", "win32", "ahmann", "hacker group", "law firm", "order", "google", "smart assembly" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VirTool:MSIL/Injector.BF", "display_name": "VirTool:MSIL/Injector.BF", "target": "/malware/VirTool:MSIL/Injector.BF" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 112, "FileHash-SHA256": 589, "URL": 1795, "SSLCertFingerprint": 3, "domain": 319, "hostname": 847, "email": 1 }, "indicator_count": 3781, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68db395368d6c4042517f3f3", "name": "Target Saver M1 Agent TSA Spy \u2022 Mastadon - Hit Tip! Thanks!", "description": "Hot Tip! I would love to give a shout out to the person who provided this information, I\u2019m not sure if they want to remain anonymous or not. Thank SO Much!\n\nSpyware and a source for distributing malicious media. Complete foothold\non networks, browsers, phones, search history and everything, massive streaming pornography distributed, members and contributors. \n\nVery important tip. I will analyze and break down into digestible pulse sizes.", "modified": "2025-12-27T15:01:22.545000", "created": "2025-09-30T01:58:43.592000", "tags": [ "http traffic", "match info", "http get", "info performs", "dns query", "https http", "mitre att", "evasion ta0005", "creates", "info", "oc0006 http", "wininet c0005", "resolved ips", "get http", "html document", "unicode text", "dynamicloader", "fe ff", "medium", "x00bx00", "uswv", "k uswv", "search", "high", "delete c", "yara detections", "redline", "guard", "write", "united", "present sep", "aaaa", "passive dns", "urls", "next associated", "found", "x content", "hacktool", "trojan", "error", "lowfi", "win32", "worm", "ip address", "mtb apr", "ransom", "virtool", "ain add", "directui", "element", "classinfobase", "ccbase", "hwndhost", "yara rule", "hpavvalue", "qaejh", "name servers", "cryp", "emails", "next related", "domain related", "no expiration", "url http", "url https", "indicator role", "hostname", "email", "present jun", "present aug", "present jul", "servers", "title", "encrypt", "altsvc h3", "date tue", "acceptranges", "reportto", "server", "gmt expires", "gmt contenttype", "script", "expiresthu", "maxage63072000", "pragma", "google safe", "unknown ns", "files", "location united", "asn as15169", "trojandropper", "susp", "creation date", "asn as133618", "tags", "related tags", "indicator facts", "backdoor", "ipv4 add", "click", "artro", "target saver", "trojanspy", "reverse dns", "america flag", "443 ma2592000", "hostname add", "verdict", "present mar", "present jan", "present dec", "present apr", "ipv4", "type indicator", "role title", "related pulses", "iocs", "moved", "downloads", "apple", "microsoft", "hexagonsystem", "mastadon", "status", "twitter", "gmt content", "easyredir cache", "v4 add", "redacted for", "privacy tech", "privacy admin", "registrar abuse", "available from", "algorithm", "key identifier", "x509v3 subject", "entity", "code", "date", "dnssec", "showing", "unknown aaaa", "sha256", "sha1", "ascii text", "ck id", "show technique", "ck matrix", "meta", "hybrid", "general", "local", "path", "strings", "copy md5", "copy sha1", "copy sha256", "certificate" ], "references": [ "FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63", "mastodon.social", "https://families.google/intl/pt-PT_ALL/familylink/", "http://service.adultprovide.com/docs/records.htm?site=bigtitsboss", "slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com", "https://discuss.ai.google.dev/c/gemma/10", "https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png", "https://m.bigwetbutts.com/ tmi", "Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89", "Mirai: simswap.in", "66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com", "https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com", "https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02", "display_name": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02", "target": null }, { "id": "Win.Ransomware.Bitman-9862733-0", "display_name": "Win.Ransomware.Bitman-9862733-0", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Target Saver", "display_name": "Target Saver", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Hacktool", "display_name": "Hacktool", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [ "Media", "Legal", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2964, "hostname": 1164, "URL": 4334, "domain": 956, "FileHash-MD5": 476, "FileHash-SHA1": 451, "CVE": 1, "email": 20, "SSLCertFingerprint": 2 }, "indicator_count": 10368, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e32dd0c55bf224eb99dd58", "name": "Appspot.com - Google account fraud & infostealing", "description": "Fake Google email accounts. I\u2019ve reviewed a handful of targets with this issue. If starting with a new device, signed up for a new google account,\nthe users are automatically logged out, forced to sign in again, checked security features where you can see an unauthorized autonomous general\nphone, or iPhone or MacBook was also signed in in a different location. Even if you delete the device or email account, I\u2019ve seen the intruder handle CnC of all backups of photos and clouds. \n\n\n\n[OTX auto populated - The full list of domain names: APPSPot.COM.com, which was created on the same day as the Google search engine, has been published by the internet regulator, the IANA.]", "modified": "2025-11-05T01:01:26.928000", "created": "2025-10-06T02:47:44.098000", "tags": [ "aaaa", "susp", "trojan", "google", "server", "domain status", "registrar abuse", "domain name", "us registrant", "email", "contact email", "rdap database", "google app", "google hosted", "please", "vulnerabilities", "join", "bring", "api explorer", "engine", "admin sdk", "info", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "ssl certificate", "ascii text", "united", "pattern match", "mitre att", "general", "local", "path", "click", "strings", "porn", "phishing", "fraud", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "download", "apt", "ansi", "dumps", "file string", "seen", "disabled hash", "close", "hosts", "contact", "tellwise", "passive dns", "urls", "pulse pulses", "files", "verdict", "domain", "files ip", "address", "location united", "asn as15169", "extraction", "data upload", "extra", "referen http", "changed data", "failed", "include review", "t07 exclude", "extri data", "changed", "exclude", "find s", "tvnes data", "status", "present nov", "name servers", "entries", "geoid no", "present dec", "date", "error", "title", "sugges", "typ no", "no entrieotound", "scam", "foundry", "sabey type", "denver", "quasi", "phoenix", "australia" ], "references": [ "appspot.com \u2022 hyper7install.appspot.com", "https://hybrid-analysis.com/sample/c61237fcb798f05e6af32a6aa13f8e795aac47559d601eb7f93ad65bcf58b418/68e30c476b91a8000b0dd786", "http://acounts.google.com/v/signin/identifier?continue=hts%253%252F2Fconsole.cloud.google.com2Fapengine&dsh=5-1106814258%2539876543210", "Changed last several digits of gmail account # In example", "http://console.cloud.google.com/appengine", "https://310940000.android.com.twitter.android.adsenseformobileapps.com/", "https://www.netify.ai/resources/domains \u2022 192-168-0-21.3pt3m9ng2hf.ddns.manage.alta.inc", "device-local-de06e551-6b23-4aa3-bb67-6972ae6d30b5.remotewd.com 192.168.0.21", "116e33e0-8832-11ec-aef5-99a1d044639a-local.solinkcloud.com", "jaycobundaberg.eclipseaurahub.com.au 192.168.0.21", "grafana.ledocloud.com\u2022 192.168.0.21", "192-168-0-21.siliconevalley1.direct.quickconnect.to" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32/Madang", "display_name": "Win32/Madang", "target": null }, { "id": "Win.Downloader.Small-1966", "display_name": "Win.Downloader.Small-1966", "target": null }, { "id": "Win32:SaliCode", "display_name": "Win32:SaliCode", "target": null }, { "id": "Virtool:Win32/Vbinder.CO", "display_name": "Virtool:Win32/Vbinder.CO", "target": "/malware/Virtool:Win32/Vbinder.CO" }, { "id": "!Themida", "display_name": "!Themida", "target": null }, { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "Win32/Scrarev.C", "display_name": "Win32/Scrarev.C", "target": null }, { "id": "Trojan:MSIL/RapidStealer.A", "display_name": "Trojan:MSIL/RapidStealer.A", "target": "/malware/Trojan:MSIL/RapidStealer.A" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 222, "FileHash-MD5": 146, "FileHash-SHA1": 317, "FileHash-SHA256": 1120, "email": 3, "hostname": 881, "URL": 1338, "SSLCertFingerprint": 7 }, "indicator_count": 4034, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "165 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d37e35f99d852d38beb769", "name": "Cryptex Port Key \u2022 RedLine Stealer affects Threat Research Platform/s", "description": "#attack? #honeypot?", "modified": "2025-10-24T04:02:54.218000", "created": "2025-09-24T05:14:28.101000", "tags": [ "x00x00n", "memcommit", "regopenkeyexw", "regsz", "else", "ipnnoysrdi tr", "writeconsolew", "cryptexportkey", "invalid pointer", "x1ex00x00n", "redline stealer", "service", "powershell", "tools", "persistence", "execution", "dock", "write", "updater", "malware", "passive dns", "urls", "url add", "ip address", "related nids", "files location", "hong kong", "united", "present jul", "present dec", "search", "present may", "a domains", "name servers", "unknown aaaa", "trojan", "present jan", "present sep", "moved", "title", "span td", "td td", "tr tr", "a li", "ipv4 internet", "span", "meta", "gmt content", "ipv4 add", "reverse dns", "trojanx", "location hong kong", "software", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "development att", "ascii text", "pattern match", "mitre att", "ck matrix", "sha1", "odigicert inc", "network traffic", "general", "local", "path", "encrypt", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "crlf line", "urlhttps", "extracted files", "acquires", "networking", "readiness" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1086", "name": "PowerShell", "display_name": "T1086 - PowerShell" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 150, "FileHash-SHA1": 148, "FileHash-SHA256": 3059, "domain": 1277, "URL": 4166, "hostname": 1251, "SSLCertFingerprint": 10, "email": 1 }, "indicator_count": 10062, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "177 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://api.kinoffond.us", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://api.kinoffond.us", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776641235.9167774 }