{ "type": "URL", "indicator": "https://app.socrates.com/share/person/96168844448...", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://app.socrates.com/share/person/96168844448...", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4069785421, "indicator": "https://app.socrates.com/share/person/96168844448...", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 152, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7582b2454d926e77db68c", "name": "AWS does have issues - Indictor removal service impacting threat hunting services", "description": "Malicious. I hope the pulse posted yesterday didn\u2019t lead to AWS outage. I learned about it a few a few hours ago. AWS does have issues, like having a monopoly and the type of services allowed to exist on their servers. I never saw the links until I learned. I appreciate tips , opinions , and sharing.received. An issue found on targets old iOS 14 device ,due to deletions . This had me researching a link that is related to multiple links researched before. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship). There are many other malicious indicators.", "modified": "2025-11-20T06:00:01.014000", "created": "2025-10-21T09:53:47.767000", "tags": [ "url http", "url https", "united", "sweden", "canada", "search", "type indicator", "added active", "related pulses", "aws", "passive dns", "urls", "files domain", "files related", "related tags", "none google", "safe browsing", "present jun", "present sep", "present aug", "present jul", "present oct", "present may", "ip address", "uruguay unknown", "india showing", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "unknown", "write", "read", "unknown www", "et trojan", "suspicious", "read c", "myagrent", "get myagrent", "win32", "malware", "ids detections", "et", "dynamicloader", "medium", "write c", "high", "pcratgh0st cnc", "backdoor family", "show", "ms windows", "trojandropper", "code", "next", "polymorphic", "indicator role", "title added", "active related", "report spam", "threat hunters", "brian", "sabey created", "day ago", "white indicator", "sabey", "worm", "emotet", "tags", "malware family", "ck ids", "t1140", "information", "t1045", "packing", "t1060", "dns", "role title", "filehashmd5", "malware attacks", "find encrypted", "pulses url", "q oct", "dns", "ators show", "tbmvid", "sourcelnms", "ipv4", "types", "indicators show" ], "references": [ "business-support.intel.com \u2022 dns0.org \u2022 http://g-ns-1047.awsdns-20.org/", "Alerts: physical_drive_access deletes_executed_files anomalous_deletefile", "Alerts: suspicious_iocontrol_codes polymorphic static_pe_anomaly suricata_alert", "Alerts: injection_rwx antivm_checks_available_memory queries_computer_name", "Alerts: resumethread_remote_process antivm_generic_disk antisandbox_sleep dynamic_function_loading", "Alerts: enumerates_running_processes reads_self packer_unknown_pe_section_name contains_pe_overlay dropper queries_keyboard_layout", "102 Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key", "More PE Packer Microsoft Visual C++ Compilation | File Type PEXE - PE32 executable (GUI) Intel 80386, for MS Windows", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "Contacted ipp.getcash2018.com conf.f.360.cn", "All IP\u2019s Contacted 27.102.115.143 199.232.210.172 Domains", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "New? patch-aws-8y03-v202542-266-2.space.prod.a0core.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "TrojanDropper:Win32/Zegost.B", "display_name": "TrojanDropper:Win32/Zegost.B", "target": "/malware/TrojanDropper:Win32/Zegost.B" }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "Trojan:Win32/Fugrafa", "display_name": "Trojan:Win32/Fugrafa", "target": "/malware/Trojan:Win32/Fugrafa" }, { "id": "Win32:MalwareX-gen", "display_name": "Win32:MalwareX-gen", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1224, "URL": 2979, "domain": 609, "FileHash-SHA256": 765, "FileHash-SHA1": 350, "FileHash-MD5": 374, "CVE": 1, "email": 1 }, "indicator_count": 6303, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "192 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68efedf37890e1b32d60eb55", "name": "Assurant Insurance \u2022 Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant , T-Mobile & me", "description": "Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant and T-Mobile and me. There is truth to the tip I received. This is the 3rd time all of my networks went down , even my phone disconnected and phone number changed temporarily. \n\nJosh T found again. Online profile possibly staged. Stated he is a gamer , self trained in Lua, , CS major in Canada. He is a malicious hacker and streamer and probably an entity. Eric _E iCloud related. Found DoD & Mil hackers related. I haven\u2019t taken the time to authenticate.. Very malicious and talented hackers attacking. I can\u2019t ignore the .mil and DoD items that populated in previous pulses. \n \n[OTX Auto Populated-Trojan-gen-Glupteba, Danabot, Prorat, and other names have been identified as the names of those affected by the latest cyber-attack on the internet.]", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T18:54:43.205000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "198 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68efee5ba882db423d3bad8f", "name": "Assurant & T-Mobile BLYP Checkin ET MALWARE TROJAN \u2022 Kryptic", "description": "", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T18:56:27.950000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": "68efedf37890e1b32d60eb55", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "198 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68eff0848071708f9ee0c0bd", "name": "Gamarue \u2022 G3nasom\u2022 Simda\u2022 Ganelp affecting Assurant and T-Mobile Part 3", "description": "", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T19:05:40.466000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": "68efee5ba882db423d3bad8f", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "198 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68b114fbbc637a8288f22ff1", "name": "intone.com -", "description": "Company tried to recruiter me the same way st consulting did at Montefiore,", "modified": "2025-09-28T02:07:03.607000", "created": "2025-08-29T02:48:27.616000", "tags": [ "virustotal", "resolver ip", "technology", "date", "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "gameprofits.io", "id": "170823", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_170823/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 367, "URL": 395, "hostname": 200, "FileHash-SHA256": 143 }, "indicator_count": 1105, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "245 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687f0f210ec1de4316b22522", "name": "Strange Medical Facility with Overt Bad Actors Spying on Disabled", "description": "Strange Medical Facility with Overt Bad Actors already Spying on Disabled. Everything including bathroom is monitored.\nfounderintech.com\nwww.galbutfamilyfoundation.com\t\nwpengine.com\t\nhttps://foundry2sdbl.dvr.dn2.n-helix.com\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\npegasusthruster.com\t\nhttps://www.pegasusthruster.com/\t\nsmtp.pegasustech.net\nhttp://pegasusthruster.com/shoppegasus/includes/att", "modified": "2025-08-21T03:02:43.704000", "created": "2025-07-22T04:10:09.158000", "tags": [ "date", "submit url", "analysis", "passive dns", "urls", "files", "ip address", "asn as13335", "whois registrar", "creation date", "extraction", "data", "extri", "include review", "iocs", "data upload", "united", "unknown aaaa", "search", "showing", "moved", "a domains", "record value", "body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6560, "FileHash-MD5": 121, "FileHash-SHA1": 125, "FileHash-SHA256": 3989, "domain": 1616, "hostname": 1876, "email": 3, "CVE": 2 }, "indicator_count": 14292, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "283 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "682d481cb7ed0e71682f8309", "name": "Plumix 41:1c:fc:08:65:49:a7:e3:91:67:ab:94:82:bf:2c:0f:af:e4:24:2a 2018-08-08 bis 2292-05-22", "description": "Plumix.com\nSerwer nazw domen\nns2.nazwa.pl , ns1.nazwa.pl", "modified": "2025-06-20T03:02:24.594000", "created": "2025-05-21T03:27:24.351000", "tags": [ "dht penomocnik", "anycast voip", "dht kopalnia", "chmura dht", "amazonaes", "akamai poczona", "chmura chmura", "dnparking dht", "porwany", "dnparking", "amazon02 spam", "4 zapisy", "cname", "mx a" ], "references": [ "Plumix.com", "https://www.virustotal.com/graph/embed/gcbfc9c0da50d4e0b826b5d57" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "SSLCertFingerprint": 1, "hostname": 387, "domain": 338, "FileHash-SHA256": 198, "URL": 958 }, "indicator_count": 1882, "is_author": false, "is_subscribing": null, "subscriber_count": 125, "modified_text": "345 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "business-support.intel.com \u2022 dns0.org \u2022 http://g-ns-1047.awsdns-20.org/", "Contacted ipp.getcash2018.com conf.f.360.cn", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "Alerts: suspicious_iocontrol_codes polymorphic static_pe_anomaly suricata_alert", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "Verification failure observed in automated verification handlers during sandbox replay.", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "https://www.virustotal.com/graph/embed/gcbfc9c0da50d4e0b826b5d57", "New? patch-aws-8y03-v202542-266-2.space.prod.a0core.net", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "102 Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key", "Alerts: injection_rwx antivm_checks_available_memory queries_computer_name", "All IP\u2019s Contacted 27.102.115.143 199.232.210.172 Domains", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "you.are.poor.i.got.trap.money?", "Plumix.com", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Alerts: enumerates_running_processes reads_self packer_unknown_pe_section_name contains_pe_overlay dropper queries_keyboard_layout", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "Alerts: physical_drive_access deletes_executed_files anomalous_deletefile", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "More PE Packer Microsoft Visual C++ Compilation | File Type PEXE - PE32 executable (GUI) Intel 80386, for MS Windows", "Alerts: resumethread_remote_process antivm_generic_disk antisandbox_sleep dynamic_function_loading", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Et", "Crypt3.bxgr", "Danabot", "Crypt5.bbyh", "Inject2.bhbw", "Trojandropper:win32/zegost.b", "Crypt3.bxmj", "Trojan:win32/fugrafa", "Crypt3.boje", "Backdoor:win32/prorat.l", "Crypt3.bxvc", "Zegost", "Bc.win.packer.troll-11", "Inject2.bive", "Tofsee", "Crypt3.boqd", "Win32:malwarex-gen", "Atros3.ahfb", "Prorat", "Crypt3.boiu", "Worm:win32/autorun.xxy!bit", "Crypt3.cmtm", "Trojan:win32/glupteba.ov!mtb", "Win32:trojan", "Crypt3.blxp", "Win32:malware-gen", "Crypt3.ckto", "Crypt3.coiz", "Crypt4.ahsw" ], "industries": [ "Insurance", "Telecommunications", "Technology", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in" ], "unique_indicators": 171353 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/socrates.com", "whois": "http://whois.domaintools.com/socrates.com", "domain": "socrates.com", "hostname": "app.socrates.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 152, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7582b2454d926e77db68c", "name": "AWS does have issues - Indictor removal service impacting threat hunting services", "description": "Malicious. I hope the pulse posted yesterday didn\u2019t lead to AWS outage. I learned about it a few a few hours ago. AWS does have issues, like having a monopoly and the type of services allowed to exist on their servers. I never saw the links until I learned. I appreciate tips , opinions , and sharing.received. An issue found on targets old iOS 14 device ,due to deletions . This had me researching a link that is related to multiple links researched before. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship). There are many other malicious indicators.", "modified": "2025-11-20T06:00:01.014000", "created": "2025-10-21T09:53:47.767000", "tags": [ "url http", "url https", "united", "sweden", "canada", "search", "type indicator", "added active", "related pulses", "aws", "passive dns", "urls", "files domain", "files related", "related tags", "none google", "safe browsing", "present jun", "present sep", "present aug", "present jul", "present oct", "present may", "ip address", "uruguay unknown", "india showing", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "unknown", "write", "read", "unknown www", "et trojan", "suspicious", "read c", "myagrent", "get myagrent", "win32", "malware", "ids detections", "et", "dynamicloader", "medium", "write c", "high", "pcratgh0st cnc", "backdoor family", "show", "ms windows", "trojandropper", "code", "next", "polymorphic", "indicator role", "title added", "active related", "report spam", "threat hunters", "brian", "sabey created", "day ago", "white indicator", "sabey", "worm", "emotet", "tags", "malware family", "ck ids", "t1140", "information", "t1045", "packing", "t1060", "dns", "role title", "filehashmd5", "malware attacks", "find encrypted", "pulses url", "q oct", "dns", "ators show", "tbmvid", "sourcelnms", "ipv4", "types", "indicators show" ], "references": [ "business-support.intel.com \u2022 dns0.org \u2022 http://g-ns-1047.awsdns-20.org/", "Alerts: physical_drive_access deletes_executed_files anomalous_deletefile", "Alerts: suspicious_iocontrol_codes polymorphic static_pe_anomaly suricata_alert", "Alerts: injection_rwx antivm_checks_available_memory queries_computer_name", "Alerts: resumethread_remote_process antivm_generic_disk antisandbox_sleep dynamic_function_loading", "Alerts: enumerates_running_processes reads_self packer_unknown_pe_section_name contains_pe_overlay dropper queries_keyboard_layout", "102 Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key", "More PE Packer Microsoft Visual C++ Compilation | File Type PEXE - PE32 executable (GUI) Intel 80386, for MS Windows", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "Contacted ipp.getcash2018.com conf.f.360.cn", "All IP\u2019s Contacted 27.102.115.143 199.232.210.172 Domains", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "New? patch-aws-8y03-v202542-266-2.space.prod.a0core.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "TrojanDropper:Win32/Zegost.B", "display_name": "TrojanDropper:Win32/Zegost.B", "target": "/malware/TrojanDropper:Win32/Zegost.B" }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "Trojan:Win32/Fugrafa", "display_name": "Trojan:Win32/Fugrafa", "target": "/malware/Trojan:Win32/Fugrafa" }, { "id": "Win32:MalwareX-gen", "display_name": "Win32:MalwareX-gen", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1224, "URL": 2979, "domain": 609, "FileHash-SHA256": 765, "FileHash-SHA1": 350, "FileHash-MD5": 374, "CVE": 1, "email": 1 }, "indicator_count": 6303, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "192 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68efedf37890e1b32d60eb55", "name": "Assurant Insurance \u2022 Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant , T-Mobile & me", "description": "Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant and T-Mobile and me. There is truth to the tip I received. This is the 3rd time all of my networks went down , even my phone disconnected and phone number changed temporarily. \n\nJosh T found again. Online profile possibly staged. Stated he is a gamer , self trained in Lua, , CS major in Canada. He is a malicious hacker and streamer and probably an entity. Eric _E iCloud related. Found DoD & Mil hackers related. I haven\u2019t taken the time to authenticate.. Very malicious and talented hackers attacking. I can\u2019t ignore the .mil and DoD items that populated in previous pulses. \n \n[OTX Auto Populated-Trojan-gen-Glupteba, Danabot, Prorat, and other names have been identified as the names of those affected by the latest cyber-attack on the internet.]", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T18:54:43.205000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "198 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68efee5ba882db423d3bad8f", "name": "Assurant & T-Mobile BLYP Checkin ET MALWARE TROJAN \u2022 Kryptic", "description": "", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T18:56:27.950000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": "68efedf37890e1b32d60eb55", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "198 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68eff0848071708f9ee0c0bd", "name": "Gamarue \u2022 G3nasom\u2022 Simda\u2022 Ganelp affecting Assurant and T-Mobile Part 3", "description": "", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T19:05:40.466000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": "68efee5ba882db423d3bad8f", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "198 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68b114fbbc637a8288f22ff1", "name": "intone.com -", "description": "Company tried to recruiter me the same way st consulting did at Montefiore,", "modified": "2025-09-28T02:07:03.607000", "created": "2025-08-29T02:48:27.616000", "tags": [ "virustotal", "resolver ip", "technology", "date", "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "gameprofits.io", "id": "170823", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_170823/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 367, "URL": 395, "hostname": 200, "FileHash-SHA256": 143 }, "indicator_count": 1105, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "245 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687f0f210ec1de4316b22522", "name": "Strange Medical Facility with Overt Bad Actors Spying on Disabled", "description": "Strange Medical Facility with Overt Bad Actors already Spying on Disabled. Everything including bathroom is monitored.\nfounderintech.com\nwww.galbutfamilyfoundation.com\t\nwpengine.com\t\nhttps://foundry2sdbl.dvr.dn2.n-helix.com\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\npegasusthruster.com\t\nhttps://www.pegasusthruster.com/\t\nsmtp.pegasustech.net\nhttp://pegasusthruster.com/shoppegasus/includes/att", "modified": "2025-08-21T03:02:43.704000", "created": "2025-07-22T04:10:09.158000", "tags": [ "date", "submit url", "analysis", "passive dns", "urls", "files", "ip address", "asn as13335", "whois registrar", "creation date", "extraction", "data", "extri", "include review", "iocs", "data upload", "united", "unknown aaaa", "search", "showing", "moved", "a domains", "record value", "body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6560, "FileHash-MD5": 121, "FileHash-SHA1": 125, "FileHash-SHA256": 3989, "domain": 1616, "hostname": 1876, "email": 3, "CVE": 2 }, "indicator_count": 14292, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "283 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "682d481cb7ed0e71682f8309", "name": "Plumix 41:1c:fc:08:65:49:a7:e3:91:67:ab:94:82:bf:2c:0f:af:e4:24:2a 2018-08-08 bis 2292-05-22", "description": "Plumix.com\nSerwer nazw domen\nns2.nazwa.pl , ns1.nazwa.pl", "modified": "2025-06-20T03:02:24.594000", "created": "2025-05-21T03:27:24.351000", "tags": [ "dht penomocnik", "anycast voip", "dht kopalnia", "chmura dht", "amazonaes", "akamai poczona", "chmura chmura", "dnparking dht", "porwany", "dnparking", "amazon02 spam", "4 zapisy", "cname", "mx a" ], "references": [ "Plumix.com", "https://www.virustotal.com/graph/embed/gcbfc9c0da50d4e0b826b5d57" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "SSLCertFingerprint": 1, "hostname": 387, "domain": 338, "FileHash-SHA256": 198, "URL": 958 }, "indicator_count": 1882, "is_author": false, "is_subscribing": null, "subscriber_count": 125, "modified_text": "345 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://app.socrates.com/share/person/96168844448...", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://app.socrates.com/share/person/96168844448...", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780269394.9577296 }