{ "type": "URL", "indicator": "https://auth.bankid.no/auth", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://auth.bankid.no/auth", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4092242560, "indicator": "https://auth.bankid.no/auth", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69f54c711cd17df01c20d601", "name": "Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT", "description": "Active cyber issues\ncontinue to affect Colorado Judicial, Government and Hospital systems. \n\nWhat\u2019s true: Targeting, Hacking , Rogue Domain Controller. Bad actors regularly ride outdated , poorly managed networks. \n\n\nTipped: Monitored Targets past irregular mail \nissues. URLs that redirects to Colorado Justice system., included in a letter that was sent to an undeliverable address. Mail sent again, recipient believes the contents of letters does not appear authentic. \n\n\nTipped: RE: Monitored Target. Unfavorable, Unjust conditions in Denver , Colorado USA. As recent as 4/2026. Other pulses related to this matter suggests a Pegasus relationship. Will need to analyze.", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T00:59:29.794000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 271, "hostname": 743, "URL": 1509, "FileHash-SHA256": 1574, "IPv4": 30, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4 }, "indicator_count": 4437, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5d960e861f6159823ff0b", "name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT'] credit, Q.VASHTI", "description": "", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T11:00:48.440000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": "69f54c711cd17df01c20d601", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 271, "hostname": 744, "URL": 1509, "FileHash-SHA256": 1574, "IPv4": 30, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4 }, "indicator_count": 4438, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5da1228db82eb87274cab", "name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court] clone from cellphone seperate", "description": "", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T11:03:46.995000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": "69f5d960e861f6159823ff0b", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 273, "hostname": 769, "URL": 1601, "FileHash-SHA256": 1576, "IPv4": 227, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4, "IPv6": 4 }, "indicator_count": 4760, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6875e98438889e51b3fdd18f", "name": "Critical \u2022 Schedule system process - Mirai | Foundry Overwatch", "description": "", "modified": "2025-08-14T05:04:16.839000", "created": "2025-07-15T05:39:16.652000", "tags": [ "win32 exe", "country", "include review", "exclude", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "impact ob0008", "file system", "system oc0008", "match unknown", "adversaries", "match info", "info", "execution flow", "t1574 dll", "tries", "registry", "modify system", "process t1543", "unknown", "window", "ob0009 install", "ob0012 install", "insecure", "b0047 modify", "registry e1112", "hidden files", "registry run", "keys", "startup folder", "f0012 file", "critical", "united", "as15169", "delete c", "as16509", "show", "search", "intel", "ms windows", "entries", "medium", "worm", "copy", "write", "explorer", "malware", "next", "present jul", "status", "date", "ip address", "domain", "servers", "showing", "unknown ns", "related pulses", "pulses", "tags", "related tags", "more file", "type", "date april", "am size", "sha1 sha256", "as14618", "united kingdom", "as54113", "as15133 verizon", "top source", "top destination", "status domain", "ip whitelisted", "whitelisted", "tcp include", "source source", "oamazon", "cnamazon rsa", "odigicert inc", "sweden as20940", "as20940", "entries tls", "ip destination", "encrypt", "aaaa", "found", "certificate", "next associated", "urls show", "date checked", "error", "windows", "high", "yara detections", "installs", "checks", "filehash", "sha256 add", "themida", "data upload", "extraction", "md5 add", "av detections", "ids detections", "alerts", "analysis date", "file score", "win32", "ddos", "passive dns", "activity", "checkin", "win64", "mtb jan", "lowfi", "trojan", "ransom", "trojandropper", "yara", "nsis", "nss bv", "su data", "windo alerts", "andariel", "malware traffic", "nids", "icmp traffic", "dns query", "id deadhost", "connects", "andariel high", "richhash", "external", "virustotal api", "screenshots", "failed", "auurtonany data", "themida andarie", "present may", "japan unknown", "unknown cname", "domain add", "urls", "files", "http headers", "msie", "windows nt", "tcp syn", "resolverror", "externalport", "internalport", "wget command", "devices home", "execution", "foundry", "home networks", "mirai", "x.com", "porn", "monitored target", "d link", "targets" ], "references": [ "TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}", "Crowdsourced Signa: Schedule system process by Joe Security", "Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel", "Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "Yara \u2022 NSIS from ruleset NSIS by kevoreilly", "Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security", "Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command", "IDS : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI", "Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0", "*Themida_2xx. Oreans,Technologies", "*Andariel Backdoor Activity (Checkin)", "Alert: dead_host nids_malware_alert network_icmp nolookup_communication", "IDS: WGET Command Specifying Output in HTTP Headers", "IDS: D-Link Devices Home Network Administration Protocol Command Execution", "foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl", "https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net", "x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com", "http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios", "Devices remotely connected, tracked , monitored" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Win.Malware.Ursu-9856871-0", "display_name": "Win.Malware.Ursu-9856871-0", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 448, "FileHash-SHA1": 435, "FileHash-SHA256": 5851, "hostname": 2580, "domain": 1176, "URL": 7133, "SSLCertFingerprint": 30, "email": 3, "CVE": 3 }, "indicator_count": 17659, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "290 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "coloradoproblemsolvingcourts.org?", "http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios", "*Andariel Backdoor Activity (Checkin)", "https://www.coloradojudicial.gov/data", "https://www.sweetheartvideo.com/tsara-brashears", "Devices remotely connected, tracked , monitored", "TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com", "*Themida_2xx. Oreans,Technologies", "Yara \u2022 NSIS from ruleset NSIS by kevoreilly", "IDS : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI", "Crowdsourced Signa: Schedule system process by Joe Security", "https://rockylinux.map.fastlydns.net/", "www.its.courts.state.co.us", "foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "chrome.cloudflare-dns.com", "IDS: D-Link Devices Home Network Administration Protocol Command Execution", "Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel", "https://odr.coloradojudicial.gov/login", "https://cp.bankid.no", "Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security", "Alert: dead_host nids_malware_alert network_icmp nolookup_communication", "Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0", "https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net", "Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command", "IDS: WGET Command Specifying Output in HTTP Headers" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.trojan.barys", "Alf:pulzati:trojan:win32/emotet!rfn", "Malware packed", "Unix.trojan.mirai-6981169-0", "Tel:trojan:win32/injector.ab!msr", "Win.malware.jaik-9968280-0", "Worm:win32/mofksys.rnd!mtb", "Trojan:win32/dorv.a", "Trojan:win32/zombie.a", "Trojandownloader:win32/inbat.h", "Trojandownloader:win32/nemucod", "Trojan:msil/snakekeylogger.mk1!mtb", "Elf:ddos-y\\ [trj]", "Trojan:win32/gupboot.b", "Trojandownloader:win32/systex.a", "Win.trojan.gh0strat-7480037-0", "Trojan:win32/blihan.a", "Trojan:win32/glupteba.mt!mtb", "Trojan:win32/zbot", "Win.trojan.generic-9908275-0", "Alf:trojan:win32/cassini_f2776388!ibt", "Trojandownloader:win32/vb.il", "Win.trojan.killav-210", "Trojandownloader:win32/misfox", "Win.malware.ursu-9856871-0", "Trojan:win32/scar.mr!mtb", "Trojandownloader:win32/upatre" ], "industries": [ "Government", "Law", "Healthcare", "Technology" ], "unique_indicators": 22464 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/bankid.no", "whois": "http://whois.domaintools.com/bankid.no", "domain": "bankid.no", "hostname": "auth.bankid.no" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69f54c711cd17df01c20d601", "name": "Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT", "description": "Active cyber issues\ncontinue to affect Colorado Judicial, Government and Hospital systems. \n\nWhat\u2019s true: Targeting, Hacking , Rogue Domain Controller. Bad actors regularly ride outdated , poorly managed networks. \n\n\nTipped: Monitored Targets past irregular mail \nissues. URLs that redirects to Colorado Justice system., included in a letter that was sent to an undeliverable address. Mail sent again, recipient believes the contents of letters does not appear authentic. \n\n\nTipped: RE: Monitored Target. Unfavorable, Unjust conditions in Denver , Colorado USA. As recent as 4/2026. Other pulses related to this matter suggests a Pegasus relationship. Will need to analyze.", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T00:59:29.794000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 271, "hostname": 743, "URL": 1509, "FileHash-SHA256": 1574, "IPv4": 30, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4 }, "indicator_count": 4437, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5d960e861f6159823ff0b", "name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT'] credit, Q.VASHTI", "description": "", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T11:00:48.440000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": "69f54c711cd17df01c20d601", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 271, "hostname": 744, "URL": 1509, "FileHash-SHA256": 1574, "IPv4": 30, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4 }, "indicator_count": 4438, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5da1228db82eb87274cab", "name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court] clone from cellphone seperate", "description": "", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T11:03:46.995000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": "69f5d960e861f6159823ff0b", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 273, "hostname": 769, "URL": 1601, "FileHash-SHA256": 1576, "IPv4": 227, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4, "IPv6": 4 }, "indicator_count": 4760, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6875e98438889e51b3fdd18f", "name": "Critical \u2022 Schedule system process - Mirai | Foundry Overwatch", "description": "", "modified": "2025-08-14T05:04:16.839000", "created": "2025-07-15T05:39:16.652000", "tags": [ "win32 exe", "country", "include review", "exclude", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "impact ob0008", "file system", "system oc0008", "match unknown", "adversaries", "match info", "info", "execution flow", "t1574 dll", "tries", "registry", "modify system", "process t1543", "unknown", "window", "ob0009 install", "ob0012 install", "insecure", "b0047 modify", "registry e1112", "hidden files", "registry run", "keys", "startup folder", "f0012 file", "critical", "united", "as15169", "delete c", "as16509", "show", "search", "intel", "ms windows", "entries", "medium", "worm", "copy", "write", "explorer", "malware", "next", "present jul", "status", "date", "ip address", "domain", "servers", "showing", "unknown ns", "related pulses", "pulses", "tags", "related tags", "more file", "type", "date april", "am size", "sha1 sha256", "as14618", "united kingdom", "as54113", "as15133 verizon", "top source", "top destination", "status domain", "ip whitelisted", "whitelisted", "tcp include", "source source", "oamazon", "cnamazon rsa", "odigicert inc", "sweden as20940", "as20940", "entries tls", "ip destination", "encrypt", "aaaa", "found", "certificate", "next associated", "urls show", "date checked", "error", "windows", "high", "yara detections", "installs", "checks", "filehash", "sha256 add", "themida", "data upload", "extraction", "md5 add", "av detections", "ids detections", "alerts", "analysis date", "file score", "win32", "ddos", "passive dns", "activity", "checkin", "win64", "mtb jan", "lowfi", "trojan", "ransom", "trojandropper", "yara", "nsis", "nss bv", "su data", "windo alerts", "andariel", "malware traffic", "nids", "icmp traffic", "dns query", "id deadhost", "connects", "andariel high", "richhash", "external", "virustotal api", "screenshots", "failed", "auurtonany data", "themida andarie", "present may", "japan unknown", "unknown cname", "domain add", "urls", "files", "http headers", "msie", "windows nt", "tcp syn", "resolverror", "externalport", "internalport", "wget command", "devices home", "execution", "foundry", "home networks", "mirai", "x.com", "porn", "monitored target", "d link", "targets" ], "references": [ "TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}", "Crowdsourced Signa: Schedule system process by Joe Security", "Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel", "Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "Yara \u2022 NSIS from ruleset NSIS by kevoreilly", "Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security", "Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command", "IDS : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI", "Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0", "*Themida_2xx. Oreans,Technologies", "*Andariel Backdoor Activity (Checkin)", "Alert: dead_host nids_malware_alert network_icmp nolookup_communication", "IDS: WGET Command Specifying Output in HTTP Headers", "IDS: D-Link Devices Home Network Administration Protocol Command Execution", "foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl", "https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net", "x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com", "http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios", "Devices remotely connected, tracked , monitored" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Win.Malware.Ursu-9856871-0", "display_name": "Win.Malware.Ursu-9856871-0", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 448, "FileHash-SHA1": 435, "FileHash-SHA256": 5851, "hostname": 2580, "domain": 1176, "URL": 7133, "SSLCertFingerprint": 30, "email": 3, "CVE": 3 }, "indicator_count": 17659, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "290 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://auth.bankid.no/auth", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://auth.bankid.no/auth", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780237264.3860784 }