{ "type": "URL", "indicator": "https://beta.cellavision-proficiency-software.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://beta.cellavision-proficiency-software.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4141887796, "indicator": "https://beta.cellavision-proficiency-software.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "692e8cd886e0bb692e8a9d08", "name": "Blocker Ransomware affecting Apple and iCloud | Injection", "description": "Wild! Hackers attack-ack-acking!\nThey\u2019re quite good. Persistent. Angry. \nIt\u2019s the same group of hackers.", "modified": "2026-01-01T06:01:02.583000", "created": "2025-12-02T06:53:12.823000", "tags": [ "url https", "url http", "domain", "fh no", "ipv4", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "mitre att", "ck id", "ck matrix", "ascii text", "href", "network traffic", "general", "local", "click", "strings", "learn", "name tactics", "suspicious", "informative", "found", "command", "adversaries", "spawns", "defense evasion", "dynamicloader", "windows nt", "wow64", "khtml", "gecko", "write c", "unknown", "virtool", "write", "defender", "malware", "delete", "alerts", "backdoor", "high", "ip address", "t1045", "packing", "t1055", "injection", "t1060", "run keys", "startup", "folder", "t1119", "t1027", "tools", "families", "mirai", "indicator role", "active related", "hackers", "ahmann", "usual suspects" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Backdoor:Win32/Drixed", "display_name": "Backdoor:Win32/Drixed", "target": "/malware/Backdoor:Win32/Drixed" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Ransom:Win32/Blocker.NN!MTB", "display_name": "Ransom:Win32/Blocker.NN!MTB", "target": "/malware/Ransom:Win32/Blocker.NN!MTB" }, { "id": "Unix.Trojan.Mirai-7135937-0", "display_name": "Unix.Trojan.Mirai-7135937-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1066", "name": "Indicator Removal from Tools", "display_name": "T1066 - Indicator Removal from Tools" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1408", "name": "Disguise Root/Jailbreak Indicators", "display_name": "T1408 - Disguise Root/Jailbreak Indicators" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1590.002", "name": "DNS", "display_name": "T1590.002 - DNS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 234, "FileHash-SHA1": 219, "FileHash-SHA256": 841, "URL": 2606, "domain": 298, "hostname": 772, "SSLCertFingerprint": 2, "CVE": 1 }, "indicator_count": 4973, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69212b59117e7e2eb6f3adbf", "name": "X.com RAT \u2022 Tofsee | Attorney | Hacker | Affects visitors to his site.", "description": "Christopher Ahmann again. I\u2019m not sure if he is really an attorney or a hacker. He could be a Hacker and a legal consultant. Again incredibly malicious activity. #contacted #tofsee #trojan #rat #apple #telegram #cnc #google #botnets #bots \n\n[OTC populated: The following is the full list of names you can find on the website of an American law firm, which is based in New York and New Jersey, and which can be accessed via a Google search.]", "modified": "2025-12-22T02:05:33.541000", "created": "2025-11-22T03:17:45.877000", "tags": [ "twitter", "rat", "christopher p ahmann", "trojan", "lowfijavazkm", "x", "x.com", "dynamicloader", "yara rule", "ms windows", "windows", "medium", "united", "ascii text", "high", "write", "guard", "defender", "cybergate", "smartassembly", "malware", "win64", "unknown", "encrypt", "yara detections", "contacted", "av detections", "ids detections", "alerts", "port", "destination", "write c", "delete c", "tofsee", "stream", "telegram", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "ssl certificate", "pattern match", "mitre att", "path", "hybrid", "general", "click", "strings", "legal entities", "apple", "liar" ], "references": [ "x.com | https://x.com/search?q=Ahmann-Christopher-PC-Attorney-at-Law", "IDS Detection : Win32.Cybergate RAT SQLite DL", "IDS Detections : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections : HTTP GET Request for sqlite3.dll - Possible Infostealer Activity", "Yara Detections : Nullsoft_NSIS", "Alerts: antisandbox_sleep creates_largekey process_creation_suspicious_location", "Alerts: infostealer_cookies persistence_autorun procmem_yara static_pe_anomaly", "Alerts: suricata_alert antiav_detectfile antivm_bochs_keys cape_extracted_content", "Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages mouse_movement_detect dynamic_function_loading resumethread_remote_process reads_memory_remote_process network_connection_via_suspicious_process", "Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts: reads_memory_remote_process network_connection_via_suspicious_process", "IDS Detections : Win32/Tofsee.AX google.com connectivity check", "IDS Detections : HTTP Request with Lowercase host Header Observed", "IDS Detections : Observed Telegram Domain (t .me in TLS SNI)", "Alerts: behavior_tofsee suspicious_iocontrol_codes creates_largekey network_bind", "Alerts : persistence_autorun persistence_autorun_tasks network_smtp procmem_yara", "Alerts : static_pe_anomaly suricata_alert antivm_bochs_keys antivm_generic_disk", "Alerts : antivm_generic_services deletes_executed_files injection_runpe dead_connect", "Alerts : persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep", "appleid.cdn-apple.com \u2022 apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/", "https://apple.k8s.joewa.com/ \u2022 http://www.gtaging.apple.pol.kozow.com", "https://v2.papadustream.tv/episode/the-walking-dead-1x1", "https://www.rubreyatson.ddnsgeek.com/", "https://parabellumnorth.com/product/py2a-g17-69-rail-set/", "remotewd.com \u2022 device-194a3e38-d1e7-421a-8a01-d136fef966f1.remotewd.com", "https://hyperbot.net/ \u2022http://rarebot.com/rarebot-installer.exe", "accounts.google.com" ], "public": 1, "adversary": "Christopher Paul Ahmann", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowfiJavaZKM", "display_name": "#LowfiJavaZKM", "target": null }, { "id": "Win.Dropper.Tofsee-10012410-0", "display_name": "Win.Dropper.Tofsee-10012410-0", "target": null }, { "id": "Win.Dropper.Tofsee-10012410-0", "display_name": "Win.Dropper.Tofsee-10012410-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 360, "URL": 1750, "FileHash-MD5": 120, "FileHash-SHA1": 80, "FileHash-SHA256": 1269, "SSLCertFingerprint": 9, "hostname": 644 }, "indicator_count": 4232, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IDS Detection : Win32.Cybergate RAT SQLite DL", "Alerts : persistence_autorun persistence_autorun_tasks network_smtp procmem_yara", "x.com | https://x.com/search?q=Ahmann-Christopher-PC-Attorney-at-Law", "Alerts : static_pe_anomaly suricata_alert antivm_bochs_keys antivm_generic_disk", "https://www.rubreyatson.ddnsgeek.com/", "remotewd.com \u2022 device-194a3e38-d1e7-421a-8a01-d136fef966f1.remotewd.com", "Alerts: infostealer_cookies persistence_autorun procmem_yara static_pe_anomaly", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts : antivm_generic_services deletes_executed_files injection_runpe dead_connect", "https://apple.k8s.joewa.com/ \u2022 http://www.gtaging.apple.pol.kozow.com", "https://parabellumnorth.com/product/py2a-g17-69-rail-set/", "appleid.cdn-apple.com \u2022 apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/", "accounts.google.com", "IDS Detections : HTTP Request with Lowercase host Header Observed", "Yara Detections : Nullsoft_NSIS", "IDS Detections : Win32/Tofsee.AX google.com connectivity check", "Alerts: suricata_alert antiav_detectfile antivm_bochs_keys cape_extracted_content", "IDS Detections : HTTP GET Request for sqlite3.dll - Possible Infostealer Activity", "Alerts : persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep", "Alerts: reads_memory_remote_process network_connection_via_suspicious_process", "Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages", "https://v2.papadustream.tv/episode/the-walking-dead-1x1", "https://hyperbot.net/ \u2022http://rarebot.com/rarebot-installer.exe", "Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages mouse_movement_detect dynamic_function_loading resumethread_remote_process reads_memory_remote_process network_connection_via_suspicious_process", "IDS Detections : Observed Telegram Domain (t .me in TLS SNI)", "Alerts: behavior_tofsee suspicious_iocontrol_codes creates_largekey network_bind", "IDS Detections : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Alerts: antisandbox_sleep creates_largekey process_creation_suspicious_location" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Christopher Paul Ahmann" ], "malware_families": [ "Backdoor:win32/drixed", "Virtool:win32/injector", "Tofsee", "#lowfijavazkm", "Win.dropper.tofsee-10012410-0", "#virtool:win32/obfuscator.adb", "Ransom:win32/blocker.nn!mtb", "Mirai", "Unix.trojan.mirai-7135937-0" ], "industries": [], "unique_indicators": 9020 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cellavision-proficiency-software.com", "whois": "http://whois.domaintools.com/cellavision-proficiency-software.com", "domain": "cellavision-proficiency-software.com", "hostname": "beta.cellavision-proficiency-software.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "692e8cd886e0bb692e8a9d08", "name": "Blocker Ransomware affecting Apple and iCloud | Injection", "description": "Wild! Hackers attack-ack-acking!\nThey\u2019re quite good. Persistent. Angry. \nIt\u2019s the same group of hackers.", "modified": "2026-01-01T06:01:02.583000", "created": "2025-12-02T06:53:12.823000", "tags": [ "url https", "url http", "domain", "fh no", "ipv4", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "mitre att", "ck id", "ck matrix", "ascii text", "href", "network traffic", "general", "local", "click", "strings", "learn", "name tactics", "suspicious", "informative", "found", "command", "adversaries", "spawns", "defense evasion", "dynamicloader", "windows nt", "wow64", "khtml", "gecko", "write c", "unknown", "virtool", "write", "defender", "malware", "delete", "alerts", "backdoor", "high", "ip address", "t1045", "packing", "t1055", "injection", "t1060", "run keys", "startup", "folder", "t1119", "t1027", "tools", "families", "mirai", "indicator role", "active related", "hackers", "ahmann", "usual suspects" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Backdoor:Win32/Drixed", "display_name": "Backdoor:Win32/Drixed", "target": "/malware/Backdoor:Win32/Drixed" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Ransom:Win32/Blocker.NN!MTB", "display_name": "Ransom:Win32/Blocker.NN!MTB", "target": "/malware/Ransom:Win32/Blocker.NN!MTB" }, { "id": "Unix.Trojan.Mirai-7135937-0", "display_name": "Unix.Trojan.Mirai-7135937-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1066", "name": "Indicator Removal from Tools", "display_name": "T1066 - Indicator Removal from Tools" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1408", "name": "Disguise Root/Jailbreak Indicators", "display_name": "T1408 - Disguise Root/Jailbreak Indicators" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1590.002", "name": "DNS", "display_name": "T1590.002 - DNS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 234, "FileHash-SHA1": 219, "FileHash-SHA256": 841, "URL": 2606, "domain": 298, "hostname": 772, "SSLCertFingerprint": 2, "CVE": 1 }, "indicator_count": 4973, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69212b59117e7e2eb6f3adbf", "name": "X.com RAT \u2022 Tofsee | Attorney | Hacker | Affects visitors to his site.", "description": "Christopher Ahmann again. I\u2019m not sure if he is really an attorney or a hacker. He could be a Hacker and a legal consultant. Again incredibly malicious activity. #contacted #tofsee #trojan #rat #apple #telegram #cnc #google #botnets #bots \n\n[OTC populated: The following is the full list of names you can find on the website of an American law firm, which is based in New York and New Jersey, and which can be accessed via a Google search.]", "modified": "2025-12-22T02:05:33.541000", "created": "2025-11-22T03:17:45.877000", "tags": [ "twitter", "rat", "christopher p ahmann", "trojan", "lowfijavazkm", "x", "x.com", "dynamicloader", "yara rule", "ms windows", "windows", "medium", "united", "ascii text", "high", "write", "guard", "defender", "cybergate", "smartassembly", "malware", "win64", "unknown", "encrypt", "yara detections", "contacted", "av detections", "ids detections", "alerts", "port", "destination", "write c", "delete c", "tofsee", "stream", "telegram", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "ssl certificate", "pattern match", "mitre att", "path", "hybrid", "general", "click", "strings", "legal entities", "apple", "liar" ], "references": [ "x.com | https://x.com/search?q=Ahmann-Christopher-PC-Attorney-at-Law", "IDS Detection : Win32.Cybergate RAT SQLite DL", "IDS Detections : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections : HTTP GET Request for sqlite3.dll - Possible Infostealer Activity", "Yara Detections : Nullsoft_NSIS", "Alerts: antisandbox_sleep creates_largekey process_creation_suspicious_location", "Alerts: infostealer_cookies persistence_autorun procmem_yara static_pe_anomaly", "Alerts: suricata_alert antiav_detectfile antivm_bochs_keys cape_extracted_content", "Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages mouse_movement_detect dynamic_function_loading resumethread_remote_process reads_memory_remote_process network_connection_via_suspicious_process", "Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts: reads_memory_remote_process network_connection_via_suspicious_process", "IDS Detections : Win32/Tofsee.AX google.com connectivity check", "IDS Detections : HTTP Request with Lowercase host Header Observed", "IDS Detections : Observed Telegram Domain (t .me in TLS SNI)", "Alerts: behavior_tofsee suspicious_iocontrol_codes creates_largekey network_bind", "Alerts : persistence_autorun persistence_autorun_tasks network_smtp procmem_yara", "Alerts : static_pe_anomaly suricata_alert antivm_bochs_keys antivm_generic_disk", "Alerts : antivm_generic_services deletes_executed_files injection_runpe dead_connect", "Alerts : persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep", "appleid.cdn-apple.com \u2022 apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/", "https://apple.k8s.joewa.com/ \u2022 http://www.gtaging.apple.pol.kozow.com", "https://v2.papadustream.tv/episode/the-walking-dead-1x1", "https://www.rubreyatson.ddnsgeek.com/", "https://parabellumnorth.com/product/py2a-g17-69-rail-set/", "remotewd.com \u2022 device-194a3e38-d1e7-421a-8a01-d136fef966f1.remotewd.com", "https://hyperbot.net/ \u2022http://rarebot.com/rarebot-installer.exe", "accounts.google.com" ], "public": 1, "adversary": "Christopher Paul Ahmann", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowfiJavaZKM", "display_name": "#LowfiJavaZKM", "target": null }, { "id": "Win.Dropper.Tofsee-10012410-0", "display_name": "Win.Dropper.Tofsee-10012410-0", "target": null }, { "id": "Win.Dropper.Tofsee-10012410-0", "display_name": "Win.Dropper.Tofsee-10012410-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 360, "URL": 1750, "FileHash-MD5": 120, "FileHash-SHA1": 80, "FileHash-SHA256": 1269, "SSLCertFingerprint": 9, "hostname": 644 }, "indicator_count": 4232, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://beta.cellavision-proficiency-software.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://beta.cellavision-proficiency-software.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776640542.8721375 }