{ "type": "URL", "indicator": "https://c.markeliza.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://c.markeliza.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4173170512, "indicator": "https://c.markeliza.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69d6619d62ea0c3bbf0ebf75", "name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge", "description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.", "modified": "2026-04-08T14:09:33.432000", "created": "2026-04-08T14:09:33.432000", "tags": [ "issuer apple", "valid from", "valid", "serial number", "macho", "macho 64bit", "mac os", "x macho", "intel", "file version", "team identifier", "apple root", "ca feb", "am ma9eduzpcw", "signers", "issuer valid", "from valid", "status issuer", "apple inc", "valid apple", "a9 a8", "process32nextw", "regsetvalueexa", "read c", "regdword", "tls handshake", "failure", "msie", "malware", "write", "win32", "unknown", "dynamicloader", "high", "myapp", "device driver", "host", "worm", "delphi", "error", "code", "defender", "next", "file score", "cryp", "virus", "checkin tls", "forbidden yara", "msvisualcpp2008", "less ip", "contacted", "scanning host", "trojan", "exploit host", "apple inc", "monitored target", "targeting", "name servers", "servers", "expiration date", "value emails", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "tulach" ], "references": [ "com.iobit.MacBooster-3", "IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden", "Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,", "Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun", "Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer", "Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe", "Alerts: injection_process_search antivm_network_adapters privilege_luid_check", "Alerts: checks_debugger has_pdb raises_exception", "IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96", "Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com", "Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen", "I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.", "https://otx.alienvault.com/indicator/cve/CVE-2023-22518", "Issue! Team member found CVE-2023-22518 have origins from the State of Colorado", "Issue! Multiple IoC\u2019s missing.", "A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more", "I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place", "Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue", "Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s", "Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.", "Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?", "Researching using an easy powerful tool like this has led to confrontations.", "I liked the tool. There is something strange happening with the pulses & IoC\u2019s", "I did not clone my pulse to read Bit.io", "I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members", "There are serious researchers on here for a short time hoping to resolve serious cyber issues", "I am unable to reach Level Blue regarding issues. Mailer Daemon only", "It\u2019s not just me. I have contacted from very secured emails, networks, devices", "I typically follow targets who have truly dangerous situations who no longer pulse.", "This would be sent in an email but \u2026.", "About pulse, found in peripheral.", "When your pulse says contacted, who is contacted besides OTX?", "An earlier version contacted entities affected or affecting targets." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "FileHash-MD5": 102, "FileHash-SHA256": 2076, "IPv4": 111, "URL": 2496, "CVE": 2, "domain": 483, "hostname": 938, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 6289, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6958780c8479a9d69920c3d8", "name": "Telnet - Mirai \u2022 Dark Nexus BusyBox iOS Attack", "description": "There\u2019s enough here to cause an outage. I will stop here. Illegal activities to silence victim and block her from financial settlement award for permanent injuries under workers compensation in a premise and healthcare worker assault scenario. Attorneys estimated her case to be above $100 million but knew she\u2019d be tampered with. Mark Montano MD forewarned her but is culpable. Still attacking family of victim.\n[ True- otx auto generated: Adversaries may be able to gain access to a victim's network through a drive-by attack, as well as using a short-term SSL certificate, in order to target the victim.] |||\nPositive:\nT1140 - Deobfuscate/Decode Files or Information\nSuspicious IP Address\n104.21.51.140, 172.67.181.41\nLocation United States ASN\nModif AS13335 cloudflare\nAutomate Nameservers:\nns1.colocrossing.com.", "modified": "2026-02-02T01:02:46.327000", "created": "2026-01-03T01:59:40.530000", "tags": [ "united", "moved", "title", "passive dns", "ipv4 add", "urls", "files", "hosting", "reverse dns", "location united", "hash avast", "avg clamav", "msdefender mar", "read c", "create c", "medium", "search", "memcommit", "high", "checks", "windows", "execution", "dock", "write", "persistence", "capture", "local", "ref b", "wed may", "backdoor", "mtb aug", "next associated", "mtb dec", "twitter", "smoke loader", "malware", "virtool", "hacktool", "data upload", "present dec", "mtb apr", "win32", "trojan", "worm", "lowfi", "cybota", "expiration date", "name servers", "ipv4", "url analysis", "port", "destination", "telnet login", "bad login", "gpl telnet", "suspicious path", "busybox", "tcp syn", "et telnet", "path", "mirai", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "america", "ck id", "name tactics", "suspicious", "informative", "learn", "t1179 hooking", "installs", "t1035 service", "adversaries", "msie", "windows nt", "slcc2", "media center", "y013", "flag", "span", "accept", "core", "february", "hybrid", "malicious", "general", "click", "strings", "roboto", "next", "usa windows", "finished", "queueprogress", "timestamp input", "threat level", "october", "september", "hwp support", "fresh", "win64", "khtml", "gecko", "brand", "microsoft edge", "programfiles", "comspec", "model", "iframe", "form", "listeners", "initial access", "t1590 gather", "victim network", "ssl certificate", "quasi government", "jeffrey reimer", "palantir", "Regis university", "otx hp", "apple", "pegasus", "h5 data center", "florence colorado", "brian sabey", "target : Tsara Brasheaers", "aig", "industry and commerce", "united states", "State of Colorado.", "date", "status", "domain", "hostname add", "pulse pulses", "files ip", "address", "url https", "url http", "hostname", "show", "type indicator", "source hostname", "entries", "Prometheus Intelligence Technology", "pulse submit", "america flag", "body", "dynamicloader", "microsoft azure", "tls issuing", "named pipe", "json", "ascii text", "lredmond", "Apple", "Telnet", "BusyBox", "Pegasus", "Colorado State Fixer: Christopher P. Ahmann", "Hijacker: Brian Sabey", "For: Concentra", "Protecting Assaulter: Jeffrey Reimer", "For: AIG", "For Industry and Commerce", "For: Quasi Government", "For: Workers Compensation", "Authorities", "Law Enforcement Dark", "Silencing", "Tampering with a Victim", "Meta", "Palantir", "Google", "Bing", "Microsoft", "ColoCrossing", "Associates", "hit men" ], "references": [ "ET Telnet | https://www.colocrossing.com | velocity servers", "https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives", "TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host", "Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)", "(legitimate services will remain up-and-running usually) High | ID dead_host", "ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0", "IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login", "Yara Detections is__elf", "Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , ELFHighEntropy , elf_empty_sections", "http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/", "https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l", "https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!", "https://www.colocrossing.com/", "(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.", "In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov", "104.21.51.140, 172.67.181.41", "Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot", "stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe", "Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download", "Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration", "IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192", "IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82", "Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com", "This is hard to comprehend or put into indelible words." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "HackTool:MSIL/Boilod.C!bit", "display_name": "HackTool:MSIL/Boilod.C!bit", "target": "/malware/HackTool:MSIL/Boilod.C!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1462", "name": "Malicious Software Development Tools", "display_name": "T1462 - Malicious Software Development Tools" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Technology", "Healthcare", "Insurance", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6390, "domain": 723, "hostname": 1978, "FileHash-SHA256": 1912, "FileHash-MD5": 410, "FileHash-SHA1": 306, "email": 3, "SSLCertFingerprint": 28, "CVE": 3 }, "indicator_count": 11753, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "76 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Yara Detections is__elf", "Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue", "Researching using an easy powerful tool like this has led to confrontations.", "I did not clone my pulse to read Bit.io", "I liked the tool. There is something strange happening with the pulses & IoC\u2019s", "I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.", "There are serious researchers on here for a short time hoping to resolve serious cyber issues", "Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,", "Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer", "stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe", "IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192", "Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com", "When your pulse says contacted, who is contacted besides OTX?", "104.21.51.140, 172.67.181.41", "Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)", "IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82", "Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com", "Alerts: injection_process_search antivm_network_adapters privilege_luid_check", "Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen", "com.iobit.MacBooster-3", "I am unable to reach Level Blue regarding issues. Mailer Daemon only", "I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place", "IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login", "Alerts: checks_debugger has_pdb raises_exception", "IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden", "https://otx.alienvault.com/indicator/cve/CVE-2023-22518", "Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration", "(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.", "https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives", "TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host", "An earlier version contacted entities affected or affecting targets.", "This is hard to comprehend or put into indelible words.", "This would be sent in an email but \u2026.", "ET Telnet | https://www.colocrossing.com | velocity servers", "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot", "Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more", "It\u2019s not just me. I have contacted from very secured emails, networks, devices", "About pulse, found in peripheral.", "IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96", "I typically follow targets who have truly dangerous situations who no longer pulse.", "ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0", "https://www.colocrossing.com/", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun", "http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/", "Issue! Multiple IoC\u2019s missing.", "https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!", "Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit", "Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s", "Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?", "Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.", "Yara Detections is__elf , ELFHighEntropy , elf_empty_sections", "In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov", "https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l", "Issue! Team member found CVE-2023-22518 have origins from the State of Colorado", "Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe", "(legitimate services will remain up-and-running usually) High | ID dead_host", "I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Exploit:win32/cve-2017-0147", "Ransom:win32/cve-2017-0147", "Cve-2023-22518", "Virus:win32/floxif.h", "Unix.trojan.darknexus-7679166-0", "Mirai", "Worm:win32/autorun!atmn", "Hacktool:msil/boilod.c!bit" ], "industries": [ "Insurance", "Technology", "Healthcare", "Civil society" ], "unique_indicators": 18237 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/markeliza.com", "whois": "http://whois.domaintools.com/markeliza.com", "domain": "markeliza.com", "hostname": "c.markeliza.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69d6619d62ea0c3bbf0ebf75", "name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge", "description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.", "modified": "2026-04-08T14:09:33.432000", "created": "2026-04-08T14:09:33.432000", "tags": [ "issuer apple", "valid from", "valid", "serial number", "macho", "macho 64bit", "mac os", "x macho", "intel", "file version", "team identifier", "apple root", "ca feb", "am ma9eduzpcw", "signers", "issuer valid", "from valid", "status issuer", "apple inc", "valid apple", "a9 a8", "process32nextw", "regsetvalueexa", "read c", "regdword", "tls handshake", "failure", "msie", "malware", "write", "win32", "unknown", "dynamicloader", "high", "myapp", "device driver", "host", "worm", "delphi", "error", "code", "defender", "next", "file score", "cryp", "virus", "checkin tls", "forbidden yara", "msvisualcpp2008", "less ip", "contacted", "scanning host", "trojan", "exploit host", "apple inc", "monitored target", "targeting", "name servers", "servers", "expiration date", "value emails", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "tulach" ], "references": [ "com.iobit.MacBooster-3", "IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden", "Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,", "Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun", "Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer", "Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe", "Alerts: injection_process_search antivm_network_adapters privilege_luid_check", "Alerts: checks_debugger has_pdb raises_exception", "IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96", "Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com", "Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen", "I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.", "https://otx.alienvault.com/indicator/cve/CVE-2023-22518", "Issue! Team member found CVE-2023-22518 have origins from the State of Colorado", "Issue! Multiple IoC\u2019s missing.", "A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more", "I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place", "Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue", "Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s", "Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.", "Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?", "Researching using an easy powerful tool like this has led to confrontations.", "I liked the tool. There is something strange happening with the pulses & IoC\u2019s", "I did not clone my pulse to read Bit.io", "I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members", "There are serious researchers on here for a short time hoping to resolve serious cyber issues", "I am unable to reach Level Blue regarding issues. Mailer Daemon only", "It\u2019s not just me. I have contacted from very secured emails, networks, devices", "I typically follow targets who have truly dangerous situations who no longer pulse.", "This would be sent in an email but \u2026.", "About pulse, found in peripheral.", "When your pulse says contacted, who is contacted besides OTX?", "An earlier version contacted entities affected or affecting targets." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "FileHash-MD5": 102, "FileHash-SHA256": 2076, "IPv4": 111, "URL": 2496, "CVE": 2, "domain": 483, "hostname": 938, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 6289, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6958780c8479a9d69920c3d8", "name": "Telnet - Mirai \u2022 Dark Nexus BusyBox iOS Attack", "description": "There\u2019s enough here to cause an outage. I will stop here. Illegal activities to silence victim and block her from financial settlement award for permanent injuries under workers compensation in a premise and healthcare worker assault scenario. Attorneys estimated her case to be above $100 million but knew she\u2019d be tampered with. Mark Montano MD forewarned her but is culpable. Still attacking family of victim.\n[ True- otx auto generated: Adversaries may be able to gain access to a victim's network through a drive-by attack, as well as using a short-term SSL certificate, in order to target the victim.] |||\nPositive:\nT1140 - Deobfuscate/Decode Files or Information\nSuspicious IP Address\n104.21.51.140, 172.67.181.41\nLocation United States ASN\nModif AS13335 cloudflare\nAutomate Nameservers:\nns1.colocrossing.com.", "modified": "2026-02-02T01:02:46.327000", "created": "2026-01-03T01:59:40.530000", "tags": [ "united", "moved", "title", "passive dns", "ipv4 add", "urls", "files", "hosting", "reverse dns", "location united", "hash avast", "avg clamav", "msdefender mar", "read c", "create c", "medium", "search", "memcommit", "high", "checks", "windows", "execution", "dock", "write", "persistence", "capture", "local", "ref b", "wed may", "backdoor", "mtb aug", "next associated", "mtb dec", "twitter", "smoke loader", "malware", "virtool", "hacktool", "data upload", "present dec", "mtb apr", "win32", "trojan", "worm", "lowfi", "cybota", "expiration date", "name servers", "ipv4", "url analysis", "port", "destination", "telnet login", "bad login", "gpl telnet", "suspicious path", "busybox", "tcp syn", "et telnet", "path", "mirai", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "america", "ck id", "name tactics", "suspicious", "informative", "learn", "t1179 hooking", "installs", "t1035 service", "adversaries", "msie", "windows nt", "slcc2", "media center", "y013", "flag", "span", "accept", "core", "february", "hybrid", "malicious", "general", "click", "strings", "roboto", "next", "usa windows", "finished", "queueprogress", "timestamp input", "threat level", "october", "september", "hwp support", "fresh", "win64", "khtml", "gecko", "brand", "microsoft edge", "programfiles", "comspec", "model", "iframe", "form", "listeners", "initial access", "t1590 gather", "victim network", "ssl certificate", "quasi government", "jeffrey reimer", "palantir", "Regis university", "otx hp", "apple", "pegasus", "h5 data center", "florence colorado", "brian sabey", "target : Tsara Brasheaers", "aig", "industry and commerce", "united states", "State of Colorado.", "date", "status", "domain", "hostname add", "pulse pulses", "files ip", "address", "url https", "url http", "hostname", "show", "type indicator", "source hostname", "entries", "Prometheus Intelligence Technology", "pulse submit", "america flag", "body", "dynamicloader", "microsoft azure", "tls issuing", "named pipe", "json", "ascii text", "lredmond", "Apple", "Telnet", "BusyBox", "Pegasus", "Colorado State Fixer: Christopher P. Ahmann", "Hijacker: Brian Sabey", "For: Concentra", "Protecting Assaulter: Jeffrey Reimer", "For: AIG", "For Industry and Commerce", "For: Quasi Government", "For: Workers Compensation", "Authorities", "Law Enforcement Dark", "Silencing", "Tampering with a Victim", "Meta", "Palantir", "Google", "Bing", "Microsoft", "ColoCrossing", "Associates", "hit men" ], "references": [ "ET Telnet | https://www.colocrossing.com | velocity servers", "https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives", "TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host", "Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)", "(legitimate services will remain up-and-running usually) High | ID dead_host", "ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0", "IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login", "Yara Detections is__elf", "Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , ELFHighEntropy , elf_empty_sections", "http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/", "https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l", "https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!", "https://www.colocrossing.com/", "(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.", "In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov", "104.21.51.140, 172.67.181.41", "Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot", "stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe", "Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download", "Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration", "IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192", "IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82", "Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com", "This is hard to comprehend or put into indelible words." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "HackTool:MSIL/Boilod.C!bit", "display_name": "HackTool:MSIL/Boilod.C!bit", "target": "/malware/HackTool:MSIL/Boilod.C!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1462", "name": "Malicious Software Development Tools", "display_name": "T1462 - Malicious Software Development Tools" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Technology", "Healthcare", "Insurance", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6390, "domain": 723, "hostname": 1978, "FileHash-SHA256": 1912, "FileHash-MD5": 410, "FileHash-SHA1": 306, "email": 3, "SSLCertFingerprint": 28, "CVE": 3 }, "indicator_count": 11753, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "76 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://c.markeliza.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://c.markeliza.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776641873.8578868 }