{ "type": "URL", "indicator": "https://carmody-consulting.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://carmody-consulting.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3819340012, "indicator": "https://carmody-consulting.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "69bf261cc4e399447d78776c", "name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |", "description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com", "modified": "2026-04-20T21:01:07.869000", "created": "2026-03-21T23:13:32.760000", "tags": [ "sc data", "data upload", "please sub", "include data", "extraction", "failed", "sc pulse", "idron anv", "extr please", "include review", "exclude sugges", "stop show", "typ domain", "united", "virtool", "name servers", "cryp", "emails", "win32", "ip address", "worm", "trojan", "learn", "suspicious", "informative", "ck id", "name tactics", "command", "adversaries", "spawns", "ssl certificate", "initial access", "link initial", "prefetch8", "mitre att", "ck matrix", "flag", "windows nt", "win64", "accept", "encrypt", "form", "hybrid", "bypass", "general", "path", "iframe", "click", "strings", "anchor https", "anchor", "liberal", "sabey", "liberal friends", "meta", "html internet", "html document", "unicode text", "utf8 text", "info initial", "access ta0001", "compromise", "t1189 network", "communication", "get http", "artifacts v", "full reports", "v get", "help dns", "resolutions", "ip traffic", "extr data", "enter sc", "extra data", "referen", "broth", "passive dns", "urls", "http", "hostname", "files domain", "files related", "related tags", "none google", "safe browsing", "inquest labs", "lucas acha", "code integrity", "checks creation", "otx logo", "all hostname", "files", "domain", "protect", "date", "title", "exchange", "se http", "present jan", "present feb", "present dec", "backdoor", "certificate", "all domain", "alibaba cloud", "hichina", "porkbun llc", "cloudflare", "namecheap inc", "namecheap", "domains", "dynadot llc", "ascio", "denmark", "url https", "filehashsha256", "url http", "dopple ai", "snit", "iocs", "otx description", "information", "report spam", "delete service", "poem", "hunter", "malicious", "porn revenge", "brian sabeys", "all report", "spam delete", "rl http", "https", "expiration http", "spam brian", "swipper", "type indicator", "role title", "added active", "related pulses", "filehashmd5", "filehashsha1", "sha256", "scan", "learn more", "indicators show", "tbmvid", "sourcelnms", "zx1724209326040", "xxx videos", "xxxvideohd", "adversary", "packing", "palantir.com", "discovery", "victim won case", "doin it", "palantirian abuse", "apple", "sabey data centers", "insurance", "quasi government", "the brother sabey", "reimer", "law enforcement", "vessel state", "sabey porn", "hall evans", "christopher ahmann", "defamation", "google" ], "references": [ "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "http://watchhers.net/index.php", "http://212.33.237.86/images/1/report.php", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://webmail.police.govmm.org/owa/", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "Mark Brian Sabey", "Melvin Sabey", "Christopher P \u2018Buzz\u2019 Ahmann", "Ronda Cordova", "Unknown Persons impersonating Private Investigators (plural)", "Quasi Government Case", "Victim silenced. Struck by Car Driven by male police let walk", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "Reimer was a PT. Unknown whereabouts , name or job description", "Denver Police Department Major Crimes closed investigation", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "I bring up the personal nature of the crime because a delete service has been used", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "All IoC\u2019s originate from sources named. There are some unknown attackers", "This is a serious crime. I\u2019m certain God WILL pay them.", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "https://207-207-25-201.fwd.datafoundry.com/", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "Updated | What\u2019s left after theft", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "https://www.datafoundry.com/category/news/press-releases/", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "Some may may find this content is very disturbing and offensive" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Porn Revenge", "display_name": "Porn Revenge", "target": null }, { "id": "Tons of Malware", "display_name": "Tons of Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6034, "domain": 1422, "FileHash-MD5": 274, "FileHash-SHA1": 252, "FileHash-SHA256": 3378, "email": 11, "hostname": 2753, "CVE": 1, "SSLCertFingerprint": 9 }, "indicator_count": 14134, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "41 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d167a8cf2e7966af16a671", "name": "Mirai \u2022 Emotet \u2022 Injection VT & AlienVault reports deleted & modified", "description": "Remote actor uses injection, brute force and remote logins to delete incriminating pulse , virustotal and otx.alienvault pulses, nodes and/or graphs.\n\u2192https://myaccount.uscis.gov/- Immigration (DHS) Login. For years many tactics, social engineering and fraudulent activities persisted. Contact is made to American born citizens, to get in touch. A website is provided, homepage on affected devices is bogus, you have to call to address bogus government concern. Target calls redirected to a call center where they're told they have reached immigration, to verify PII, next told it's a mistake as they are not in the system. At some point meritless notification of Patriot Act violation is received. Identity theft occurs. Credit, bank and other accounts are cancelled. Likely away to gain legal access to spy on targets.", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-18T02:12:56.143000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "804 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d167a9c59fe757dc56b395", "name": "Mirai \u2022 Emotet \u2022 Injection VT & AlienVault reports deleted & modified", "description": "Remote actor uses injection, brute force and remote logins to delete incriminating pulse , virustotal and otx.alienvault pulses, nodes and/or graphs.\n\u2192https://myaccount.uscis.gov/- Immigration (DHS) Login. For years many tactics, social engineering and fraudulent activities persisted. Contact is made to American born citizens, to get in touch. A website is provided, homepage on affected devices is bogus, you have to call to address bogus government concern. Target calls redirected to a call center where they're told they have reached immigration, to verify PII, next told it's a mistake as they are not in the system. At some point meritless notification of Patriot Act violation is received. Identity theft occurs. Credit, bank and other accounts are cancelled. Likely away to gain legal access to spy on targets.", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-18T02:12:57.917000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "804 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d3ae057e25854811cc1395", "name": "Mirai \u2022 Injection VT & AlienVault reports deleted & modified", "description": "", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-19T19:37:41.208000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": "65d167a9c59fe757dc56b395", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "804 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c994c8b145925072b6583a", "name": "Private Loader cyber threat - Sliq.net | https://house.mo.gov", "description": "Link found active in https://house.mo.gov. \nhttps://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1 |", "modified": "2024-03-13T03:00:40.889000", "created": "2024-02-12T03:47:20.138000", "tags": [ "ssl certificate", "threat roundup", "referrer", "historical ssl", "remcos rat", "august", "iocs", "contacted", "qakbot", "june", "service", "privateloader", "amadey", "blacknet rat", "qbot", "cobalt strike", "push", "core", "malformed domains", "sliq", "typosquatting", "malware", "network", "dns", "spyware", "access", "remote", "cyber threat", "virus network", "command and control", "remote connections", "exploits", "injection", "legislature", "trojan", "scanning host", "threat analyzer", "threat", "paste", "urls https", "locationchamber", "viewmode3", "hostnames", "url https", "false layer", "http" ], "references": [ "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "https://www.facebooksunglassshop.com [pegasus related]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Technology", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 36, "FileHash-SHA256": 1384, "CVE": 5, "URL": 1865, "domain": 222, "hostname": 648 }, "indicator_count": 4216, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "810 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab679e6ff8544ecf11962", "name": "Private Loader cyber threat - Sliq.net | https://house.mo.gov ", "description": "", "modified": "2024-03-13T03:00:40.889000", "created": "2024-02-13T00:23:21.062000", "tags": [ "ssl certificate", "threat roundup", "referrer", "historical ssl", "remcos rat", "august", "iocs", "contacted", "qakbot", "june", "service", "privateloader", "amadey", "blacknet rat", "qbot", "cobalt strike", "push", "core", "malformed domains", "sliq", "typosquatting", "malware", "network", "dns", "spyware", "access", "remote", "cyber threat", "virus network", "command and control", "remote connections", "exploits", "injection", "legislature", "trojan", "scanning host", "threat analyzer", "threat", "paste", "urls https", "locationchamber", "viewmode3", "hostnames", "url https", "false layer", "http" ], "references": [ "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "https://www.facebooksunglassshop.com [pegasus related]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Technology", "Civil Society" ], "TLP": "white", "cloned_from": "65c994c8b145925072b6583a", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 36, "FileHash-SHA256": 1384, "CVE": 5, "URL": 1865, "domain": 222, "hostname": 648 }, "indicator_count": 4216, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "810 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659864357d1d3185efc5c112", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus", "description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-05T20:19:01.457000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659864448507cc1752ff6456", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus", "description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-05T20:19:16.886000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a4898fa85cad0af83e032d", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus ", "description": "", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-15T01:25:35.060000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "659864448507cc1752ff6456", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "www.dead-speak.com", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "Unknown Persons impersonating Private Investigators (plural)", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "https://www.adultforce.com/ [malvertizing Tsara Brashears]", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "https://www.datafoundry.com/category/news/press-releases/", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "tsarabrashears.com", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "sweetheartvideo.com", "Mark Brian Sabey", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "Targeting", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "http://r3.o.lencr.org", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "Reimer was a PT. Unknown whereabouts , name or job description", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "114.114.114.114 - Tulach Malware", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "https://webmail.police.govmm.org/owa/", "104.247.75.218 | [cnc ]", "Victim silenced. Struck by Car Driven by male police let walk", "I bring up the personal nature of the crime because a delete service has been used", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "This is a serious crime. I\u2019m certain God WILL pay them.", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "https://rdweb.datafoundry.com/", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "Ronda Cordova", "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "CVE-2017-0147", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "http://watchhers.net/index.php", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "www.governmentattic.org [privilege: malicious malware downloading]", "Quasi Government Case", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "https://www.datafoundry.com/data-center-contamination-control/", "Yara Detections: GlassesCode", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "Melvin Sabey", "Some may may find this content is very disturbing and offensive", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "Christopher P \u2018Buzz\u2019 Ahmann", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "Denver Police Department Major Crimes closed investigation", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "http://212.33.237.86/images/1/report.php", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "Certificate Subject CN=brazzerspesonals.com", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://207-207-25-201.fwd.datafoundry.com/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "https://www.facebooksunglassshop.com [pegasus related]", "All IoC\u2019s originate from sources named. There are some unknown attackers", "Updated | What\u2019s left after theft", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win32:trojan-gen", "Porn revenge", "Qakbot", "Blacknet rat", "Hallgrand", "Win32/cmsbrute/pifagor", "Et", "Win32/dh{gvijaw?}", "Amadey", "Nsis", "Win.trojan.6977536-1", "Malware", "Cve-2017-0147", "Brashears", "Win.trojan.generic-6333842-0", "Privateloader", "Nebuler/dialer.qn", "Spaceship", "Virus:dos/paris", "Hacktool", "Elf:ddos-y\\ [trj]", "Qbot", "Ddos:linux/mirai", "Tons of malware", "Sabey", "Mirai", "Win32:vitro", "Cobalt strike", "Tulach", "Hallrender", "Trojan:win32/tinba!rfn", "Win32:emotet-ai\\ [trj]" ], "industries": [ "Civil society", "Government", "Technology" ], "unique_indicators": 66239 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/carmody-consulting.com", "whois": "http://whois.domaintools.com/carmody-consulting.com", "domain": "carmody-consulting.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "69bf261cc4e399447d78776c", "name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |", "description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com", "modified": "2026-04-20T21:01:07.869000", "created": "2026-03-21T23:13:32.760000", "tags": [ "sc data", "data upload", "please sub", "include data", "extraction", "failed", "sc pulse", "idron anv", "extr please", "include review", "exclude sugges", "stop show", "typ domain", "united", "virtool", "name servers", "cryp", "emails", "win32", "ip address", "worm", "trojan", "learn", "suspicious", "informative", "ck id", "name tactics", "command", "adversaries", "spawns", "ssl certificate", "initial access", "link initial", "prefetch8", "mitre att", "ck matrix", "flag", "windows nt", "win64", "accept", "encrypt", "form", "hybrid", "bypass", "general", "path", "iframe", "click", "strings", "anchor https", "anchor", "liberal", "sabey", "liberal friends", "meta", "html internet", "html document", "unicode text", "utf8 text", "info initial", "access ta0001", "compromise", "t1189 network", "communication", "get http", "artifacts v", "full reports", "v get", "help dns", "resolutions", "ip traffic", "extr data", "enter sc", "extra data", "referen", "broth", "passive dns", "urls", "http", "hostname", "files domain", "files related", "related tags", "none google", "safe browsing", "inquest labs", "lucas acha", "code integrity", "checks creation", "otx logo", "all hostname", "files", "domain", "protect", "date", "title", "exchange", "se http", "present jan", "present feb", "present dec", "backdoor", "certificate", "all domain", "alibaba cloud", "hichina", "porkbun llc", "cloudflare", "namecheap inc", "namecheap", "domains", "dynadot llc", "ascio", "denmark", "url https", "filehashsha256", "url http", "dopple ai", "snit", "iocs", "otx description", "information", "report spam", "delete service", "poem", "hunter", "malicious", "porn revenge", "brian sabeys", "all report", "spam delete", "rl http", "https", "expiration http", "spam brian", "swipper", "type indicator", "role title", "added active", "related pulses", "filehashmd5", "filehashsha1", "sha256", "scan", "learn more", "indicators show", "tbmvid", "sourcelnms", "zx1724209326040", "xxx videos", "xxxvideohd", "adversary", "packing", "palantir.com", "discovery", "victim won case", "doin it", "palantirian abuse", "apple", "sabey data centers", "insurance", "quasi government", "the brother sabey", "reimer", "law enforcement", "vessel state", "sabey porn", "hall evans", "christopher ahmann", "defamation", "google" ], "references": [ "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "http://watchhers.net/index.php", "http://212.33.237.86/images/1/report.php", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://webmail.police.govmm.org/owa/", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "Mark Brian Sabey", "Melvin Sabey", "Christopher P \u2018Buzz\u2019 Ahmann", "Ronda Cordova", "Unknown Persons impersonating Private Investigators (plural)", "Quasi Government Case", "Victim silenced. Struck by Car Driven by male police let walk", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "Reimer was a PT. Unknown whereabouts , name or job description", "Denver Police Department Major Crimes closed investigation", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "I bring up the personal nature of the crime because a delete service has been used", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "All IoC\u2019s originate from sources named. There are some unknown attackers", "This is a serious crime. I\u2019m certain God WILL pay them.", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "https://207-207-25-201.fwd.datafoundry.com/", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "Updated | What\u2019s left after theft", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "https://www.datafoundry.com/category/news/press-releases/", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "Some may may find this content is very disturbing and offensive" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Porn Revenge", "display_name": "Porn Revenge", "target": null }, { "id": "Tons of Malware", "display_name": "Tons of Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6034, "domain": 1422, "FileHash-MD5": 274, "FileHash-SHA1": 252, "FileHash-SHA256": 3378, "email": 11, "hostname": 2753, "CVE": 1, "SSLCertFingerprint": 9 }, "indicator_count": 14134, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "41 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d167a8cf2e7966af16a671", "name": "Mirai \u2022 Emotet \u2022 Injection VT & AlienVault reports deleted & modified", "description": "Remote actor uses injection, brute force and remote logins to delete incriminating pulse , virustotal and otx.alienvault pulses, nodes and/or graphs.\n\u2192https://myaccount.uscis.gov/- Immigration (DHS) Login. For years many tactics, social engineering and fraudulent activities persisted. Contact is made to American born citizens, to get in touch. A website is provided, homepage on affected devices is bogus, you have to call to address bogus government concern. Target calls redirected to a call center where they're told they have reached immigration, to verify PII, next told it's a mistake as they are not in the system. At some point meritless notification of Patriot Act violation is received. Identity theft occurs. Credit, bank and other accounts are cancelled. Likely away to gain legal access to spy on targets.", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-18T02:12:56.143000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "804 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d167a9c59fe757dc56b395", "name": "Mirai \u2022 Emotet \u2022 Injection VT & AlienVault reports deleted & modified", "description": "Remote actor uses injection, brute force and remote logins to delete incriminating pulse , virustotal and otx.alienvault pulses, nodes and/or graphs.\n\u2192https://myaccount.uscis.gov/- Immigration (DHS) Login. For years many tactics, social engineering and fraudulent activities persisted. Contact is made to American born citizens, to get in touch. A website is provided, homepage on affected devices is bogus, you have to call to address bogus government concern. Target calls redirected to a call center where they're told they have reached immigration, to verify PII, next told it's a mistake as they are not in the system. At some point meritless notification of Patriot Act violation is received. Identity theft occurs. Credit, bank and other accounts are cancelled. Likely away to gain legal access to spy on targets.", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-18T02:12:57.917000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "804 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d3ae057e25854811cc1395", "name": "Mirai \u2022 Injection VT & AlienVault reports deleted & modified", "description": "", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-19T19:37:41.208000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": "65d167a9c59fe757dc56b395", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "804 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c994c8b145925072b6583a", "name": "Private Loader cyber threat - Sliq.net | https://house.mo.gov", "description": "Link found active in https://house.mo.gov. \nhttps://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1 |", "modified": "2024-03-13T03:00:40.889000", "created": "2024-02-12T03:47:20.138000", "tags": [ "ssl certificate", "threat roundup", "referrer", "historical ssl", "remcos rat", "august", "iocs", "contacted", "qakbot", "june", "service", "privateloader", "amadey", "blacknet rat", "qbot", "cobalt strike", "push", "core", "malformed domains", "sliq", "typosquatting", "malware", "network", "dns", "spyware", "access", "remote", "cyber threat", "virus network", "command and control", "remote connections", "exploits", "injection", "legislature", "trojan", "scanning host", "threat analyzer", "threat", "paste", "urls https", "locationchamber", "viewmode3", "hostnames", "url https", "false layer", "http" ], "references": [ "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "https://www.facebooksunglassshop.com [pegasus related]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Technology", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 36, "FileHash-SHA256": 1384, "CVE": 5, "URL": 1865, "domain": 222, "hostname": 648 }, "indicator_count": 4216, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "810 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab679e6ff8544ecf11962", "name": "Private Loader cyber threat - Sliq.net | https://house.mo.gov ", "description": "", "modified": "2024-03-13T03:00:40.889000", "created": "2024-02-13T00:23:21.062000", "tags": [ "ssl certificate", "threat roundup", "referrer", "historical ssl", "remcos rat", "august", "iocs", "contacted", "qakbot", "june", "service", "privateloader", "amadey", "blacknet rat", "qbot", "cobalt strike", "push", "core", "malformed domains", "sliq", "typosquatting", "malware", "network", "dns", "spyware", "access", "remote", "cyber threat", "virus network", "command and control", "remote connections", "exploits", "injection", "legislature", "trojan", "scanning host", "threat analyzer", "threat", "paste", "urls https", "locationchamber", "viewmode3", "hostnames", "url https", "false layer", "http" ], "references": [ "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "https://www.facebooksunglassshop.com [pegasus related]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Technology", "Civil Society" ], "TLP": "white", "cloned_from": "65c994c8b145925072b6583a", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 36, "FileHash-SHA256": 1384, "CVE": 5, "URL": 1865, "domain": 222, "hostname": 648 }, "indicator_count": 4216, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "810 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659864357d1d3185efc5c112", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus", "description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-05T20:19:01.457000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659864448507cc1752ff6456", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus", "description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-05T20:19:16.886000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a4898fa85cad0af83e032d", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus ", "description": "", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-15T01:25:35.060000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "659864448507cc1752ff6456", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://carmody-consulting.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://carmody-consulting.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780343729.4746654 }