{ "type": "URL", "indicator": "https://cc.aogg.top/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cc.aogg.top/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4057639860, "indicator": "https://cc.aogg.top/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "69519fa81048ad057eb9beaa", "name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)", "description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. | \nWhere does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.", "modified": "2026-01-27T21:02:45.343000", "created": "2025-12-28T21:22:48.595000", "tags": [ "united", "servers", "moved", "ip address", "record value", "encrypt", "present jul", "present jun", "trojandropper", "passive dns", "ipv4 add", "urls", "files", "virtool", "united states", "dynamicloader", "directui", "element", "classinfobase", "write c", "medium", "yara rule", "msvisualbasic60", "high", "hwndelement", "explorer", "write", "movie", "insert", "program", "python", "http traffic", "trojan generic", "search", "cnc activity", "delphi", "win32", "launcher", "pony", "fareit", "malware", "push", "msie", "windows nt", "generic", "checkin", "post", "yara detections", "rxr", "inject", "memcommit", "cryptexportkey", "invalid pointer", "regsetvalueexa", "solutions ltd", "read c", "regdword", "mozilla", "persistence", "execution", "android", "unknown", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "initial access", "defense evasion", "spawns", "t1590 gather", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "pattern match", "mitre att", "ck matrix", "href", "ascii text", "starfield", "hybrid", "general", "local", "path", "iframe", "palantir", "present nov", "present oct", "status", "present apr", "present dec", "cryp", "date", "trojan", "title", "name servers", "windows", "t1060", "disables proxy", "dock", "pegasus", "rootkit", "backdoor", "susp", "win32qqpass feb", "worm", "msr win32", "win64", "process32nextw", "findwindowa", "file execution", "writeconsolea", "procexpl", "file v2", "document", "document file", "v2 document", "lost", "tools", "pecompact", "media", "autorun", "service", "post http", "delete", "alerts", "emotet", "rkt", "autorun", "worm", "plugins", "title error", "body doctype", "html public", "w3cdtd html", "html head", "domain", "expiration date", "hostname add", "pulse pulses", "contacted hosts", "sha1", "sha256", "show technique", "strings", "t1480 execution", "signing defense", "script urls", "a domains", "unknown ns", "texas flyover", "script domains", "script script", "meta", "window", "process details", "contacted" ], "references": [ "Cart.Guru", "Yara Detections: Delphi", "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer", "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer", "HTTP traffic on port 443 (POST)", "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query", "Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs", "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http", "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates", "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http", "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe", "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check", "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad", "Yara Detections: Nullsoft_NSIS ...", "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat", "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com", "Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103", "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx", "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy", "Emotet IDS Detections: Win32/Emotet CnC Checkin Response", "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users" ], "public": 1, "adversary": "Palantir Pegasus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RXR", "display_name": "RXR", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Bagsu!rfn", "display_name": "Trojan:Win32/Bagsu!rfn", "target": "/malware/Trojan:Win32/Bagsu!rfn" }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "#Lowfi:Win32/SandboxProductId", "display_name": "#Lowfi:Win32/SandboxProductId", "target": "/malware/#Lowfi:Win32/SandboxProductId" }, { "id": "Win32:Backdoor", "display_name": "Win32:Backdoor", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "ALF:Trojan:MSIL/BlackFus.C", "display_name": "ALF:Trojan:MSIL/BlackFus.C", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "TrojanProxy:Win32/Ceutv.A", "display_name": "TrojanProxy:Win32/Ceutv.A", "target": "/malware/TrojanProxy:Win32/Ceutv.A" }, { "id": "VirTool:Win32/Obfuscator.AHU", "display_name": "VirTool:Win32/Obfuscator.AHU", "target": "/malware/VirTool:Win32/Obfuscator.AHU" }, { "id": "ShellCode", "display_name": "ShellCode", "target": null }, { "id": "Win32:Rootkit", "display_name": "Win32:Rootkit", "target": null }, { "id": "VB Flash", "display_name": "VB Flash", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Win.Packed.Razy-6847895-0", "display_name": "Win.Packed.Razy-6847895-0", "target": null }, { "id": "Backdoor:Win32/Plugx.N!", "display_name": "Backdoor:Win32/Plugx.N!", "target": "/malware/Backdoor:Win32/Plugx.N!" }, { "id": "Win.Dropper.QQpass-7194329-0", "display_name": "Win.Dropper.QQpass-7194329-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win32:Agent", "display_name": "Win32:Agent", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "Win.Trojan.Emotet-7545664-0", "display_name": "Win.Trojan.Emotet-7545664-0", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2362, "domain": 449, "hostname": 710, "email": 6, "FileHash-MD5": 260, "FileHash-SHA1": 201, "FileHash-SHA256": 333, "SSLCertFingerprint": 27 }, "indicator_count": 4348, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69519fa818f84531ce6becc9", "name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)", "description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. Where does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.", "modified": "2026-01-27T21:02:45.343000", "created": "2025-12-28T21:22:48.383000", "tags": [ "united", "servers", "moved", "ip address", "record value", "encrypt", "present jul", "present jun", "trojandropper", "passive dns", "ipv4 add", "urls", "files", "virtool", "united states", "dynamicloader", "directui", "element", "classinfobase", "write c", "medium", "yara rule", "msvisualbasic60", "high", "hwndelement", "explorer", "write", "movie", "insert", "program", "python", "http traffic", "trojan generic", "search", "cnc activity", "delphi", "win32", "launcher", "pony", "fareit", "malware", "push", "msie", "windows nt", "generic", "checkin", "post", "yara detections", "rxr", "inject", "memcommit", "cryptexportkey", "invalid pointer", "regsetvalueexa", "solutions ltd", "read c", "regdword", "mozilla", "persistence", "execution", "android", "unknown", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "initial access", "defense evasion", "spawns", "t1590 gather", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "pattern match", "mitre att", "ck matrix", "href", "ascii text", "starfield", "hybrid", "general", "local", "path", "iframe", "palantir", "present nov", "present oct", "status", "present apr", "present dec", "cryp", "date", "trojan", "title", "name servers", "windows", "t1060", "disables proxy", "dock", "pegasus", "rootkit", "backdoor", "susp", "win32qqpass feb", "worm", "msr win32", "win64", "process32nextw", "findwindowa", "file execution", "writeconsolea", "procexpl", "file v2", "document", "document file", "v2 document", "lost", "tools", "pecompact", "media", "autorun", "service", "post http", "delete", "alerts", "emotet", "rkt", "autorun", "worm", "plugins", "title error", "body doctype", "html public", "w3cdtd html", "html head", "domain", "expiration date", "hostname add", "pulse pulses", "contacted hosts", "sha1", "sha256", "show technique", "strings", "t1480 execution", "signing defense", "script urls", "a domains", "unknown ns", "texas flyover", "script domains", "script script", "meta", "window", "process details", "contacted" ], "references": [ "Cart.Guru", "Yara Detections: Delphi", "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer", "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer", "HTTP traffic on port 443 (POST)", "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query", "Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs", "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http", "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates", "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http", "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe", "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check", "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad", "Yara Detections: Nullsoft_NSIS ...", "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat", "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com", "Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103", "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx", "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy", "Emotet IDS Detections: Win32/Emotet CnC Checkin Response", "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users" ], "public": 1, "adversary": "Palantir Pegasus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RXR", "display_name": "RXR", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Bagsu!rfn", "display_name": "Trojan:Win32/Bagsu!rfn", "target": "/malware/Trojan:Win32/Bagsu!rfn" }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "#Lowfi:Win32/SandboxProductId", "display_name": "#Lowfi:Win32/SandboxProductId", "target": "/malware/#Lowfi:Win32/SandboxProductId" }, { "id": "Win32:Backdoor", "display_name": "Win32:Backdoor", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "ALF:Trojan:MSIL/BlackFus.C", "display_name": "ALF:Trojan:MSIL/BlackFus.C", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "TrojanProxy:Win32/Ceutv.A", "display_name": "TrojanProxy:Win32/Ceutv.A", "target": "/malware/TrojanProxy:Win32/Ceutv.A" }, { "id": "VirTool:Win32/Obfuscator.AHU", "display_name": "VirTool:Win32/Obfuscator.AHU", "target": "/malware/VirTool:Win32/Obfuscator.AHU" }, { "id": "ShellCode", "display_name": "ShellCode", "target": null }, { "id": "Win32:Rootkit", "display_name": "Win32:Rootkit", "target": null }, { "id": "VB Flash", "display_name": "VB Flash", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Win.Packed.Razy-6847895-0", "display_name": "Win.Packed.Razy-6847895-0", "target": null }, { "id": "Backdoor:Win32/Plugx.N!", "display_name": "Backdoor:Win32/Plugx.N!", "target": "/malware/Backdoor:Win32/Plugx.N!" }, { "id": "Win.Dropper.QQpass-7194329-0", "display_name": "Win.Dropper.QQpass-7194329-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win32:Agent", "display_name": "Win32:Agent", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "Win.Trojan.Emotet-7545664-0", "display_name": "Win.Trojan.Emotet-7545664-0", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2362, "domain": 449, "hostname": 710, "email": 6, "FileHash-MD5": 260, "FileHash-SHA1": 201, "FileHash-SHA256": 333, "SSLCertFingerprint": 27 }, "indicator_count": 4348, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692d02f096f3ec8b5b507496", "name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace", "description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.", "modified": "2025-12-31T02:01:50.101000", "created": "2025-12-01T02:52:32.483000", "tags": [ "business", "enterprise", "drive", "english", "google drive", "try drive", "business small", "workspace", "sign", "strong", "find", "life", "tools", "protect", "cloud", "simple", "android", "indonesia", "video", "mb download", "shared may", "shared", "learn", "drive drive", "name date", "javascript", "dynamicloader", "medium", "minimal headers", "high", "observed get", "get http", "united", "yara rule", "http", "write", "guard", "malware", "read c", "ms windows", "intel", "png image", "rgba", "pe32", "get na", "explorer", "music", "virlock", "media", "ho chi", "minh city", "viet nam", "storage company", "limited", "google", "address as", "luutruso", "cloudflar", "domain", "asn15169", "asn56153", "asn13335", "cisco", "umbrella rank", "apex domain", "url https", "kb stylesheet", "kb font", "kb image", "image", "kb script", "november", "resource path", "size", "type mimetype", "primary request", "redirect chain", "kb document", "urls", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "t1590 gather", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "domain address", "rsdsq jfu", "ollydbg ollydbg", "wireshark", "external", "binary file", "mitre att", "ck matrix", "aaaa", "cong ty", "co phan", "code", "province hcm", "files", "ip address", "request", "flag", "country", "contacted hosts", "process details", "link initial", "t1480 execution", "domains", "moved", "gmt content", "all ipv4", "url analysis", "location viet", "title", "error", "problem", "url add", "related nids", "files location", "flag united", "development att", "name server", "markmonitor", "localappdata", "programfiles", "edge", "hyundai", "social engineering", ".mil", "hackers", "phishing eml", "summary", "cisco umbrella", "google safe", "browsing", "current dns", "a record", "ip information", "ipasns ip", "detail domain", "domain tree", "links apex", "transfer", "b script", "b stylesheet", "frame b830", "b document", "value", "december", "degurafregistry", "gat object", "jsl object", "gapijstiming", "iframe function", "domainpath name", "nid value", "source level", "files domain", "files related", "tags", "related tags", "virustotal", "foundry", "pulse otx", "dark", "vietnam", "present aug", "present nov", "present jul", "present sep", "unknown aaaa", "search", "name servers", "present oct", "trojan", "data upload", "extraction", "se https", "include review", "exclude sugges", "find s", "failed", "typ don", "faith", "study", "romeo\u2019s", "juliettes", "femme fatales", "strategy", "honey pot", "honey traps", "spy", "helix", "anons", "passive dns", "pulse pulses", "files ip", "address", "location united", "asn as400519", "whois registrar", "ms defender", "files matching", "number", "sample analysis", "hide samples", "date hash", "cameras", "cams", "spycam", "botnet", "vietnam", "company limited", "dnssec", "status", "india unknown", "present may", "espionage", "hostname add", "generic", "cnc activity", "backdoor", "ipv4", "anonsecbotnet", "iptv" ], "references": [ "drive.google.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "zalo.me | href | Binary File | ATT&CK ID T1566.002", "https://account.helix.com/activate/start", "anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022", "https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]", "Terse Unencrypted Request for Google - Likely Connectivity Check", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6", "cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com", "https://hyundaibariavungtau3s.com/vehicle/stargazer", "https://hyundaibariavungtau3s.com/vehicle/ioniq-5", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade", "https://hyundaibariavungtau3s.com/vehicle/hyundai-custin", "https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/", "https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com", "https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com", "http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/", "http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466", "https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam", "feedback-pa.clients6.google.com/v1/survey/trigger/", "https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg", "anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Virus.Virlock-6804475-0", "display_name": "Win.Virus.Virlock-6804475-0", "target": null }, { "id": "Win.Malware.Bzub-6727003-0", "display_name": "Win.Malware.Bzub-6727003-0", "target": null }, { "id": "Win.Trojan.Generic-9801687-0", "display_name": "Win.Trojan.Generic-9801687-0", "target": null }, { "id": "NID", "display_name": "NID", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Dropper.njRAT-10015886-0", "display_name": "Win.Dropper.njRAT-10015886-0", "target": null }, { "id": "Win.Packed.Generic-9795615-0", "display_name": "Win.Packed.Generic-9795615-0", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ GC!", "display_name": "Backdoor:MSIL/Bladabindi.AJ GC!", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!" }, { "id": "Win.Packed.Generic-9795615-0\t.", "display_name": "Win.Packed.Generic-9795615-0\t.", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ", "display_name": "Backdoor:MSIL/Bladabindi.AJ", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ" }, { "id": "Win.Packed.Fecn-7077459-0", "display_name": "Win.Packed.Fecn-7077459-0", "target": null }, { "id": "Trojan:MSIL/Ranos.A", "display_name": "Trojan:MSIL/Ranos.A", "target": "/malware/Trojan:MSIL/Ranos.A" }, { "id": "Win.Trojan.Generic-6417450-0", "display_name": "Win.Trojan.Generic-6417450-0", "target": null }, { "id": "ALF:Backdoor:MSIL/Noancooe.KA", "display_name": "ALF:Backdoor:MSIL/Noancooe.KA", "target": null }, { "id": "Win.Packed.Msilperseus-9956592-0", "display_name": "Win.Packed.Msilperseus-9956592-0", "target": null }, { "id": "Trojan:MSIL/ClipBanker", "display_name": "Trojan:MSIL/ClipBanker", "target": "/malware/Trojan:MSIL/ClipBanker" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1194", "name": "Spearphishing via Service", "display_name": "T1194 - Spearphishing via Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1911, "hostname": 714, "FileHash-SHA256": 1304, "FileHash-MD5": 159, "FileHash-SHA1": 71, "SSLCertFingerprint": 2, "domain": 421, "CVE": 1, "email": 4 }, "indicator_count": 4587, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6923408464566e39caf32285", "name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)", "description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00", "modified": "2025-12-23T16:04:54.329000", "created": "2025-11-23T17:12:36.917000", "tags": [ "no expiration", "expiration", "url https", "url http", "filehashsha256", "hostname", "domain", "filehashmd5", "filehashsha1", "ipv4", "code", "pool", "timothy pool", "z3je z3uwq7", "creation date", "ip address", "emails", "expiration date", "status", "hostname add", "pulse pulses", "passive dns", "urls", "date" ], "references": [ "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "www.techcult.com", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Yara: Detections ConventionEngine_Term_Users", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Yara : MS_Visual_Basic_6_0 ,", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Alerts: mouse_movement_detect", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "Foundry stalking." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDropper:Win32/VB.IL0", "display_name": "TrojanDropper:Win32/VB.IL0", "target": "/malware/TrojanDropper:Win32/VB.IL0" }, { "id": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 773, "FileHash-SHA1": 684, "FileHash-SHA256": 1910, "CVE": 2, "SSLCertFingerprint": 4, "URL": 3783, "domain": 878, "email": 7, "hostname": 1913 }, "indicator_count": 9954, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "117 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68feb98a8c1b75b4431a3e8e", "name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?", "description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.", "modified": "2025-11-25T20:05:31.749000", "created": "2025-10-27T00:15:06.191000", "tags": [ "html internet", "html document", "ascii text", "language", "cve202323397", "iframe tags", "tag manager", "gtmkvjvztk", "anchor hrefs", "info ta0011", "protocol", "layer protocol", "port", "t1571 encrypted", "channel", "t1573 malware", "tree", "oc0006 http", "c0014", "get http", "dns resolutions", "resolved ips", "user", "data", "datacrashpad", "edge", "v full", "reports v", "chrome u", "appdata local", "googlechrome u", "u ser", "cname", "ip address", "http", "accept", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "extraction", "suggested iocs", "data upload", "cry dee", "stop", "type", "url indicator", "enter", "failed", "se share", "extrac", "enter so", "passive dns", "urls", "hostname add", "pulse pulses", "files", "domain", "files ip", "address", "location united", "asn as20473", "dynamicloader", "directui", "write c", "intel", "ms windows", "pe32", "element", "delete c", "document file", "v2 document", "explorer", "trojandropper", "write", "markus", "august", "movie", "insert", "pulse submit", "url analysis", "asn as8068", "united", "entries", "body", "please", "x msedge", "ipv4 add", "present sep", "present oct", "present feb", "status", "unknown ns", "search", "name servers", "present jul", "aaaa", "present apr", "trojan", "medium", "high", "yara rule", "globalc", "june", "malware", "win64", "unknown", "america flag", "twitter", "hostname", "domain add", "reverse dns", "america asn", "present aug", "a domains", "moved", "first pqc", "unknown aaaa", "title", "meta", "window", "encrypt", "pulse indicator", "body doctype", "welcome", "ok server", "gmt content", "atlanta", "abuse", "agent", "service", "present jun", "present may", "creation date", "record value", "servers", "libretv meta", "certificate", "value", "whois lookup", "loopia ab", "userlolxxl" ], "references": [ "http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist", "It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!", "pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz", "Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com", "docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips", "https://hs.ecam.com/your-challenges-ecams-solutions", "https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022", "https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/", "Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Wannacry", "display_name": "Wannacry", "target": null }, { "id": "Foundry", "display_name": "Foundry", "target": null }, { "id": "Trojan:Win32/Comisproc!gmb", "display_name": "Trojan:Win32/Comisproc!gmb", "target": "/malware/Trojan:Win32/Comisproc!gmb" }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "#Exploit:Win32/CVE- 2023 - 23397", "display_name": "#Exploit:Win32/CVE- 2023 - 23397", "target": "/malware/#Exploit:Win32/CVE- 2023 - 23397" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "ALF:PulZati:Worm:Win32/Mydoom", "display_name": "ALF:PulZati:Worm:Win32/Mydoom", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 8, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 248, "FileHash-SHA1": 134, "FileHash-SHA256": 2661, "URL": 6257, "domain": 682, "email": 8, "hostname": 2077, "CVE": 1 }, "indicator_count": 12068, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "144 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67fe9f3c682800301b89c556", "name": "Sitemap This page shows the most recent scans (manual, API, automatic) to be picked up by spiders.", "description": "https://urlscan.io/sitemap/", "modified": "2025-09-01T08:05:18.611000", "created": "2025-04-15T18:02:36.693000", "tags": [ "new run", "key pointing", "run key", "roth", "nextron", "markus neis", "sander wiebing", "public", "imagestartswith", "delnoderundll32", "vhash", "imphash", "rich pe", "ssdeep", "data sheetfinal", "wbn1", "mobil ip", "hsotu tin", "firmar", "statement", "ebook", "uwaaj moesz" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 168, "FileHash-MD5": 106, "FileHash-SHA1": 101, "FileHash-SHA256": 415, "hostname": 63, "domain": 61, "CVE": 1 }, "indicator_count": 915, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68629f622fe936e3141a1ed0", "name": "APT33 (by ilyailya)", "description": "", "modified": "2025-06-30T14:29:54.892000", "created": "2025-06-30T14:29:54.892000", "tags": [ "apfs encryption", "adguard extra", "jumpcloud go", "chrome web", "store", "privacy badger", "safety checker", "stay", "mywot", "flowcrypt", "encrypt gmail", "simple", "facebook", "apollo", "future", "assistant", "excbreakpoint", "sigtrap", "excguard", "renderer", "vallumes", "excbadaccess", "sigsegv", "helper", "chrome helper", "exccrash", "rave scout", "cookies", "public folder", "browsersignin", "denyactivation", "disableoverride", "loginwindowtext", "jumpcloud", "disableairdrop", "enablefirewall", "macos14action", "macos13action", "showfullname", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "yubico", "daemon", "service", "server", "open directory", "account", "kerberos admin", "kerberos change", "io daemon", "device daemon", "network", "bridge", "desktop", "installer", "calendar", "screensaver", "agent", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "command line", "cloud", "remote assist", "aesxtsarm", "aesecbarm", "darwin kernel", "version", "fri apr", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "user", "coregraphics", "quartzcore", "dock", "corefoundation", "cgimage", "cgcolorspace", "load address", "identifier", "build info", "code type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6816697e166bba8972d8d4a3", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 125, "hostname": 402, "FileHash-SHA256": 38, "URL": 582, "CVE": 1 }, "indicator_count": 1148, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "293 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6816697e166bba8972d8d4a3", "name": "APT33", "description": "APT33", "modified": "2025-06-02T18:02:26.651000", "created": "2025-05-03T19:07:42.325000", "tags": [ "apfs encryption", "adguard extra", "jumpcloud go", "chrome web", "store", "privacy badger", "safety checker", "stay", "mywot", "flowcrypt", "encrypt gmail", "simple", "facebook", "apollo", "future", "assistant", "excbreakpoint", "sigtrap", "excguard", "renderer", "vallumes", "excbadaccess", "sigsegv", "helper", "chrome helper", "exccrash", "rave scout", "cookies", "public folder", "browsersignin", "denyactivation", "disableoverride", "loginwindowtext", "jumpcloud", "disableairdrop", "enablefirewall", "macos14action", "macos13action", "showfullname", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "yubico", "daemon", "service", "server", "open directory", "account", "kerberos admin", "kerberos change", "io daemon", "device daemon", "network", "bridge", "desktop", "installer", "calendar", "screensaver", "agent", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "command line", "cloud", "remote assist", "aesxtsarm", "aesecbarm", "darwin kernel", "version", "fri apr", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "user", "coregraphics", "quartzcore", "dock", "corefoundation", "cgimage", "cgcolorspace", "load address", "identifier", "build info", "code type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 125, "hostname": 402, "FileHash-SHA256": 38, "URL": 582, "CVE": 1 }, "indicator_count": 1148, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "320 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs", "anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net", "https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/", "OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist", "Alerts: mouse_movement_detect", "Yara Detections: Delphi", "https://hyundaibariavungtau3s.com/vehicle/stargazer", "Yara : MS_Visual_Basic_6_0 ,", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer", "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue", "https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/", "docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com", "https://hyundaibariavungtau3s.com/vehicle/hyundai-custin", "https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/", "anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "https://account.helix.com/activate/start", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022", "http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "HTTP traffic on port 443 (POST)", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com", "Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains", "zalo.me | href | Binary File | ATT&CK ID T1566.002", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "Cart.Guru", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!", "Yara: Detections ConventionEngine_Term_Users", "http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy", "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query", "cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com", "https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe", "https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam", "Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com", "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http", "Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103", "Terse Unencrypted Request for Google - Likely Connectivity Check", "https://hs.ecam.com/your-challenges-ecams-solutions", "drive.google.com/", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "Foundry stalking.", "http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466", "www.techcult.com", "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer", "Yara Detections: Nullsoft_NSIS ...", "feedback-pa.clients6.google.com/v1/survey/trigger/", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade", "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com", "https://hyundaibariavungtau3s.com/vehicle/ioniq-5", "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad", "pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6", "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "https://foundry2-lbl.dvr.dn2.n-helix.com/", "Emotet IDS Detections: Win32/Emotet CnC Checkin Response" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Palantir Pegasus" ], "malware_families": [ "Trojan:win32/qqpass", "Win32:agent", "Win.packed.razy-6847895-0", "Win.ransomware.msilzilla-10014498-0", "Vb flash", "Trojan:msil/clipbanker", "Trojandropper:win32/vb.il", "Pegasus - mob-s0005", "Win.dropper.qqpass-7194329-0", "Win32:backdoor", "Other malware", "Trojan:win32/bagsu!rfn", "Win.trojan.emotet-7545664-0", "Win.packed.msilperseus-9956592-0", "Win32:rootkit", "Backdoor:msil/bladabindi.aj", "Win.packed.generic-9795615-0\t.", "Win.packed.fecn-7077459-0", "Trojan:msil/ranos.a", "Win.trojan.generic-6417450-0", "#lowfienabledtcontinueafterunpacking", "Worm:win32/autorun", "Win.virus.virlock-6804475-0", "Alf:trojan:win32/cassini_56a3061!ibt", "Wannacry", "Virtool:win32/obfuscator.ahu", "Pony", "Foundry", "Trojan:win32/comisproc!gmb", "Alf:trojan:msil/blackfus.c", "Trojan:win32/floxif.e", "Virtool:win32/obfuscator", "Win32:evo-gen\\ [susp]", "Backdoor:win32/plugx.n!", "Win.trojan.agent", "Pegasus", "#exploit:win32/cve- 2023 - 23397", "Trojanproxy:win32/ceutv.a", "#lowfi:win32/sandboxproductid", "Nid", "Shellcode", "Win.malware.bzub-6727003-0", "Alf:backdoor:msil/noancooe.ka", "Win.packed.generic-9795615-0", "Alf:pulzati:worm:win32/mydoom", "Trojandropper:win32/vb.il0", "Win32:malware", "Win32:malob-bx\\ [cryp]", "Rxr", "Backdoor:msil/bladabindi.aj gc!", "Win.trojan.generic-9801687-0", "Tofsee", "Win.dropper.njrat-10015886-0", "Trojandownloader:win32/cutwail" ], "industries": [], "unique_indicators": 32625 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/aogg.top", "whois": "http://whois.domaintools.com/aogg.top", "domain": "aogg.top", "hostname": "cc.aogg.top" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "69519fa81048ad057eb9beaa", "name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)", "description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. | \nWhere does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.", "modified": "2026-01-27T21:02:45.343000", "created": "2025-12-28T21:22:48.595000", "tags": [ "united", "servers", "moved", "ip address", "record value", "encrypt", "present jul", "present jun", "trojandropper", "passive dns", "ipv4 add", "urls", "files", "virtool", "united states", "dynamicloader", "directui", "element", "classinfobase", "write c", "medium", "yara rule", "msvisualbasic60", "high", "hwndelement", "explorer", "write", "movie", "insert", "program", "python", "http traffic", "trojan generic", "search", "cnc activity", "delphi", "win32", "launcher", "pony", "fareit", "malware", "push", "msie", "windows nt", "generic", "checkin", "post", "yara detections", "rxr", "inject", "memcommit", "cryptexportkey", "invalid pointer", "regsetvalueexa", "solutions ltd", "read c", "regdword", "mozilla", "persistence", "execution", "android", "unknown", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "initial access", "defense evasion", "spawns", "t1590 gather", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "pattern match", "mitre att", "ck matrix", "href", "ascii text", "starfield", "hybrid", "general", "local", "path", "iframe", "palantir", "present nov", "present oct", "status", "present apr", "present dec", "cryp", "date", "trojan", "title", "name servers", "windows", "t1060", "disables proxy", "dock", "pegasus", "rootkit", "backdoor", "susp", "win32qqpass feb", "worm", "msr win32", "win64", "process32nextw", "findwindowa", "file execution", "writeconsolea", "procexpl", "file v2", "document", "document file", "v2 document", "lost", "tools", "pecompact", "media", "autorun", "service", "post http", "delete", "alerts", "emotet", "rkt", "autorun", "worm", "plugins", "title error", "body doctype", "html public", "w3cdtd html", "html head", "domain", "expiration date", "hostname add", "pulse pulses", "contacted hosts", "sha1", "sha256", "show technique", "strings", "t1480 execution", "signing defense", "script urls", "a domains", "unknown ns", "texas flyover", "script domains", "script script", "meta", "window", "process details", "contacted" ], "references": [ "Cart.Guru", "Yara Detections: Delphi", "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer", "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer", "HTTP traffic on port 443 (POST)", "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query", "Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs", "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http", "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates", "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http", "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe", "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check", "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad", "Yara Detections: Nullsoft_NSIS ...", "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat", "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com", "Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103", "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx", "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy", "Emotet IDS Detections: Win32/Emotet CnC Checkin Response", "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users" ], "public": 1, "adversary": "Palantir Pegasus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RXR", "display_name": "RXR", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Bagsu!rfn", "display_name": "Trojan:Win32/Bagsu!rfn", "target": "/malware/Trojan:Win32/Bagsu!rfn" }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "#Lowfi:Win32/SandboxProductId", "display_name": "#Lowfi:Win32/SandboxProductId", "target": "/malware/#Lowfi:Win32/SandboxProductId" }, { "id": "Win32:Backdoor", "display_name": "Win32:Backdoor", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "ALF:Trojan:MSIL/BlackFus.C", "display_name": "ALF:Trojan:MSIL/BlackFus.C", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "TrojanProxy:Win32/Ceutv.A", "display_name": "TrojanProxy:Win32/Ceutv.A", "target": "/malware/TrojanProxy:Win32/Ceutv.A" }, { "id": "VirTool:Win32/Obfuscator.AHU", "display_name": "VirTool:Win32/Obfuscator.AHU", "target": "/malware/VirTool:Win32/Obfuscator.AHU" }, { "id": "ShellCode", "display_name": "ShellCode", "target": null }, { "id": "Win32:Rootkit", "display_name": "Win32:Rootkit", "target": null }, { "id": "VB Flash", "display_name": "VB Flash", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Win.Packed.Razy-6847895-0", "display_name": "Win.Packed.Razy-6847895-0", "target": null }, { "id": "Backdoor:Win32/Plugx.N!", "display_name": "Backdoor:Win32/Plugx.N!", "target": "/malware/Backdoor:Win32/Plugx.N!" }, { "id": "Win.Dropper.QQpass-7194329-0", "display_name": "Win.Dropper.QQpass-7194329-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win32:Agent", "display_name": "Win32:Agent", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "Win.Trojan.Emotet-7545664-0", "display_name": "Win.Trojan.Emotet-7545664-0", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2362, "domain": 449, "hostname": 710, "email": 6, "FileHash-MD5": 260, "FileHash-SHA1": 201, "FileHash-SHA256": 333, "SSLCertFingerprint": 27 }, "indicator_count": 4348, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69519fa818f84531ce6becc9", "name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)", "description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. Where does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.", "modified": "2026-01-27T21:02:45.343000", "created": "2025-12-28T21:22:48.383000", "tags": [ "united", "servers", "moved", "ip address", "record value", "encrypt", "present jul", "present jun", "trojandropper", "passive dns", "ipv4 add", "urls", "files", "virtool", "united states", "dynamicloader", "directui", "element", "classinfobase", "write c", "medium", "yara rule", "msvisualbasic60", "high", "hwndelement", "explorer", "write", "movie", "insert", "program", "python", "http traffic", "trojan generic", "search", "cnc activity", "delphi", "win32", "launcher", "pony", "fareit", "malware", "push", "msie", "windows nt", "generic", "checkin", "post", "yara detections", "rxr", "inject", "memcommit", "cryptexportkey", "invalid pointer", "regsetvalueexa", "solutions ltd", "read c", "regdword", "mozilla", "persistence", "execution", "android", "unknown", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "initial access", "defense evasion", "spawns", "t1590 gather", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "pattern match", "mitre att", "ck matrix", "href", "ascii text", "starfield", "hybrid", "general", "local", "path", "iframe", "palantir", "present nov", "present oct", "status", "present apr", "present dec", "cryp", "date", "trojan", "title", "name servers", "windows", "t1060", "disables proxy", "dock", "pegasus", "rootkit", "backdoor", "susp", "win32qqpass feb", "worm", "msr win32", "win64", "process32nextw", "findwindowa", "file execution", "writeconsolea", "procexpl", "file v2", "document", "document file", "v2 document", "lost", "tools", "pecompact", "media", "autorun", "service", "post http", "delete", "alerts", "emotet", "rkt", "autorun", "worm", "plugins", "title error", "body doctype", "html public", "w3cdtd html", "html head", "domain", "expiration date", "hostname add", "pulse pulses", "contacted hosts", "sha1", "sha256", "show technique", "strings", "t1480 execution", "signing defense", "script urls", "a domains", "unknown ns", "texas flyover", "script domains", "script script", "meta", "window", "process details", "contacted" ], "references": [ "Cart.Guru", "Yara Detections: Delphi", "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer", "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer", "HTTP traffic on port 443 (POST)", "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query", "Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs", "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http", "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates", "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http", "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe", "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check", "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad", "Yara Detections: Nullsoft_NSIS ...", "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat", "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com", "Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103", "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx", "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy", "Emotet IDS Detections: Win32/Emotet CnC Checkin Response", "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users" ], "public": 1, "adversary": "Palantir Pegasus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RXR", "display_name": "RXR", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Bagsu!rfn", "display_name": "Trojan:Win32/Bagsu!rfn", "target": "/malware/Trojan:Win32/Bagsu!rfn" }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "#Lowfi:Win32/SandboxProductId", "display_name": "#Lowfi:Win32/SandboxProductId", "target": "/malware/#Lowfi:Win32/SandboxProductId" }, { "id": "Win32:Backdoor", "display_name": "Win32:Backdoor", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "ALF:Trojan:MSIL/BlackFus.C", "display_name": "ALF:Trojan:MSIL/BlackFus.C", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "TrojanProxy:Win32/Ceutv.A", "display_name": "TrojanProxy:Win32/Ceutv.A", "target": "/malware/TrojanProxy:Win32/Ceutv.A" }, { "id": "VirTool:Win32/Obfuscator.AHU", "display_name": "VirTool:Win32/Obfuscator.AHU", "target": "/malware/VirTool:Win32/Obfuscator.AHU" }, { "id": "ShellCode", "display_name": "ShellCode", "target": null }, { "id": "Win32:Rootkit", "display_name": "Win32:Rootkit", "target": null }, { "id": "VB Flash", "display_name": "VB Flash", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Win.Packed.Razy-6847895-0", "display_name": "Win.Packed.Razy-6847895-0", "target": null }, { "id": "Backdoor:Win32/Plugx.N!", "display_name": "Backdoor:Win32/Plugx.N!", "target": "/malware/Backdoor:Win32/Plugx.N!" }, { "id": "Win.Dropper.QQpass-7194329-0", "display_name": "Win.Dropper.QQpass-7194329-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win32:Agent", "display_name": "Win32:Agent", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "Win.Trojan.Emotet-7545664-0", "display_name": "Win.Trojan.Emotet-7545664-0", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2362, "domain": 449, "hostname": 710, "email": 6, "FileHash-MD5": 260, "FileHash-SHA1": 201, "FileHash-SHA256": 333, "SSLCertFingerprint": 27 }, "indicator_count": 4348, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692d02f096f3ec8b5b507496", "name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace", "description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.", "modified": "2025-12-31T02:01:50.101000", "created": "2025-12-01T02:52:32.483000", "tags": [ "business", "enterprise", "drive", "english", "google drive", "try drive", "business small", "workspace", "sign", "strong", "find", "life", "tools", "protect", "cloud", "simple", "android", "indonesia", "video", "mb download", "shared may", "shared", "learn", "drive drive", "name date", "javascript", "dynamicloader", "medium", "minimal headers", "high", "observed get", "get http", "united", "yara rule", "http", "write", "guard", "malware", "read c", "ms windows", "intel", "png image", "rgba", "pe32", "get na", "explorer", "music", "virlock", "media", "ho chi", "minh city", "viet nam", "storage company", "limited", "google", "address as", "luutruso", "cloudflar", "domain", "asn15169", "asn56153", "asn13335", "cisco", "umbrella rank", "apex domain", "url https", "kb stylesheet", "kb font", "kb image", "image", "kb script", "november", "resource path", "size", "type mimetype", "primary request", "redirect chain", "kb document", "urls", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "t1590 gather", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "domain address", "rsdsq jfu", "ollydbg ollydbg", "wireshark", "external", "binary file", "mitre att", "ck matrix", "aaaa", "cong ty", "co phan", "code", "province hcm", "files", "ip address", "request", "flag", "country", "contacted hosts", "process details", "link initial", "t1480 execution", "domains", "moved", "gmt content", "all ipv4", "url analysis", "location viet", "title", "error", "problem", "url add", "related nids", "files location", "flag united", "development att", "name server", "markmonitor", "localappdata", "programfiles", "edge", "hyundai", "social engineering", ".mil", "hackers", "phishing eml", "summary", "cisco umbrella", "google safe", "browsing", "current dns", "a record", "ip information", "ipasns ip", "detail domain", "domain tree", "links apex", "transfer", "b script", "b stylesheet", "frame b830", "b document", "value", "december", "degurafregistry", "gat object", "jsl object", "gapijstiming", "iframe function", "domainpath name", "nid value", "source level", "files domain", "files related", "tags", "related tags", "virustotal", "foundry", "pulse otx", "dark", "vietnam", "present aug", "present nov", "present jul", "present sep", "unknown aaaa", "search", "name servers", "present oct", "trojan", "data upload", "extraction", "se https", "include review", "exclude sugges", "find s", "failed", "typ don", "faith", "study", "romeo\u2019s", "juliettes", "femme fatales", "strategy", "honey pot", "honey traps", "spy", "helix", "anons", "passive dns", "pulse pulses", "files ip", "address", "location united", "asn as400519", "whois registrar", "ms defender", "files matching", "number", "sample analysis", "hide samples", "date hash", "cameras", "cams", "spycam", "botnet", "vietnam", "company limited", "dnssec", "status", "india unknown", "present may", "espionage", "hostname add", "generic", "cnc activity", "backdoor", "ipv4", "anonsecbotnet", "iptv" ], "references": [ "drive.google.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "zalo.me | href | Binary File | ATT&CK ID T1566.002", "https://account.helix.com/activate/start", "anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022", "https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]", "Terse Unencrypted Request for Google - Likely Connectivity Check", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6", "cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com", "https://hyundaibariavungtau3s.com/vehicle/stargazer", "https://hyundaibariavungtau3s.com/vehicle/ioniq-5", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade", "https://hyundaibariavungtau3s.com/vehicle/hyundai-custin", "https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/", "https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com", "https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com", "http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/", "http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466", "https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam", "feedback-pa.clients6.google.com/v1/survey/trigger/", "https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg", "anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Virus.Virlock-6804475-0", "display_name": "Win.Virus.Virlock-6804475-0", "target": null }, { "id": "Win.Malware.Bzub-6727003-0", "display_name": "Win.Malware.Bzub-6727003-0", "target": null }, { "id": "Win.Trojan.Generic-9801687-0", "display_name": "Win.Trojan.Generic-9801687-0", "target": null }, { "id": "NID", "display_name": "NID", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Dropper.njRAT-10015886-0", "display_name": "Win.Dropper.njRAT-10015886-0", "target": null }, { "id": "Win.Packed.Generic-9795615-0", "display_name": "Win.Packed.Generic-9795615-0", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ GC!", "display_name": "Backdoor:MSIL/Bladabindi.AJ GC!", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!" }, { "id": "Win.Packed.Generic-9795615-0\t.", "display_name": "Win.Packed.Generic-9795615-0\t.", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ", "display_name": "Backdoor:MSIL/Bladabindi.AJ", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ" }, { "id": "Win.Packed.Fecn-7077459-0", "display_name": "Win.Packed.Fecn-7077459-0", "target": null }, { "id": "Trojan:MSIL/Ranos.A", "display_name": "Trojan:MSIL/Ranos.A", "target": "/malware/Trojan:MSIL/Ranos.A" }, { "id": "Win.Trojan.Generic-6417450-0", "display_name": "Win.Trojan.Generic-6417450-0", "target": null }, { "id": "ALF:Backdoor:MSIL/Noancooe.KA", "display_name": "ALF:Backdoor:MSIL/Noancooe.KA", "target": null }, { "id": "Win.Packed.Msilperseus-9956592-0", "display_name": "Win.Packed.Msilperseus-9956592-0", "target": null }, { "id": "Trojan:MSIL/ClipBanker", "display_name": "Trojan:MSIL/ClipBanker", "target": "/malware/Trojan:MSIL/ClipBanker" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1194", "name": "Spearphishing via Service", "display_name": "T1194 - Spearphishing via Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1911, "hostname": 714, "FileHash-SHA256": 1304, "FileHash-MD5": 159, "FileHash-SHA1": 71, "SSLCertFingerprint": 2, "domain": 421, "CVE": 1, "email": 4 }, "indicator_count": 4587, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6923408464566e39caf32285", "name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)", "description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00", "modified": "2025-12-23T16:04:54.329000", "created": "2025-11-23T17:12:36.917000", "tags": [ "no expiration", "expiration", "url https", "url http", "filehashsha256", "hostname", "domain", "filehashmd5", "filehashsha1", "ipv4", "code", "pool", "timothy pool", "z3je z3uwq7", "creation date", "ip address", "emails", "expiration date", "status", "hostname add", "pulse pulses", "passive dns", "urls", "date" ], "references": [ "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "www.techcult.com", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Yara: Detections ConventionEngine_Term_Users", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Yara : MS_Visual_Basic_6_0 ,", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Alerts: mouse_movement_detect", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "Foundry stalking." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDropper:Win32/VB.IL0", "display_name": "TrojanDropper:Win32/VB.IL0", "target": "/malware/TrojanDropper:Win32/VB.IL0" }, { "id": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 773, "FileHash-SHA1": 684, "FileHash-SHA256": 1910, "CVE": 2, "SSLCertFingerprint": 4, "URL": 3783, "domain": 878, "email": 7, "hostname": 1913 }, "indicator_count": 9954, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "117 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68feb98a8c1b75b4431a3e8e", "name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?", "description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.", "modified": "2025-11-25T20:05:31.749000", "created": "2025-10-27T00:15:06.191000", "tags": [ "html internet", "html document", "ascii text", "language", "cve202323397", "iframe tags", "tag manager", "gtmkvjvztk", "anchor hrefs", "info ta0011", "protocol", "layer protocol", "port", "t1571 encrypted", "channel", "t1573 malware", "tree", "oc0006 http", "c0014", "get http", "dns resolutions", "resolved ips", "user", "data", "datacrashpad", "edge", "v full", "reports v", "chrome u", "appdata local", "googlechrome u", "u ser", "cname", "ip address", "http", "accept", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "extraction", "suggested iocs", "data upload", "cry dee", "stop", "type", "url indicator", "enter", "failed", "se share", "extrac", "enter so", "passive dns", "urls", "hostname add", "pulse pulses", "files", "domain", "files ip", "address", "location united", "asn as20473", "dynamicloader", "directui", "write c", "intel", "ms windows", "pe32", "element", "delete c", "document file", "v2 document", "explorer", "trojandropper", "write", "markus", "august", "movie", "insert", "pulse submit", "url analysis", "asn as8068", "united", "entries", "body", "please", "x msedge", "ipv4 add", "present sep", "present oct", "present feb", "status", "unknown ns", "search", "name servers", "present jul", "aaaa", "present apr", "trojan", "medium", "high", "yara rule", "globalc", "june", "malware", "win64", "unknown", "america flag", "twitter", "hostname", "domain add", "reverse dns", "america asn", "present aug", "a domains", "moved", "first pqc", "unknown aaaa", "title", "meta", "window", "encrypt", "pulse indicator", "body doctype", "welcome", "ok server", "gmt content", "atlanta", "abuse", "agent", "service", "present jun", "present may", "creation date", "record value", "servers", "libretv meta", "certificate", "value", "whois lookup", "loopia ab", "userlolxxl" ], "references": [ "http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist", "It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!", "pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz", "Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com", "docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips", "https://hs.ecam.com/your-challenges-ecams-solutions", "https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022", "https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/", "Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Wannacry", "display_name": "Wannacry", "target": null }, { "id": "Foundry", "display_name": "Foundry", "target": null }, { "id": "Trojan:Win32/Comisproc!gmb", "display_name": "Trojan:Win32/Comisproc!gmb", "target": "/malware/Trojan:Win32/Comisproc!gmb" }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "#Exploit:Win32/CVE- 2023 - 23397", "display_name": "#Exploit:Win32/CVE- 2023 - 23397", "target": "/malware/#Exploit:Win32/CVE- 2023 - 23397" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "ALF:PulZati:Worm:Win32/Mydoom", "display_name": "ALF:PulZati:Worm:Win32/Mydoom", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 8, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 248, "FileHash-SHA1": 134, "FileHash-SHA256": 2661, "URL": 6257, "domain": 682, "email": 8, "hostname": 2077, "CVE": 1 }, "indicator_count": 12068, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "144 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67fe9f3c682800301b89c556", "name": "Sitemap This page shows the most recent scans (manual, API, automatic) to be picked up by spiders.", "description": "https://urlscan.io/sitemap/", "modified": "2025-09-01T08:05:18.611000", "created": "2025-04-15T18:02:36.693000", "tags": [ "new run", "key pointing", "run key", "roth", "nextron", "markus neis", "sander wiebing", "public", "imagestartswith", "delnoderundll32", "vhash", "imphash", "rich pe", "ssdeep", "data sheetfinal", "wbn1", "mobil ip", "hsotu tin", "firmar", "statement", "ebook", "uwaaj moesz" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 168, "FileHash-MD5": 106, "FileHash-SHA1": 101, "FileHash-SHA256": 415, "hostname": 63, "domain": 61, "CVE": 1 }, "indicator_count": 915, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68629f622fe936e3141a1ed0", "name": "APT33 (by ilyailya)", "description": "", "modified": "2025-06-30T14:29:54.892000", "created": "2025-06-30T14:29:54.892000", "tags": [ "apfs encryption", "adguard extra", "jumpcloud go", "chrome web", "store", "privacy badger", "safety checker", "stay", "mywot", "flowcrypt", "encrypt gmail", "simple", "facebook", "apollo", "future", "assistant", "excbreakpoint", "sigtrap", "excguard", "renderer", "vallumes", "excbadaccess", "sigsegv", "helper", "chrome helper", "exccrash", "rave scout", "cookies", "public folder", "browsersignin", "denyactivation", "disableoverride", "loginwindowtext", "jumpcloud", "disableairdrop", "enablefirewall", "macos14action", "macos13action", "showfullname", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "yubico", "daemon", "service", "server", "open directory", "account", "kerberos admin", "kerberos change", "io daemon", "device daemon", "network", "bridge", "desktop", "installer", "calendar", "screensaver", "agent", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "command line", "cloud", "remote assist", "aesxtsarm", "aesecbarm", "darwin kernel", "version", "fri apr", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "user", "coregraphics", "quartzcore", "dock", "corefoundation", "cgimage", "cgcolorspace", "load address", "identifier", "build info", "code type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6816697e166bba8972d8d4a3", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 125, "hostname": 402, "FileHash-SHA256": 38, "URL": 582, "CVE": 1 }, "indicator_count": 1148, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "293 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6816697e166bba8972d8d4a3", "name": "APT33", "description": "APT33", "modified": "2025-06-02T18:02:26.651000", "created": "2025-05-03T19:07:42.325000", "tags": [ "apfs encryption", "adguard extra", "jumpcloud go", "chrome web", "store", "privacy badger", "safety checker", "stay", "mywot", "flowcrypt", "encrypt gmail", "simple", "facebook", "apollo", "future", "assistant", "excbreakpoint", "sigtrap", "excguard", "renderer", "vallumes", "excbadaccess", "sigsegv", "helper", "chrome helper", "exccrash", "rave scout", "cookies", "public folder", "browsersignin", "denyactivation", "disableoverride", "loginwindowtext", "jumpcloud", "disableairdrop", "enablefirewall", "macos14action", "macos13action", "showfullname", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "yubico", "daemon", "service", "server", "open directory", "account", "kerberos admin", "kerberos change", "io daemon", "device daemon", "network", "bridge", "desktop", "installer", "calendar", "screensaver", "agent", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "command line", "cloud", "remote assist", "aesxtsarm", "aesecbarm", "darwin kernel", "version", "fri apr", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "user", "coregraphics", "quartzcore", "dock", "corefoundation", "cgimage", "cgcolorspace", "load address", "identifier", "build info", "code type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 125, "hostname": 402, "FileHash-SHA256": 38, "URL": 582, "CVE": 1 }, "indicator_count": 1148, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "320 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cc.aogg.top/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cc.aogg.top/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776618550.053683 }