{ "type": "URL", "indicator": "https://cchlsa.ccedge.cn/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cchlsa.ccedge.cn/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4158689411, "indicator": "https://cchlsa.ccedge.cn/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "69aa41b0d714318bf8937184", "name": "W.Vashti .Net obfuscator clone", "description": "", "modified": "2026-04-04T00:06:41.423000", "created": "2026-03-06T02:53:36.216000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": "6952d4fc6910b0b866746d8a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1969, "URL": 5700, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10779, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695555b664c8998371393b8f", "name": "\u200emyMetro App - App Store \u2022 Access Attack via iOS App", "description": "Apple iOS attack. Drive by compromise. Device fully compromised. Service provider incorrect. Device user does not use MetroPCS as Cellular carrier. \n\n#cyberwarfare #pegasus #endgame #apple #earsinthecornfield #compromised_device #zombie", "modified": "2026-01-30T16:01:37.437000", "created": "2025-12-31T16:56:22.577000", "tags": [ "espaol", "metro pcs", "metro", "english", "data", "privacy", "learn", "requires", "strong", "see all", "bernie", "mint", "never", "example", "click", "indonesia", "\u2019m", "win32mydoom dec", "united", "trojan", "name servers", "servers", "expiration date", "backdoor", "found", "passive dns", "gmt connection", "control", "content type", "twitter", "title", "aaaa", "ember cli", "ember view", "certificate", "win32", "invalid url", "body html", "head title", "title head", "body h1", "reference", "urls", "akamai", "unknown ns", "domain", "search", "ipv4", "files", "reverse dns", "location united", "america flag", "america asn", "dynamicloader", "port", "high", "medium", "windows", "displayname", "write", "destination", "tofsee", "stream", "malware", "hostile", "read c", "show", "rgba", "unicode", "whitelisted", "memcommit", "delete", "execution", "dock", "persistence", "msie", "chrome", "ip address", "otx telemetry", "unknown soa", "gmt content", "for privacy", "moved", "record value", "ubuntu date", "encrypt", "a domains", "welcome", "type", "content length", "ipv4 add", "url analysis", "accept", "overview domain", "files ip", "address", "location france", "asn as16276", "tags none", "indicator facts", "historical otx", "france unknown", "ovhcloud meta", "domain add", "present dec", "status", "service", "win32cutwail", "setcookie", "gmt server", "refloadapihash", "virtool", "present nov", "present oct", "all ipv4", "hostname", "present jul", "saudi arabia", "present mar", "present jun", "present feb", "entries", "france asn", "asn as16509", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "ascii text", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "hybrid", "local", "path", "strings", "delete c", "okrndate", "grum", "powershell", "pegasus", "unknown", "crlf line", "ff d5", "unicode text", "utf8", "ee fc", "yara rule", "f0 ff", "ff bb", "push", "autorun", "suspicious", "pulse pulses", "date", "music", "apple", "apple id", "show process", "flag", "markmonitor", "name tactics", "informative", "command", "adversaries", "spawns", "access att", "t1566 phishing", "zerobits", "allocationtype", "protect", "programfiles", "processhandle", "commitsize", "viewsize", "regionsize", "handles modules", "files amsi", "filehandle", "path filehandle", "porthandle", "copy md5", "copy sha1", "copy sha256", "href", "null", "refresh", "body", "span", "general", "error", "tools", "look", "verify", "restart", "html", "x22scriptx22", "binary file", "t1189", "cyberwarfare", "brian sabey", "never say anything", "christopher ahmann", "colorado state", "quasi", "zombie device", "present may", "emails", "exif standard", "tiff image", "windows nt", "wow64", "slcc2", "media center", "jpeg image", "copy", "next", "pecompact", "february", "packer", "delphi", "code", "tlsv1", "ogoogle trust", "xserver", "lowfi", "creation date", "domain name", "showing", "ids detections", "yara detections", "worm", "arial", "present aug", "meta", "dns domain", "site", "free dns", "msil", "dnssec", "penetration", "injections", "dead host" ], "references": [ "https://apps.apple.com/app/", "metropcs.com/account/sign-in.html", "smtp.google.com \u2022 www.google.com/images/errors/robot.png", "https://www.endgamesystems.com/ \u2022 https://www.endgames.com/", "https://freedns.afraid.org/images/exclamation", "xred.mooo.com \u2022 mooo.com \u2022 afraid.org", "admin@bigtits.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Trojan.Installcore-877", "display_name": "Win.Trojan.Installcore-877", "target": null }, { "id": "Win.Downloader.Small", "display_name": "Win.Downloader.Small", "target": null }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Tibs", "display_name": "Tibs", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ALF:JASYP:PUA:Win32/4Shared", "display_name": "ALF:JASYP:PUA:Win32/4Shared", "target": null } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1577", "name": "Compromise Application Executable", "display_name": "T1577 - Compromise Application Executable" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1086", "name": "PowerShell", "display_name": "T1086 - PowerShell" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1863, "URL": 4952, "FileHash-SHA256": 1990, "FileHash-MD5": 981, "FileHash-SHA1": 791, "email": 26, "domain": 1277, "SSLCertFingerprint": 24 }, "indicator_count": 11904, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "78 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952d4fc6910b0b866746d8a", "name": ".NET Obfuscator, Error Reporting, DLL Merging | SmartAssembly | Spycloud", "description": "*Mirai | Currently being used maliciously. Mirai botnet work in place. Obfuscation, call redirection, evasion , chatbots, spyware , cal retrieval , typosquating , and other tactics used against victim. Red hats being unethical is expected.. This team is attacking in this instance. Screen Capture 24/7. Malicious media +++ from Englewood, Co. \n\nWhen used ethically SmartAssembly protects your code and Intellectual Property with powerful obfuscation features, and provides error reports when your application crashes in the wild, as well as a range of other tools for database management and data management.\n#palantir #foundry #denver #englewood #colorado #spycloud #mirai #botnet", "modified": "2026-01-28T18:03:54.589000", "created": "2025-12-29T19:22:36.103000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1967, "URL": 5699, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10776, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "80 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "694dc80ac6e7fd5474b316a1", "name": "Malicious DDOS attacks targeting Brand New 2025 | Updated Apple Products affecting IRS payment portal", "description": "Malicious actors continue to target certain users attempting to pay the IRS. Victim is redirected to : http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan after typing in IRS.gov (w/ secure header \u2018https\u2019 )\nOnce information is input it is payment is rejected, levy against bank accounts and assets and other threats. There is social engineering as one victim is communicating with someone allegedly from the IRS? \nAlthough malicious entities contacted , malicious behavior continues. Adversaries in the Middle attack. US hacker group. Denver, Iowa, Arizona, NY and abroad. \n\n*Targets: https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main |", "modified": "2026-01-24T22:05:13.068000", "created": "2025-12-25T23:26:02.712000", "tags": [ "hash avast", "avg clamav", "msdefender feb", "url http", "url https", "zipcode", "active related", "cage01195 dec", "passports", "ipv4", "active", "irs", "apple", "role title", "indicator role", "malware attacks", "find encrypted", "lumen", "fastly", "create c", "read c", "delete", "write", "default", "medium", "rgba", "dock", "execution", "xport", "united", "passive dns", "urls", "expiration date", "unknown ns", "unknown aaaa", "pulse pulses", "merit", "dod network", "type indicator", "related pulses", "name", "name servers", "ffffff", "ip address", "emails", "object", "clsid6bf52a52", "cookie", "meta", "united kingdom", "germany", "russia", "search", "added active", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "href", "pattern match", "ascii text", "ck id", "mitre att", "ck matrix", "t1071", "general", "local", "path", "iframe", "click", "beginstring", "segoe ui", "null", "refresh", "span", "hybrid", "strings", "error", "tools", "title", "look", "verify", "restart", "data upload", "extraction", "failed", "include data", "entries", "unicode", "high", "memcommit", "next", "flag", "process details", "path expiresthu", "moved", "gmt set", "domain", "httponly path", "encrypt", "leaseweb", "iowa", "title added", "bad traffic", "et info", "tls handshake", "failure", "command decode", "suricata stream", "circle", "f5f8fa", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "development att", "suricata http", "windows nt", "date", "ips initial", "prefetch8", "localappdata", "prefetch1", "programfiles", "edge", "access att", "t1566 phishing", "initial access", "show process", "show technique", "process", "t1057", "contacted", "ck techniques", "evasion att", "body", "report spam", "apple", "ddos", "irs created", "hours ago", "white", "apple user", "industries", "government", "finance", "trojandropper", "appleservice", "mirai", "trojan", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "alerts", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "analysis date", "file score", "medium risk", "copy", "richhash", "finding notes", "clamav malware", "files matching", "number", "sample analysis", "samples show", "date hash", "yara rule", "msie", "t1063", "windows", "malware", "detected", "https domain", "tls sni", "markus", "smartassembly", "win64", "exif data", "present dec", "status", "showing", "show", "icmp traffic", "pdb path", "crlf line", "mutex", "ms defender", "mtb malware", "hide samples", "rootkit", "apple webkit", "macbook pro", "apple ios" ], "references": [ "sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022", "132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center", "154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc", "165.206.254.134 \u2022 Description: CC=US ASN=AS6122", "192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company", "195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet", "205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company", "207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network", "207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network", "214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center", "216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies", "78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh", "95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content", "http://www.anyxxxtube.net/search-porn/ - Adult Content", "https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content", "https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content", "http://sissy.com/default - Adult Content", "https://eliyporasa - Adult Content", "64.38.232.180 - Adult Content IP", "www.anyxxxtube.net - Adult Content", "www.anyxxxtube.net - Adult Content IP", "http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content", "http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP", "jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP", "https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP", "http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP", "http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP", "http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP", "httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022", "http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org", "asp.bet", "apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net", "https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c", "https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main", "http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com", "jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com", "https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e", "Information gathered equals 2 pulses. Pulse (1) included", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "Follow up need. This is a serious financial crime following the victims.", "Victims have lost financial assets, jobs, vehicles", "Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado", "After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Win.Malware.Msilperseus-6989564-0", "display_name": "Win.Malware.Msilperseus-6989564-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.Ramnit-1847", "display_name": "Win.Trojan.Ramnit-1847", "target": null }, { "id": "Win.Trojan.Fenomengame-14", "display_name": "Win.Trojan.Fenomengame-14", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "Mirai Sim Swap", "display_name": "Mirai Sim Swap", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Lumen IP", "display_name": "Lumen IP", "target": null }, { "id": "Unknown Malware \u2018Can't access file\u2019", "display_name": "Unknown Malware \u2018Can't access file\u2019", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Win.Trojan.Fenomengame-8", "display_name": "Win.Trojan.Fenomengame-8", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Adialer", "display_name": "ALF:JASYP:Trojan:Win32/Adialer", "target": null }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Financial", "Government", "Technology", "IRS" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 363, "FileHash-SHA1": 360, "FileHash-SHA256": 3009, "URL": 3504, "domain": 879, "email": 15, "hostname": 1487, "SSLCertFingerprint": 3 }, "indicator_count": 9620, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "84 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6946fdbb4a22dc28d60d6ca2", "name": "Expiro - DoomScroller \u2022 BrowseHappy | Part 2", "description": "Pulse: \u00c2\u00a31.1bn.io.com, a search engine for the most popular websites on the planet, is now available on Facebook, Twitter, Instagram and YouTube.", "modified": "2026-01-19T19:04:41.997000", "created": "2025-12-20T19:49:15.713000", "tags": [ "doomscroller", "browsehappy", "xpirat", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "united", "tlsv1", "execution", "dock", "write", "persistence", "encrypt", "meta", "browse happy", "worry", "body doctype", "online", "gmt server", "a domains", "ipv4 add", "win32", "trojandropper", "title", "date", "unknown", "post http", "cryptexportkey", "cryptgenkey", "calgrc4", "expiro", "temple", "xserver", "adversaries", "worry wordpress" ], "references": [ "Xpirat = doomscroller.io" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Xpirat", "display_name": "Xpirat", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5576, "domain": 1502, "FileHash-MD5": 116, "FileHash-SHA1": 73, "FileHash-SHA256": 1041, "SSLCertFingerprint": 1, "hostname": 1951 }, "indicator_count": 10260, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6944ce38344ccded23df66f5", "name": "Ransom - Amnesty.org - a single link in a Pegasus attack against a civilian.", "description": "I don\u2019t have the right words to put this together because it involves so much coercion, fraud, betrayal, manipulation , hacking, multiple business fronts, loud mouth mafia plants, working with someone under false pretenses, redhat security teams in Denver , Colorado, false implications of cyber attacks coming from foreign entities. \n\nTips come from a highly reliable sources. One link in a Pegasus attack .", "modified": "2026-01-18T03:05:59.836000", "created": "2025-12-19T04:02:00.973000", "tags": [ "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "free", "benjamin", "write", "worm", "win32", "code", "june", "delphi", "malware", "benjamin", "tulach", "state of colorado", "christopher p. \u2018buzz\u2019 ahmann", "danica implants", "nids_malware_alert", "bonu$", "network_icmp", "network_irc", "persistence_autorun", "network_http", "nids_alert", "allocates_rwx", "hackers", "creates_exe", "brian sabey", "sour del", "packer_entropy", "antivm_memory_available", "pe_features", "get key", "crime", "organized crime", "federal crime", "cyber crime", "piracy", "status", "china unknown", "name servers", "div div", "ip address", "domain", "creation date", "record value", "meta", "title", "hong kong", "passive dns", "gmt content", "type", "content length", "ipv4 add", "urls", "files", "location hong", "twitter", "youtube", "side 3 studios", "denver music", "infiltration", "whistleblower", "getkey", "cyber warfare", "fraud", "financial crimes", "pegasus", "music front", "france unknown", "present feb", "iran unknown", "present nov", "present jun", "present jan", "hidden", "present jul", "date", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "llc name", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "show technique", "ck matrix", "ascii text", "href", "show process", "file", "general", "local", "path", "memory dumping", "entries", "icmp delphi", "showing", "delete", "yara detections", "windows nt", "wow64", "khtml", "gecko", "dns query", "packing t1045", "ransom", "cve", "palantir", "remote", "graham" ], "references": [ "Amnesty.org | remote.amnesty.org", "tulach.cc", "Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP", "Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http", "Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available", "Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi", "Delphi This program must be run under Win32 Compilers", "More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de", "http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}", "Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey", "http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co", "ipv4bot.whatismyipaddress.com", "helloprismatic.com", "https://palantir-staging.staging.candidate.app.paulsjob.ai/", "Brian Sabey", "Christopher P. \u2018Buzz\u2019 Ahmann" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Ransom:Win32/GandCrab", "display_name": "Ransom:Win32/GandCrab", "target": "/malware/Ransom:Win32/GandCrab" }, { "id": "CVE-2023-2868", "display_name": "CVE-2023-2868", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 429, "FileHash-SHA1": 341, "FileHash-SHA256": 2766, "URL": 6976, "domain": 1151, "CVE": 2, "email": 3, "hostname": 2913, "SSLCertFingerprint": 4 }, "indicator_count": 14585, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "91 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693f5674439d297728312967", "name": "BeenVerified.com | Malicious Information Doman |", "description": "34.232.241.155:443 (segment.prod.bidr.io)\t GET\tsegment.prod.bidr.io/associate-segment?buzz_key=tatari&segment_key=tatari-983&value=&uncacheplz=9327084282", "modified": "2026-01-14T00:04:33.341000", "created": "2025-12-15T00:29:40.025000", "tags": [ "united", "as13335", "as14061", "cname", "as20940", "date", "name", "status", "present dec", "present nov", "unknown", "body", "cluster", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "search", "read c", "show", "execution", "next", "dock", "write", "capture", "persistence", "local", "copy", "trojan", "win32", "mtb oct", "entries", "passive dns", "next associated", "msr feb", "gmt cache", "ipv4 add", "title", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "flag united", "name servers", "creation date", "emails", "domain name", "expiration date", "servers", "error", "flag", "prefetch8", "prefetch1", "win64", "khtml", "gecko", "pcap frame", "microsoft edge", "strings", "show process", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "network traffic", "ogoogle trust", "pattern match", "path", "hybrid", "cookie", "general", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "spawns", "ssl certificate", "click" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1764, "FileHash-SHA256": 1006, "URL": 5427, "domain": 442, "email": 3, "FileHash-MD5": 115, "FileHash-SHA1": 62, "SSLCertFingerprint": 21 }, "indicator_count": 8840, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693f5675e3f12fa3229bdcb3", "name": "BeenVerified.com | Malicious Information Doman |", "description": "34.232.241.155:443 (segment.prod.bidr.io)\t GET\tsegment.prod.bidr.io/associate-segment?buzz_key=tatari&segment_key=tatari-983&value=&uncacheplz=9327084282", "modified": "2026-01-14T00:04:33.341000", "created": "2025-12-15T00:29:41.963000", "tags": [ "united", "as13335", "as14061", "cname", "as20940", "date", "name", "status", "present dec", "present nov", "unknown", "body", "cluster", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "search", "read c", "show", "execution", "next", "dock", "write", "capture", "persistence", "local", "copy", "trojan", "win32", "mtb oct", "entries", "passive dns", "next associated", "msr feb", "gmt cache", "ipv4 add", "title", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "flag united", "name servers", "creation date", "emails", "domain name", "expiration date", "servers", "error", "flag", "prefetch8", "prefetch1", "win64", "khtml", "gecko", "pcap frame", "microsoft edge", "strings", "show process", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "network traffic", "ogoogle trust", "pattern match", "path", "hybrid", "cookie", "general", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "spawns", "ssl certificate", "click" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1764, "FileHash-SHA256": 1006, "URL": 5427, "domain": 442, "email": 3, "FileHash-MD5": 115, "FileHash-SHA1": 62, "SSLCertFingerprint": 21 }, "indicator_count": 8840, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693f57720ddcc1a02d19a78f", "name": "GameHack Malware | BeenVerified.com | Information Doman |", "description": "", "modified": "2026-01-14T00:04:33.341000", "created": "2025-12-15T00:33:54.304000", "tags": [ "united", "as13335", "as14061", "cname", "as20940", "date", "name", "status", "present dec", "present nov", "unknown", "body", "cluster", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "search", "read c", "show", "execution", "next", "dock", "write", "capture", "persistence", "local", "copy", "trojan", "win32", "mtb oct", "entries", "passive dns", "next associated", "msr feb", "gmt cache", "ipv4 add", "title", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "flag united", "name servers", "creation date", "emails", "domain name", "expiration date", "servers", "error", "flag", "prefetch8", "prefetch1", "win64", "khtml", "gecko", "pcap frame", "microsoft edge", "strings", "show process", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "network traffic", "ogoogle trust", "pattern match", "path", "hybrid", "cookie", "general", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "spawns", "ssl certificate", "click" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": "693f5674439d297728312967", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1764, "FileHash-SHA256": 1006, "URL": 5427, "domain": 442, "email": 3, "FileHash-MD5": 115, "FileHash-SHA1": 62, "SSLCertFingerprint": 21 }, "indicator_count": 8840, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693de4a8a72cf95b028365f0", "name": "Bot Block 162.159.128.0/19 | X Fake tweets | Tofsee", "description": "Tofsee.Trojan.T malware infection affects infected devices. \n\n\n#unlocked #injection #dead_host #compromised_devices #folk_in _browser #botnets", "modified": "2026-01-12T21:02:35.560000", "created": "2025-12-13T22:11:52.474000", "tags": [ "network", "ip address", "subnet", "dynamicloader", "port", "destination", "high", "windows", "united", "write", "tofsee", "stream", "win64", "push", "urls", "url analysis", "dnssec", "script domains", "encrypt", "url add", "http", "related nids", "flag united", "germany", "address google", "passive dns", "ipv4 add", "files", "asn as13335", "dns resolutions", "domains top", "level", "unique tlds", "location united", "asn asnone", "present dec", "backdoor", "lowfi", "win32autoit mar", "urls show", "date checked", "connection", "httponly", "secure", "path", "expiressat", "dynamic cfray", "medium", "delete c", "displayname", "show", "unknown", "next", "rndhex", "malware", "cname", "next associated", "url hostname", "server response", "google safe", "read c", "unicode", "png image", "rgba", "memcommit", "dock", "execution", "files location", "china flag", "china hostname", "hostname", "domain", "files ip", "address", "asn as45102", "gmt content", "certificate", "associated urls", "location china", "china asn", "as4808 china", "present aug", "object", "present apr", "present oct", "alman", "present sep", "error", "present jul", "rmndrp", "present feb", "expiration", "url https", "url http", "iocs", "review iocs", "expireswed", "samesitenone", "maxage86400", "maxage0", "server", "expires", "victina nulcac", "data upload", "extraction", "enter", "enter source", "url data", "type", "extract indic", "included iocs", "china unknown", "botnet", "folk in browser", "japan unknown", "asnone country", "as13335", "a domains", "script urls", "servers", "title", "moved", "record value", "entries", "whitelisted", "powershell", "xf9xb5xf9", "xxcexf6x8fr", "k2xe7xcbxxeaxa2", "x99x19", "x88yxf9xc858", "x83x12x8da", "zx9bx8ex84", "attempts", "yara detections", "contacted", "tags none", "file type", "pe packer", "dll compilation", "guard", "botnets" ], "references": [ "https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet", "x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )", "foundry.neconsside.com \u2022 http://foundry.neconsside.com", "http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside", "IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America", "Russian Federation", "T\u00fcrkiye", "Netherlands" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "HtBot", "display_name": "HtBot", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1481", "name": "Web Service", "display_name": "T1481 - Web Service" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8145, "domain": 1389, "FileHash-SHA256": 1545, "CIDR": 2, "hostname": 2533, "FileHash-MD5": 209, "FileHash-SHA1": 190, "email": 6, "SSLCertFingerprint": 4 }, "indicator_count": 14023, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693adba47b2cce69440c726a", "name": "TESLA HACKERS | Login Google", "description": "Attackers target victims Google account, Google browser, Google homepage.\n\nTesla Hackers in the job. Tesla hackers are very young , angry, kids who chased target around mercilessly in their vehicles, photographed target, drive threateningly. Nothing sophisticated about the stalker crewl. This is intentional. Finding troubled individuals who are desperate for power is pretty easy. \n\nThe hit men range from gang members, white , black , Hispanic to the highly educated, Hit man who attempted to take target out was a spoiled, angry , aggressive, sneering POC. He walked in Denver. The next morning , the area target was driven if roadway was closed off and filled with a rather large road crew, work continues to work on this area. (Charlie Kirk like). Alleged traffic officer claims cameras pointed in different directions that night. He was identified as a computer science major by a PI. This feels so dangerous.", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T14:56:36.874000", "tags": [ "tlsv1", "united", "oamazon", "cnamazon rsa", "jfif", "ogoogle trust", "cngts ca", "exif standard", "tiff image", "xresolution74", "execution", "dock", "write", "persistence", "malware", "encrypt", "ca https", "no expiration", "iocs", "url https", "enter source", "url or", "text drag", "drop or", "browse to", "select file", "ipv4", "url http", "type indicator", "sec ch", "ch ua", "unknown", "ua full", "ua platform", "as44273 host", "ua bitness", "msie", "chrome", "backdoor", "trojandropper", "passive dns", "forbidden", "body", "twitter", "trojan", "cookie", "title", "windows nt", "wow64", "slcc2", "media center", "read c", "port", "destination", "local", "moved", "integration all", "urls", "files", "reverse dns", "location united", "america flag", "name servers", "hostname", "unique", "expires wed", "gmt date", "server", "date wed", "connection", "use linux", "cybersecurity", "http", "ip address", "files location", "flag united", "win32", "urls show", "date checked", "url hostname", "server response", "virtool", "date hash", "avast avg", "heur", "lowfi", "k sep", "contacted", "related tags", "none file", "type", "present dec", "present nov", "mtb mar", "aaaa", "hacktool", "indicator role", "domain", "url add", "as20940", "as16625 akamai", "present mar", "present may", "as54113", "present apr", "ipv4 add", "url analysis", "servers", "emails", "hostname add", "present aug", "present sep", "present oct", "status", "present jul", "data upload", "extraction", "as208722 yandex", "russia unknown", "a domains", "expirestue", "path", "certificate", "medium", "alerts show", "ck technique", "technique id", "installs", "pe32", "intel", "ms windows", "high", "icmp traffic", "dns query", "packing t1045", "t1045", "screenshots", "file type", "date february", "pm size", "imphash pehash", "guard", "syst", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "spawns", "t1590 gather", "flag", "united kingdom", "command decode", "belgium belgium", "federation", "france france", "ireland ireland", "canada canada", "suricata ipv4", "click", "tesla hackers", "elon musk", "show", "richhash", "external", "virustotal api", "comments", "vendor finding", "notes clamav", "ms defender", "files matching", "copy", "found", "ssl certificate", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "yara rule", "reads", "number", "sample analysis", "hide samples", "entries", "samples show", "next yara", "detections name", "devcv5 ujrb", "ujrb", "uja1t", "show technique", "mitre att", "ck matrix", "ascii text", "pattern match", "sha1", "network traffic", "show process", "general" ], "references": [ "https://www.teslarati.com/spacex", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "https://www.teslarati.com/", "https://www.teslarati.com/spacex", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "Source : Binary File ATT&CK ID T1566.002", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "Detected Non-Google domain serving Google homepage details", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Japan" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "display_name": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "target": "/malware/Ms Defender\tTrojan:Win32/Qbot.KVD!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Jaik-9940406-0", "display_name": "Win.Malware.Jaik-9940406-0", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "display_name": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5894, "FileHash-MD5": 458, "FileHash-SHA1": 305, "FileHash-SHA256": 2481, "SSLCertFingerprint": 26, "hostname": 2406, "domain": 966, "email": 16, "CVE": 1 }, "indicator_count": 12553, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "98 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6939d93da11a7d2bf7535ef1", "name": "Tesla Hackers Log In | Disqus", "description": "I\u2019m not for certain when blog \u2018https://pickyhot.disqus.com/tsara-brashears\u2019 first appeared online. It was present in 2016 -2021. It was a porn spewing blog that obviously was full of tools. The lot pics debated targets race , beauty and other silly things. I don\u2019t know if target ever clicked on links. Tesla Hackers have played a major role in attacks against target. I haven\u2019t sifted through all malware yet. \n\n\n - Elon Musk - When Brashears suffered attempted hit on roadway she described suspect as an Elon Musk type, possible, offspring, or someone closely tied to him.", "modified": "2026-01-09T19:02:12.608000", "created": "2025-12-10T20:34:05.903000", "tags": [ "disqus", "disqus.com", "comments", "blog", "blogs", "discussion", "google facebook", "twitter", "microsoft apple", "email", "forgot password", "login", "sign", "general full", "url https", "security tls", "united", "asn54113", "fastly", "reverse dns", "resource", "hash", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "network traffic", "t1057", "path", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "signing defense", "file defense", "read c", "tlsv1", "search", "jfif", "ijg jpeg", "tls handshake", "failure", "show", "port", "execution", "next", "dock", "write", "persistence", "malware", "unknown", "waymo", "tesla", "musk", "austin", "bay area", "tesla ceo", "elon musk", "wednesday", "safety monitor", "synacktiv", "aaaa", "present jul", "status", "asnone country", "as13335", "present sep", "present apr", "present dec", "present jun", "lte all", "search otx", "additionally", "enter source", "url or", "data upload", "extraction", "entries", "present may", "dynamicloader", "as15169", "medium", "write c", "odigicert inc", "windows", "as54113", "worm", "copy", "explorer", "encrypt", "target tsraa brashears" ], "references": [ "http://pickyhot.disqus.com/", "https://www.teslarati.com/tesla-hackers", "https://pickyhot.disqus.com/tsara-brashears", "All tags auto populated including\u2019 Elon Musk\u2019", "Running webserver Running WordPress Running Drupal", "bulletproof.palantirapollo.com \u2022 vpn-etuleusj2dpr.palantirclou", "https://publicsector.google/404-page-not-found/\t \u2022 www.founderstack.pro \u2022 oedfoundation.org", "https://www.founderstack.pro/feedhive \u2022 https://coinbase.getro.com/companies/astar-foundation \u2022 founders-vision.com", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "www.endgame.com", "://blog.endgamesystems.com/ \u2022 http://httpswww.endgamesystems.com\t URL\thttp://wg41xm05b3.endgamesystems.com", "https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com\t\u2022 http://blog.endgamesystems.com", "https://httpswww.endgamesystems.com\t\u2022 https://wg41xm05b3.endgamesystems.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com", "https://blog.endgamesystems.com/\t\u2022 https://blog.endgamesystems.com", "http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/", "http://www.endgamesystems.com/", "Requires further research" ], "public": 1, "adversary": "Tesla Hackers", "targeted_countries": [], "malware_families": [ { "id": "Synacktiv", "display_name": "Synacktiv", "target": null }, { "id": "Tesla Hackers", "display_name": "Tesla Hackers", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Mofksys", "display_name": "Mofksys", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2523, "URL": 6583, "FileHash-SHA256": 1132, "domain": 1483, "FileHash-SHA1": 43, "SSLCertFingerprint": 17, "FileHash-MD5": 109, "email": 2 }, "indicator_count": 11892, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6935c92c5fc93fd873c6aa6d", "name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)", "description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727", "modified": "2026-01-06T18:04:02.620000", "created": "2025-12-07T18:36:28.055000", "tags": [ "memcommit", "read c", "t1082", "cryptexportkey", "invalid pointer", "write", "msil", "malware", "media", "autorun", "countries", "united", "america", "high defense", "evasion", "t1055", "ck technique", "technique id", "allocates", "potential code", "attempts", "threatintel", "dark web", "coinbasecartel", "ransomware", "osint", "tor", "data breach", "cinvestav", "ai generated", "ransomware leak", "page", "november", "investigacin y", "nacional", "mexican", "mexico", "present nov", "verdana", "td tr", "passive dns", "ip address", "urls", "aaaa", "present may", "present oct", "present jul", "virtool", "present sep", "present jun", "win32", "default", "unicode", "png image", "rgba", "high", "dock", "execution", "xport", "unknown", "data upload", "extraction", "will", "data", "name cloudflare", "hostmaster name", "org cloudflare", "townsend st", "city san", "us creation", "kelihos", "ipv4", "present dec", "files", "domain", "search", "hostname", "verdict", "location united", "asn as16625", "akamai", "urls show", "date checked", "url hostname", "server response", "google safe", "results nov", "present aug", "backdoor", "msie", "chrome", "trojan", "mtb aug", "worm", "cryp", "junkpoly", "twitter", "trojandropper", "title", "germany unknown", "ipv4 add", "pulse pulses", "hosting", "reverse dns", "cologne", "search engine", "gse compromised", "redacted for", "privacy admin", "privacy tech", "server", "organization", "street", "city", "stateprovince", "postal code", "country", "resolver domain", "cape sa", "virustot", "type pdf", "name", "lookups", "email abuse", "historical ssl", "certificates", "first", "graph summary", "cname", "address", "ip2location", "bogon ip", "admin", "network", "wifi password", "ssid", "demo", "details", "failed", "include review", "exclude sugges", "onlv", "x try", "find s", "typ url", "url data", "severity att", "module load", "icmp traffic", "dns query", "t1055 jseval", "windows nt", "port", "entries", "destination", "medium", "show", "pecompact", "june", "service", "next", "xserver", "encrypt", "t1129", "windows module", "dlls", "convention", "windows native" ], "references": [ "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "hallplan.vm05.iveins.de", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "Name : iveins.de Service : connect", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com", "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727" ], "public": 1, "adversary": "COINBASECARTEL", "targeted_countries": [ "United States of America", "Sweden", "Bangladesh", "Japan" ], "malware_families": [ { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "MSIL:Agent-DQ\\ [Trj]", "display_name": "MSIL:Agent-DQ\\ [Trj]", "target": null }, { "id": "VirTool:MSIL/Covent.A", "display_name": "VirTool:MSIL/Covent.A", "target": "/malware/VirTool:MSIL/Covent.A" }, { "id": "Trojan:Win32/Pynamer!rfn", "display_name": "Trojan:Win32/Pynamer!rfn", "target": "/malware/Trojan:Win32/Pynamer!rfn" }, { "id": "Win64:TrojanX", "display_name": "Win64:TrojanX", "target": null }, { "id": "VirTool:MSIL/Covent", "display_name": "VirTool:MSIL/Covent", "target": "/malware/VirTool:MSIL/Covent" }, { "id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "CVE-2025-11727", "display_name": "CVE-2025-11727", "target": null }, { "id": "Exploit:JS/CVE-2014-0322", "display_name": "Exploit:JS/CVE-2014-0322", "target": "/malware/Exploit:JS/CVE-2014-0322" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 117, "FileHash-SHA256": 1746, "URL": 5018, "hostname": 1827, "domain": 1072, "CVE": 3, "email": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9938, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693596f8cd50958de6e9415c", "name": "Eternal Blue Probe - YouTube - GSE", "description": "EternalBlue is an exploit that targets a critical vulnerability (CVE-2017-0144, part of the larger MS17-010 security bulletin) in Microsoft's implementation of the Server Message Block (SMB) version 1 (SMBv1) protocol, which is used for file and printer sharing on Windows networks. \nVulnerability: The flaw allows an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system by sending specially crafted packets to the SMBv1 server.\nOrigin: The exploit was developed by the NSA but was stolen and publicly leaked in April 2017 by a hacker group known as the Shadow Brokers.\nMajor Attacks: Shortly after its leak, EternalBlue was used in major, widespread cyberattacks, most notably the WannaCry and NotPetya ransomware outbreaks, which caused massive global disruption. The self-propagating \"wormable\" nature of the exploit allowed malware to spread rapidly across networks.", "modified": "2026-01-06T00:03:32.099000", "created": "2025-12-07T15:02:16.840000", "tags": [ "asn as8068", "cloud provider", "reverse dns", "america flag", "united", "america asn", "as8068", "united states", "avast avg", "ids detections", "yara detections", "probe ms17010", "smbds ipc", "av detections", "alerts", "read c", "medium", "rgba", "unicode", "msf style", "dock", "write", "execution", "malware", "eternal blue", "check in", "file score", "medium risk", "generic flags", "ms17010", "none alerts", "less ip", "contacted", "matches", "mirroring", "chromeshorts", "gse", "google", "youtube", "dating apps", "suspicious apps", "search engine", "redirect", "eternalblue" ], "references": [ "chromeshorts.com mirroring YouTube.com googlechinablog.com \u2022 www.google.com \u2022 108.177.121.105", "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010", "IDS Detections : Possible ETERNALBLUE Probe MS17-010 (MSF style)", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "IDS Detections: SMB-DS IPC$ unicode share access SMB-DS IPC$ share access", "Environment Awareness : Able to access user sensitive domai", "Alerts : suspicious_write_exe nids_exploit_alert process_martian injection_resumethread js_eval", "Alerts : network_http allocates_rwx suspicious_process stealth_window uses_windows_utilities", "Alerts : recono_fingerprint antivm_memory_available", "www.endgame.com", "admin-contact-api.uat2.white-label-dating.com \u2022 capi-sns.qa1.white-label-dating.com \u2022 http://payments.uat1.white-label-dating.com", "URL https://mailcatcher.qa2.white-label-dating.com", "Attackers : Christopher P. Ahmann , Hall Render , Brian Sabey & Co , Foundry , Tulach , Quasi government entities.", "Alt + Google \u2018branded\u2019 search engine (monitoring targets searches) YouTube mirroring.", "Suspicious apps" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 449, "FileHash-MD5": 26, "FileHash-SHA1": 6, "FileHash-SHA256": 169, "URL": 719, "domain": 86, "SSLCertFingerprint": 1 }, "indicator_count": 1456, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "103 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://www.anyxxxtube.net/search-porn/ - Adult Content", "Follow up need. This is a serious financial crime following the victims.", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "http://www.endgamesystems.com/", "More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010", "Alt + Google \u2018branded\u2019 search engine (monitoring targets searches) YouTube mirroring.", "165.206.254.134 \u2022 Description: CC=US ASN=AS6122", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "Information gathered equals 2 pulses. Pulse (1) included", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672", "https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content", "helloprismatic.com", "https://www.founderstack.pro/feedhive \u2022 https://coinbase.getro.com/companies/astar-foundation \u2022 founders-vision.com", "x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )", "https://www.endgamesystems.com/ \u2022 https://www.endgames.com/", "Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP", "jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content", "Victims have lost financial assets, jobs, vehicles", "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net", "192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company", "195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet", "Source : Binary File ATT&CK ID T1566.002", "Detected Non-Google domain serving Google homepage details", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content", "Brian Sabey", "205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d", "Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Alerts : network_http allocates_rwx suspicious_process stealth_window uses_windows_utilities", "http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content", "https://palantir-staging.staging.candidate.app.paulsjob.ai/", "Requires further research", "https://eliyporasa - Adult Content", "http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP", "http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside", "ipv4bot.whatismyipaddress.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content", "URL https://mailcatcher.qa2.white-label-dating.com", "https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available", "154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com", "http://pickyhot.disqus.com/", "https://www.endgames.us \u2022 https://www.endgames.us/", "Name : iveins.de Service : connect", "207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network", "www.anyxxxtube.net - Adult Content", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "Alerts : suspicious_write_exe nids_exploit_alert process_martian injection_resumethread js_eval", "https://apps.apple.com/app/", "Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi", "http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co", "Environment Awareness : Able to access user sensitive domai", "hallplan.vm05.iveins.de", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey", "IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com", "applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com", "httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022", "All tags auto populated including\u2019 Elon Musk\u2019", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content", "Suspicious apps", "https://www.teslarati.com/spacex", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "Christopher P. \u2018Buzz\u2019 Ahmann", "https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e", "bulletproof.palantirapollo.com \u2022 vpn-etuleusj2dpr.palantirclou", "Alerts : recono_fingerprint antivm_memory_available", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "tulach.cc", "www.endgame.com", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "www.anyxxxtube.net - Adult Content IP", "http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}", "http://wg41xm05b3.endgamesystems.com/", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "https://www.teslarati.com/tesla-hackers", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "://blog.endgamesystems.com/ \u2022 http://httpswww.endgamesystems.com\t URL\thttp://wg41xm05b3.endgamesystems.com", "sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022", "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "https://publicsector.google/404-page-not-found/\t \u2022 www.founderstack.pro \u2022 oedfoundation.org", "207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network", "https://pickyhot.disqus.com/tsara-brashears", "foundry.neconsside.com \u2022 http://foundry.neconsside.com", "64.38.232.180 - Adult Content IP", "95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome", "78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh", "Xpirat = doomscroller.io", "metropcs.com/account/sign-in.html", "asp.bet", "http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center", "admin-contact-api.uat2.white-label-dating.com \u2022 capi-sns.qa1.white-label-dating.com \u2022 http://payments.uat1.white-label-dating.com", "http://sissy.com/default - Adult Content", "https://blog.endgamesystems.com/\t\u2022 https://blog.endgamesystems.com", "wg41xm05b3.endgamesystems.com\t\u2022 http://blog.endgamesystems.com", "smtp.google.com \u2022 www.google.com/images/errors/robot.png", "132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/", "Attackers : Christopher P. Ahmann , Hall Render , Brian Sabey & Co , Foundry , Tulach , Quasi government entities.", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP", "http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.red-gate.com/products/smartassembly", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared", "https://httpswww.endgamesystems.com\t\u2022 https://wg41xm05b3.endgamesystems.com", "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "IDS Detections : Possible ETERNALBLUE Probe MS17-010 (MSF style)", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "IDS Detections: SMB-DS IPC$ unicode share access SMB-DS IPC$ share access", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "Running webserver Running WordPress Running Drupal", "https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content", "http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org", "https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main", "http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "chromeshorts.com mirroring YouTube.com googlechinablog.com \u2022 www.google.com \u2022 108.177.121.105", "Amnesty.org | remote.amnesty.org", "admin@bigtits.com", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3", "Delphi This program must be run under Win32 Compilers", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "https://www.teslarati.com/", "https://freedns.afraid.org/images/exclamation", "xred.mooo.com \u2022 mooo.com \u2022 afraid.org", "jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Tesla Hackers", "COINBASECARTEL" ], "malware_families": [ "Win64:trojanx", "Worm:win32/mofksys.rnd!mtb", "Pandex!gen1", "Alf:jasyp:trojan:win32/adialer", "Worm:win32/benjamin", "Appleservice", "Htbot", "Backdoor:win32/tofsee", "Trojan:win32/zombie.a", "Kelihos", "Tesla hackers", "Other malware", "Elf:mirai-gh\\ [trj]", "Lumen ip", "Cve-2025-11727", "Tibs", "Ms defender\ttrojan:win32/qbot.kvd!mtb", "Msil:agent-dq\\ [trj]", "Xpirat", "Win.malware.jaik-9968280-0", "Win.malware.msilperseus-6989564-0", "Win.downloader.small", "Autoit", "Win.malware.jaik-9940406-0", "Win32:malware", "Win.trojan.fenomengame-8", "Elf:ddos-s\\ [trj]", "Win.trojan.fenomengame-14", "Virtool:msil/covent.a", "Expiro", "Alf:jasyp:pua:win32/4shared", "Trojandownloader:win32/cutwail", "Trojan:win32/tiggre!rfn", "Win.trojan.ramnit-1847", "Ransom:win32/gandcrab", "Alf:jasyp:trojan:win32/genmaldown!atmn", "Mirai", "Et", "Unix.trojan.gafgyt-6981154-0", "Emotet", "\u2019m", "#lowfi:hstr:msil/obfuscator.deepsea", "Unknown malware \u2018can't access file\u2019", "Trojandropper:win32/muldrop", "Virtool:msil/covent", "Unix.dropper.mirai-7135870-0", "Exploit:win32/cve-2017-0147", "Win.trojan.installcore-877", "Exploit:js/cve-2014-0322", "Mirai sim swap", "Alf:jasyp:trojan:win32/ircbot!atmn", "Cve-2023-2868", "Tofsee", "Worm:win32/autorun", "Worm:win32/mydoom", "Win.malware.snojan-6775202-0", "Synacktiv", "Mofksys", "Trojan:win32/pynamer!rfn", "Win.trojan.barys-10005825-0" ], "industries": [ "Government", "Technology", "Education", "Financial", "Irs" ], "unique_indicators": 104900 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/ccedge.cn", "whois": "http://whois.domaintools.com/ccedge.cn", "domain": "ccedge.cn", "hostname": "cchlsa.ccedge.cn" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "69aa41b0d714318bf8937184", "name": "W.Vashti .Net obfuscator clone", "description": "", "modified": "2026-04-04T00:06:41.423000", "created": "2026-03-06T02:53:36.216000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": "6952d4fc6910b0b866746d8a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1969, "URL": 5700, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10779, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695555b664c8998371393b8f", "name": "\u200emyMetro App - App Store \u2022 Access Attack via iOS App", "description": "Apple iOS attack. Drive by compromise. Device fully compromised. Service provider incorrect. Device user does not use MetroPCS as Cellular carrier. \n\n#cyberwarfare #pegasus #endgame #apple #earsinthecornfield #compromised_device #zombie", "modified": "2026-01-30T16:01:37.437000", "created": "2025-12-31T16:56:22.577000", "tags": [ "espaol", "metro pcs", "metro", "english", "data", "privacy", "learn", "requires", "strong", "see all", "bernie", "mint", "never", "example", "click", "indonesia", "\u2019m", "win32mydoom dec", "united", "trojan", "name servers", "servers", "expiration date", "backdoor", "found", "passive dns", "gmt connection", "control", "content type", "twitter", "title", "aaaa", "ember cli", "ember view", "certificate", "win32", "invalid url", "body html", "head title", "title head", "body h1", "reference", "urls", "akamai", "unknown ns", "domain", "search", "ipv4", "files", "reverse dns", "location united", "america flag", "america asn", "dynamicloader", "port", "high", "medium", "windows", "displayname", "write", "destination", "tofsee", "stream", "malware", "hostile", "read c", "show", "rgba", "unicode", "whitelisted", "memcommit", "delete", "execution", "dock", "persistence", "msie", "chrome", "ip address", "otx telemetry", "unknown soa", "gmt content", "for privacy", "moved", "record value", "ubuntu date", "encrypt", "a domains", "welcome", "type", "content length", "ipv4 add", "url analysis", "accept", "overview domain", "files ip", "address", "location france", "asn as16276", "tags none", "indicator facts", "historical otx", "france unknown", "ovhcloud meta", "domain add", "present dec", "status", "service", "win32cutwail", "setcookie", "gmt server", "refloadapihash", "virtool", "present nov", "present oct", "all ipv4", "hostname", "present jul", "saudi arabia", "present mar", "present jun", "present feb", "entries", "france asn", "asn as16509", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "ascii text", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "hybrid", "local", "path", "strings", "delete c", "okrndate", "grum", "powershell", "pegasus", "unknown", "crlf line", "ff d5", "unicode text", "utf8", "ee fc", "yara rule", "f0 ff", "ff bb", "push", "autorun", "suspicious", "pulse pulses", "date", "music", "apple", "apple id", "show process", "flag", "markmonitor", "name tactics", "informative", "command", "adversaries", "spawns", "access att", "t1566 phishing", "zerobits", "allocationtype", "protect", "programfiles", "processhandle", "commitsize", "viewsize", "regionsize", "handles modules", "files amsi", "filehandle", "path filehandle", "porthandle", "copy md5", "copy sha1", "copy sha256", "href", "null", "refresh", "body", "span", "general", "error", "tools", "look", "verify", "restart", "html", "x22scriptx22", "binary file", "t1189", "cyberwarfare", "brian sabey", "never say anything", "christopher ahmann", "colorado state", "quasi", "zombie device", "present may", "emails", "exif standard", "tiff image", "windows nt", "wow64", "slcc2", "media center", "jpeg image", "copy", "next", "pecompact", "february", "packer", "delphi", "code", "tlsv1", "ogoogle trust", "xserver", "lowfi", "creation date", "domain name", "showing", "ids detections", "yara detections", "worm", "arial", "present aug", "meta", "dns domain", "site", "free dns", "msil", "dnssec", "penetration", "injections", "dead host" ], "references": [ "https://apps.apple.com/app/", "metropcs.com/account/sign-in.html", "smtp.google.com \u2022 www.google.com/images/errors/robot.png", "https://www.endgamesystems.com/ \u2022 https://www.endgames.com/", "https://freedns.afraid.org/images/exclamation", "xred.mooo.com \u2022 mooo.com \u2022 afraid.org", "admin@bigtits.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Trojan.Installcore-877", "display_name": "Win.Trojan.Installcore-877", "target": null }, { "id": "Win.Downloader.Small", "display_name": "Win.Downloader.Small", "target": null }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Tibs", "display_name": "Tibs", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ALF:JASYP:PUA:Win32/4Shared", "display_name": "ALF:JASYP:PUA:Win32/4Shared", "target": null } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1577", "name": "Compromise Application Executable", "display_name": "T1577 - Compromise Application Executable" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1086", "name": "PowerShell", "display_name": "T1086 - PowerShell" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1863, "URL": 4952, "FileHash-SHA256": 1990, "FileHash-MD5": 981, "FileHash-SHA1": 791, "email": 26, "domain": 1277, "SSLCertFingerprint": 24 }, "indicator_count": 11904, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "78 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952d4fc6910b0b866746d8a", "name": ".NET Obfuscator, Error Reporting, DLL Merging | SmartAssembly | Spycloud", "description": "*Mirai | Currently being used maliciously. Mirai botnet work in place. Obfuscation, call redirection, evasion , chatbots, spyware , cal retrieval , typosquating , and other tactics used against victim. Red hats being unethical is expected.. This team is attacking in this instance. Screen Capture 24/7. Malicious media +++ from Englewood, Co. \n\nWhen used ethically SmartAssembly protects your code and Intellectual Property with powerful obfuscation features, and provides error reports when your application crashes in the wild, as well as a range of other tools for database management and data management.\n#palantir #foundry #denver #englewood #colorado #spycloud #mirai #botnet", "modified": "2026-01-28T18:03:54.589000", "created": "2025-12-29T19:22:36.103000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1967, "URL": 5699, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10776, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "80 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "694dc80ac6e7fd5474b316a1", "name": "Malicious DDOS attacks targeting Brand New 2025 | Updated Apple Products affecting IRS payment portal", "description": "Malicious actors continue to target certain users attempting to pay the IRS. Victim is redirected to : http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan after typing in IRS.gov (w/ secure header \u2018https\u2019 )\nOnce information is input it is payment is rejected, levy against bank accounts and assets and other threats. There is social engineering as one victim is communicating with someone allegedly from the IRS? \nAlthough malicious entities contacted , malicious behavior continues. Adversaries in the Middle attack. US hacker group. Denver, Iowa, Arizona, NY and abroad. \n\n*Targets: https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main |", "modified": "2026-01-24T22:05:13.068000", "created": "2025-12-25T23:26:02.712000", "tags": [ "hash avast", "avg clamav", "msdefender feb", "url http", "url https", "zipcode", "active related", "cage01195 dec", "passports", "ipv4", "active", "irs", "apple", "role title", "indicator role", "malware attacks", "find encrypted", "lumen", "fastly", "create c", "read c", "delete", "write", "default", "medium", "rgba", "dock", "execution", "xport", "united", "passive dns", "urls", "expiration date", "unknown ns", "unknown aaaa", "pulse pulses", "merit", "dod network", "type indicator", "related pulses", "name", "name servers", "ffffff", "ip address", "emails", "object", "clsid6bf52a52", "cookie", "meta", "united kingdom", "germany", "russia", "search", "added active", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "href", "pattern match", "ascii text", "ck id", "mitre att", "ck matrix", "t1071", "general", "local", "path", "iframe", "click", "beginstring", "segoe ui", "null", "refresh", "span", "hybrid", "strings", "error", "tools", "title", "look", "verify", "restart", "data upload", "extraction", "failed", "include data", "entries", "unicode", "high", "memcommit", "next", "flag", "process details", "path expiresthu", "moved", "gmt set", "domain", "httponly path", "encrypt", "leaseweb", "iowa", "title added", "bad traffic", "et info", "tls handshake", "failure", "command decode", "suricata stream", "circle", "f5f8fa", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "development att", "suricata http", "windows nt", "date", "ips initial", "prefetch8", "localappdata", "prefetch1", "programfiles", "edge", "access att", "t1566 phishing", "initial access", "show process", "show technique", "process", "t1057", "contacted", "ck techniques", "evasion att", "body", "report spam", "apple", "ddos", "irs created", "hours ago", "white", "apple user", "industries", "government", "finance", "trojandropper", "appleservice", "mirai", "trojan", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "alerts", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "analysis date", "file score", "medium risk", "copy", "richhash", "finding notes", "clamav malware", "files matching", "number", "sample analysis", "samples show", "date hash", "yara rule", "msie", "t1063", "windows", "malware", "detected", "https domain", "tls sni", "markus", "smartassembly", "win64", "exif data", "present dec", "status", "showing", "show", "icmp traffic", "pdb path", "crlf line", "mutex", "ms defender", "mtb malware", "hide samples", "rootkit", "apple webkit", "macbook pro", "apple ios" ], "references": [ "sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022", "132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center", "154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc", "165.206.254.134 \u2022 Description: CC=US ASN=AS6122", "192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company", "195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet", "205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company", "207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network", "207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network", "214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center", "216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies", "78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh", "95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content", "http://www.anyxxxtube.net/search-porn/ - Adult Content", "https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content", "https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content", "http://sissy.com/default - Adult Content", "https://eliyporasa - Adult Content", "64.38.232.180 - Adult Content IP", "www.anyxxxtube.net - Adult Content", "www.anyxxxtube.net - Adult Content IP", "http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content", "http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP", "jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP", "https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP", "http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP", "http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP", "http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP", "httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022", "http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org", "asp.bet", "apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net", "https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c", "https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main", "http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com", "jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com", "https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e", "Information gathered equals 2 pulses. Pulse (1) included", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "Follow up need. This is a serious financial crime following the victims.", "Victims have lost financial assets, jobs, vehicles", "Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado", "After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Win.Malware.Msilperseus-6989564-0", "display_name": "Win.Malware.Msilperseus-6989564-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.Ramnit-1847", "display_name": "Win.Trojan.Ramnit-1847", "target": null }, { "id": "Win.Trojan.Fenomengame-14", "display_name": "Win.Trojan.Fenomengame-14", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "Mirai Sim Swap", "display_name": "Mirai Sim Swap", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Lumen IP", "display_name": "Lumen IP", "target": null }, { "id": "Unknown Malware \u2018Can't access file\u2019", "display_name": "Unknown Malware \u2018Can't access file\u2019", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Win.Trojan.Fenomengame-8", "display_name": "Win.Trojan.Fenomengame-8", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Adialer", "display_name": "ALF:JASYP:Trojan:Win32/Adialer", "target": null }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Financial", "Government", "Technology", "IRS" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 363, "FileHash-SHA1": 360, "FileHash-SHA256": 3009, "URL": 3504, "domain": 879, "email": 15, "hostname": 1487, "SSLCertFingerprint": 3 }, "indicator_count": 9620, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "84 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6946fdbb4a22dc28d60d6ca2", "name": "Expiro - DoomScroller \u2022 BrowseHappy | Part 2", "description": "Pulse: \u00c2\u00a31.1bn.io.com, a search engine for the most popular websites on the planet, is now available on Facebook, Twitter, Instagram and YouTube.", "modified": "2026-01-19T19:04:41.997000", "created": "2025-12-20T19:49:15.713000", "tags": [ "doomscroller", "browsehappy", "xpirat", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "united", "tlsv1", "execution", "dock", "write", "persistence", "encrypt", "meta", "browse happy", "worry", "body doctype", "online", "gmt server", "a domains", "ipv4 add", "win32", "trojandropper", "title", "date", "unknown", "post http", "cryptexportkey", "cryptgenkey", "calgrc4", "expiro", "temple", "xserver", "adversaries", "worry wordpress" ], "references": [ "Xpirat = doomscroller.io" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Xpirat", "display_name": "Xpirat", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5576, "domain": 1502, "FileHash-MD5": 116, "FileHash-SHA1": 73, "FileHash-SHA256": 1041, "SSLCertFingerprint": 1, "hostname": 1951 }, "indicator_count": 10260, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6944ce38344ccded23df66f5", "name": "Ransom - Amnesty.org - a single link in a Pegasus attack against a civilian.", "description": "I don\u2019t have the right words to put this together because it involves so much coercion, fraud, betrayal, manipulation , hacking, multiple business fronts, loud mouth mafia plants, working with someone under false pretenses, redhat security teams in Denver , Colorado, false implications of cyber attacks coming from foreign entities. \n\nTips come from a highly reliable sources. One link in a Pegasus attack .", "modified": "2026-01-18T03:05:59.836000", "created": "2025-12-19T04:02:00.973000", "tags": [ "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "free", "benjamin", "write", "worm", "win32", "code", "june", "delphi", "malware", "benjamin", "tulach", "state of colorado", "christopher p. \u2018buzz\u2019 ahmann", "danica implants", "nids_malware_alert", "bonu$", "network_icmp", "network_irc", "persistence_autorun", "network_http", "nids_alert", "allocates_rwx", "hackers", "creates_exe", "brian sabey", "sour del", "packer_entropy", "antivm_memory_available", "pe_features", "get key", "crime", "organized crime", "federal crime", "cyber crime", "piracy", "status", "china unknown", "name servers", "div div", "ip address", "domain", "creation date", "record value", "meta", "title", "hong kong", "passive dns", "gmt content", "type", "content length", "ipv4 add", "urls", "files", "location hong", "twitter", "youtube", "side 3 studios", "denver music", "infiltration", "whistleblower", "getkey", "cyber warfare", "fraud", "financial crimes", "pegasus", "music front", "france unknown", "present feb", "iran unknown", "present nov", "present jun", "present jan", "hidden", "present jul", "date", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "llc name", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "show technique", "ck matrix", "ascii text", "href", "show process", "file", "general", "local", "path", "memory dumping", "entries", "icmp delphi", "showing", "delete", "yara detections", "windows nt", "wow64", "khtml", "gecko", "dns query", "packing t1045", "ransom", "cve", "palantir", "remote", "graham" ], "references": [ "Amnesty.org | remote.amnesty.org", "tulach.cc", "Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP", "Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http", "Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available", "Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi", "Delphi This program must be run under Win32 Compilers", "More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de", "http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}", "Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey", "http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co", "ipv4bot.whatismyipaddress.com", "helloprismatic.com", "https://palantir-staging.staging.candidate.app.paulsjob.ai/", "Brian Sabey", "Christopher P. \u2018Buzz\u2019 Ahmann" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Ransom:Win32/GandCrab", "display_name": "Ransom:Win32/GandCrab", "target": "/malware/Ransom:Win32/GandCrab" }, { "id": "CVE-2023-2868", "display_name": "CVE-2023-2868", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 429, "FileHash-SHA1": 341, "FileHash-SHA256": 2766, "URL": 6976, "domain": 1151, "CVE": 2, "email": 3, "hostname": 2913, "SSLCertFingerprint": 4 }, "indicator_count": 14585, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "91 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693f5674439d297728312967", "name": "BeenVerified.com | Malicious Information Doman |", "description": "34.232.241.155:443 (segment.prod.bidr.io)\t GET\tsegment.prod.bidr.io/associate-segment?buzz_key=tatari&segment_key=tatari-983&value=&uncacheplz=9327084282", "modified": "2026-01-14T00:04:33.341000", "created": "2025-12-15T00:29:40.025000", "tags": [ "united", "as13335", "as14061", "cname", "as20940", "date", "name", "status", "present dec", "present nov", "unknown", "body", "cluster", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "search", "read c", "show", "execution", "next", "dock", "write", "capture", "persistence", "local", "copy", "trojan", "win32", "mtb oct", "entries", "passive dns", "next associated", "msr feb", "gmt cache", "ipv4 add", "title", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "flag united", "name servers", "creation date", "emails", "domain name", "expiration date", "servers", "error", "flag", "prefetch8", "prefetch1", "win64", "khtml", "gecko", "pcap frame", "microsoft edge", "strings", "show process", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "network traffic", "ogoogle trust", "pattern match", "path", "hybrid", "cookie", "general", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "spawns", "ssl certificate", "click" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1764, "FileHash-SHA256": 1006, "URL": 5427, "domain": 442, "email": 3, "FileHash-MD5": 115, "FileHash-SHA1": 62, "SSLCertFingerprint": 21 }, "indicator_count": 8840, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693f5675e3f12fa3229bdcb3", "name": "BeenVerified.com | Malicious Information Doman |", "description": "34.232.241.155:443 (segment.prod.bidr.io)\t GET\tsegment.prod.bidr.io/associate-segment?buzz_key=tatari&segment_key=tatari-983&value=&uncacheplz=9327084282", "modified": "2026-01-14T00:04:33.341000", "created": "2025-12-15T00:29:41.963000", "tags": [ "united", "as13335", "as14061", "cname", "as20940", "date", "name", "status", "present dec", "present nov", "unknown", "body", "cluster", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "search", "read c", "show", "execution", "next", "dock", "write", "capture", "persistence", "local", "copy", "trojan", "win32", "mtb oct", "entries", "passive dns", "next associated", "msr feb", "gmt cache", "ipv4 add", "title", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "flag united", "name servers", "creation date", "emails", "domain name", "expiration date", "servers", "error", "flag", "prefetch8", "prefetch1", "win64", "khtml", "gecko", "pcap frame", "microsoft edge", "strings", "show process", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "network traffic", "ogoogle trust", "pattern match", "path", "hybrid", "cookie", "general", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "spawns", "ssl certificate", "click" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1764, "FileHash-SHA256": 1006, "URL": 5427, "domain": 442, "email": 3, "FileHash-MD5": 115, "FileHash-SHA1": 62, "SSLCertFingerprint": 21 }, "indicator_count": 8840, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693f57720ddcc1a02d19a78f", "name": "GameHack Malware | BeenVerified.com | Information Doman |", "description": "", "modified": "2026-01-14T00:04:33.341000", "created": "2025-12-15T00:33:54.304000", "tags": [ "united", "as13335", "as14061", "cname", "as20940", "date", "name", "status", "present dec", "present nov", "unknown", "body", "cluster", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "search", "read c", "show", "execution", "next", "dock", "write", "capture", "persistence", "local", "copy", "trojan", "win32", "mtb oct", "entries", "passive dns", "next associated", "msr feb", "gmt cache", "ipv4 add", "title", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "flag united", "name servers", "creation date", "emails", "domain name", "expiration date", "servers", "error", "flag", "prefetch8", "prefetch1", "win64", "khtml", "gecko", "pcap frame", "microsoft edge", "strings", "show process", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "network traffic", "ogoogle trust", "pattern match", "path", "hybrid", "cookie", "general", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "spawns", "ssl certificate", "click" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": "693f5674439d297728312967", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1764, "FileHash-SHA256": 1006, "URL": 5427, "domain": 442, "email": 3, "FileHash-MD5": 115, "FileHash-SHA1": 62, "SSLCertFingerprint": 21 }, "indicator_count": 8840, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693de4a8a72cf95b028365f0", "name": "Bot Block 162.159.128.0/19 | X Fake tweets | Tofsee", "description": "Tofsee.Trojan.T malware infection affects infected devices. \n\n\n#unlocked #injection #dead_host #compromised_devices #folk_in _browser #botnets", "modified": "2026-01-12T21:02:35.560000", "created": "2025-12-13T22:11:52.474000", "tags": [ "network", "ip address", "subnet", "dynamicloader", "port", "destination", "high", "windows", "united", "write", "tofsee", "stream", "win64", "push", "urls", "url analysis", "dnssec", "script domains", "encrypt", "url add", "http", "related nids", "flag united", "germany", "address google", "passive dns", "ipv4 add", "files", "asn as13335", "dns resolutions", "domains top", "level", "unique tlds", "location united", "asn asnone", "present dec", "backdoor", "lowfi", "win32autoit mar", "urls show", "date checked", "connection", "httponly", "secure", "path", "expiressat", "dynamic cfray", "medium", "delete c", "displayname", "show", "unknown", "next", "rndhex", "malware", "cname", "next associated", "url hostname", "server response", "google safe", "read c", "unicode", "png image", "rgba", "memcommit", "dock", "execution", "files location", "china flag", "china hostname", "hostname", "domain", "files ip", "address", "asn as45102", "gmt content", "certificate", "associated urls", "location china", "china asn", "as4808 china", "present aug", "object", "present apr", "present oct", "alman", "present sep", "error", "present jul", "rmndrp", "present feb", "expiration", "url https", "url http", "iocs", "review iocs", "expireswed", "samesitenone", "maxage86400", "maxage0", "server", "expires", "victina nulcac", "data upload", "extraction", "enter", "enter source", "url data", "type", "extract indic", "included iocs", "china unknown", "botnet", "folk in browser", "japan unknown", "asnone country", "as13335", "a domains", "script urls", "servers", "title", "moved", "record value", "entries", "whitelisted", "powershell", "xf9xb5xf9", "xxcexf6x8fr", "k2xe7xcbxxeaxa2", "x99x19", "x88yxf9xc858", "x83x12x8da", "zx9bx8ex84", "attempts", "yara detections", "contacted", "tags none", "file type", "pe packer", "dll compilation", "guard", "botnets" ], "references": [ "https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet", "x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )", "foundry.neconsside.com \u2022 http://foundry.neconsside.com", "http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside", "IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America", "Russian Federation", "T\u00fcrkiye", "Netherlands" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "HtBot", "display_name": "HtBot", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1481", "name": "Web Service", "display_name": "T1481 - Web Service" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8145, "domain": 1389, "FileHash-SHA256": 1545, "CIDR": 2, "hostname": 2533, "FileHash-MD5": 209, "FileHash-SHA1": 190, "email": 6, "SSLCertFingerprint": 4 }, "indicator_count": 14023, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cchlsa.ccedge.cn/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cchlsa.ccedge.cn/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776597445.2205822 }