{ "type": "URL", "indicator": "https://cdn-cloudfront.riverside.rocks", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cdn-cloudfront.riverside.rocks", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3780716133, "indicator": "https://cdn-cloudfront.riverside.rocks", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 17, "pulses": [ { "id": "69a9e7c572b8411d126215a6", "name": "@scoreblue callback clone", "description": "", "modified": "2026-03-06T05:11:18.020000", "created": "2026-03-05T20:29:57.169000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b8a052c4160dbd76054f8a", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3267, "domain": 1459, "hostname": 1268, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9172, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916d97edb28b2616ffac3ab", "name": "njRAT| BazarLoader| Darkside 2020 .Beware \u2022 WebToolbar \u2022 Qbot", "description": "", "modified": "2025-11-14T07:41:19.912000", "created": "2025-11-14T07:25:50.524000", "tags": [ "whois record", "ssl certificate", "historical ssl", "resolutions", "referrer", "communicating", "subdomains", "domains", "problems", "urls http", "ransomware", "malware", "contacted", "dropped", "execution", "tsara brashears", "apple ios", "whois whois", "unlocker", "njrat", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "installer", "awful", "open", "banker", "keylogger", "malicious", "tofsee", "mitre attack", "et", "cisco umbrella", "internet storm", "site", "covid19", "cyber threat", "safe site", "cobalt strike", "malicious url", "alexa", "script urls", "united", "a domains", "as396982 google", "as15169 google", "search", "cname", "accept encoding", "showing", "unknown", "date", "body", "meta", "encrypt", "domain related", "as396982", "creation date", "expiration date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "passive dns", "urls", "next", "all search", "otx octoseek", "as7922 comcast", "as16276", "as54113", "aaaa", "france unknown", "as14061", "status", "as40509", "ip address", "for privacy", "as44273 host", "record value", "certificate", "gmt content", "x sucuri", "as8075", "nxdomain", "as30148 sucuri", "as20940", "as31898 oracle", "hong kong", "as139021", "msie", "chrome", "ipv4", "blacklist http", "detection list", "blacklist", "files", "location hong", "kong asn", "tags none", "indicator facts", "name verdict", "falcon sandbox", "mail spammer", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "heur", "malicious site", "alexa top", "million", "alexa proxy", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "artemis", "dropper", "mediaget", "crack", "spammer", "france mail", "summary", "url summary", "phishing", "union", "team", "bank", "unsafe", "threat report", "ip summary", "pattern match", "script", "et tor", "known tor", "relayrouter", "node traffic", "misc attack", "beginstring", "null", "error", "span", "class", "generator", "refresh", "tools", "hybrid", "general", "click", "strings", "servers", "ps ord", "name servers", "poetry", "moved", "content length", "content type", "x powered", "poems", "poem", "topic", "topics", "poem topics", "free poems", "love poems", "romantic poems", "classic poems", "friendship poems", "shone pale", "herself", "heavens", "her beam", "a fleecy", "proud evening", "star", "thou bearest", "heaven", "than", "google", "http", "leasewebuklon11", "search live", "api blog", "docs pricing", "login", "february", "gb summary", "london", "april", "screenshot", "url https", "reverse dns", "general full", "name value", "frankfurt", "main", "germany", "asn15169", "resource", "hashes", "copyright", "gmbh version", "follow", "blacklist https", "phishing site", "malware site", "riskware", "opencandy", "cleaner", "iframe", "xtrat", "agent", "softcnapp", "generic", "patcher", "driverpack", "exploit", "mimikatz", "downldr", "presenoker", "fusioncore", "wacatac", "beach research", "trojanspy", "maltiverse", "firehol", "proxy", "anonymizer", "adware", "kuaizip", "downer", "tag count", "tue apr", "sample", "samples", "fakealert", "genkryptik", "icedid", "coinminer", "nircmd", "swrort", "systweak", "behav", "tiggre", "filetour", "quasar rat", "fuery", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "a9dia", "a1ginaprincipal", "emails", "registrar", "http header", "tcp traffic", "et useragents", "unknown traffic", "antivirus", "server", "gmt united", "accept", "local", "path", "falcon", "file", "ascii text", "windows nt", "png image", "appdata", "jpeg image", "indicator", "twitter", "westlaw njrat", "zuorat", "skynet bot", "glupteba", "asn4583", "thomsonreuters", "asn209242", "june", "back", "united kingdom", "cisco", "umbrella rank", "rank", "page url", "as autonomous", "system", "yndx", "ipasns ip", "november", "de summary", "comodo rsa", "security tls", "software", "resource hash", "security", "ecdhersa", "de indicators", "de page", "url history", "javascript", "gts ca", "secure server", "markmonitor", "ip information", "detail domains", "domain tree", "links certs", "frames domain", "requested", "threat roundup", "march", "threat round", "parent parent", "roundup", "january", "threats", "qbot", "cyberwar", "skynet", "radar ineractive", "control server", "engineering", "host", "services", "pony", "nanocore rat", "meterpreter", "zeus", "zbot", "suppobox", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "laplasclipper", "asn16276", "get h2", "kb image", "august", "kali", "localappdata", "network traffic", "binary file", "svg scalable", "vector graphics", "mwin", "domain", "url http", "pulse pulses", "related nids", "files location", "customer", "address", "as29789", "hosting", "location united", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "urls date", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present mar", "pulse indicator", "protocol h2", "value", "variables", "waypoint object", "gsqueue", "isotope", "hostnames", "ice fog", "maltiverse top", "financial", "as62597 nsone", "sec ch", "domains show", "entries", "as14720 gamma", "canada unknown", "as397241", "as13335", "applicunwnt", "xrat", "maltiverse safe", "aig", "soc", "hallrender", "brian sabey", "mark brian sabey", "sabey", "mark", "sabey", "data center", "malvertizing", "malware host", "scanning host", "botnetwork", "colorado", "edsaid", "geotracking", "satellite tracking", "radar tracking", "pornhub", "child teen content illegal", "social engineering", "cyber stalking", "CVE-2023-4966", "device control", "camera usage", "hidden users", "message interception", "text archiver", "mail collection", "remote attacks", "js", "python", "inject", "sql", "extraction", "AIG Claims", "hallrender.com", "soc", "milemighmedia", "westlaw", "revengeporn", "bot", "regex", "ai", "yandex" ], "references": [ "web2.westlaw.com (redirects to thbrzzrstr.me)", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Malware Host: HallRender.com", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "safebae.org", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Poemhunter.com + rally point.com = pornhub.dev", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://matrix.pornhub.dev", "nr-data.net", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "https://apple.pantion.top/", "newrelic.se", "user-apple.info", "appleid-comloginaccount.info", "init-p01st.push.apple.com", "boostmobile.com", "www.metrobyt-mobile.com", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "https://b.link/infringement", "my.mintmobile.com", "CVE-2023-4966", "http://watchhers.net/index.php", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A" ], "public": 1, "adversary": "", "targeted_countries": [ "Spain", "Netherlands", "Canada", "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1427", "name": "Attack PC via USB Connection", "display_name": "T1427 - Attack PC via USB Connection" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1173", "name": "Dynamic Data Exchange", "display_name": "T1173 - Dynamic Data Exchange" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "green", "cloned_from": "654971c396ca4306a6534b12", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4037, "hostname": 2241, "URL": 2516, "FileHash-MD5": 1224, "FileHash-SHA1": 783, "FileHash-SHA256": 2796, "CVE": 10, "email": 25 }, "indicator_count": 13632, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d95bd10bfcc8c3dd66a44d", "name": "Qbot ", "description": "", "modified": "2024-09-05T09:51:10.113000", "created": "2024-09-05T07:20:49.138000", "tags": [ "whois record", "ssl certificate", "historical ssl", "resolutions", "referrer", "communicating", "subdomains", "domains", "problems", "urls http", "ransomware", "malware", "contacted", "dropped", "execution", "tsara brashears", "apple ios", "whois whois", "unlocker", "njrat", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "installer", "awful", "open", "banker", "keylogger", "malicious", "tofsee", "mitre attack", "et", "cisco umbrella", "internet storm", "site", "covid19", "cyber threat", "safe site", "cobalt strike", "malicious url", "alexa", "script urls", "united", "a domains", "as396982 google", "as15169 google", "search", "cname", "accept encoding", "showing", "unknown", "date", "body", "meta", "encrypt", "domain related", "as396982", "creation date", "expiration date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "passive dns", "urls", "next", "all search", "otx octoseek", "as7922 comcast", "as16276", "as54113", "aaaa", "france unknown", "as14061", "status", "as40509", "ip address", "for privacy", "as44273 host", "record value", "certificate", "gmt content", "x sucuri", "as8075", "nxdomain", "as30148 sucuri", "as20940", "as31898 oracle", "hong kong", "as139021", "msie", "chrome", "ipv4", "blacklist http", "detection list", "blacklist", "files", "location hong", "kong asn", "tags none", "indicator facts", "name verdict", "falcon sandbox", "mail spammer", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "heur", "malicious site", "alexa top", "million", "alexa proxy", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "artemis", "dropper", "mediaget", "crack", "spammer", "france mail", "summary", "url summary", "phishing", "union", "team", "bank", "unsafe", "threat report", "ip summary", "pattern match", "script", "et tor", "known tor", "relayrouter", "node traffic", "misc attack", "beginstring", "null", "error", "span", "class", "generator", "refresh", "tools", "hybrid", "general", "click", "strings", "servers", "ps ord", "name servers", "poetry", "moved", "content length", "content type", "x powered", "poems", "poem", "topic", "topics", "poem topics", "free poems", "love poems", "romantic poems", "classic poems", "friendship poems", "shone pale", "herself", "heavens", "her beam", "a fleecy", "proud evening", "star", "thou bearest", "heaven", "than", "google", "http", "leasewebuklon11", "search live", "api blog", "docs pricing", "login", "february", "gb summary", "london", "april", "screenshot", "url https", "reverse dns", "general full", "name value", "frankfurt", "main", "germany", "asn15169", "resource", "hashes", "copyright", "gmbh version", "follow", "blacklist https", "phishing site", "malware site", "riskware", "opencandy", "cleaner", "iframe", "xtrat", "agent", "softcnapp", "generic", "patcher", "driverpack", "exploit", "mimikatz", "downldr", "presenoker", "fusioncore", "wacatac", "beach research", "trojanspy", "maltiverse", "firehol", "proxy", "anonymizer", "adware", "kuaizip", "downer", "tag count", "tue apr", "sample", "samples", "fakealert", "genkryptik", "icedid", "coinminer", "nircmd", "swrort", "systweak", "behav", "tiggre", "filetour", "quasar rat", "fuery", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "a9dia", "a1ginaprincipal", "emails", "registrar", "http header", "tcp traffic", "et useragents", "unknown traffic", "antivirus", "server", "gmt united", "accept", "local", "path", "falcon", "file", "ascii text", "windows nt", "png image", "appdata", "jpeg image", "indicator", "twitter", "westlaw njrat", "zuorat", "skynet bot", "glupteba", "asn4583", "thomsonreuters", "asn209242", "june", "back", "united kingdom", "cisco", "umbrella rank", "rank", "page url", "as autonomous", "system", "yndx", "ipasns ip", "november", "de summary", "comodo rsa", "security tls", "software", "resource hash", "security", "ecdhersa", "de indicators", "de page", "url history", "javascript", "gts ca", "secure server", "markmonitor", "ip information", "detail domains", "domain tree", "links certs", "frames domain", "requested", "threat roundup", "march", "threat round", "parent parent", "roundup", "january", "threats", "qbot", "cyberwar", "skynet", "radar ineractive", "control server", "engineering", "host", "services", "pony", "nanocore rat", "meterpreter", "zeus", "zbot", "suppobox", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "laplasclipper", "asn16276", "get h2", "kb image", "august", "kali", "localappdata", "network traffic", "binary file", "svg scalable", "vector graphics", "mwin", "domain", "url http", "pulse pulses", "related nids", "files location", "customer", "address", "as29789", "hosting", "location united", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "urls date", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present mar", "pulse indicator", "protocol h2", "value", "variables", "waypoint object", "gsqueue", "isotope", "hostnames", "ice fog", "maltiverse top", "financial", "as62597 nsone", "sec ch", "domains show", "entries", "as14720 gamma", "canada unknown", "as397241", "as13335", "applicunwnt", "xrat", "maltiverse safe", "aig", "soc", "hallrender", "brian sabey", "mark brian sabey", "sabey", "mark", "sabey", "data center", "malvertizing", "malware host", "scanning host", "botnetwork", "colorado", "edsaid", "geotracking", "satellite tracking", "radar tracking", "pornhub", "child teen content illegal", "social engineering", "cyber stalking", "CVE-2023-4966", "device control", "camera usage", "hidden users", "message interception", "text archiver", "mail collection", "remote attacks", "js", "python", "inject", "sql", "extraction", "AIG Claims", "hallrender.com", "soc", "milemighmedia", "westlaw", "revengeporn", "bot", "regex", "ai", "yandex" ], "references": [ "web2.westlaw.com (redirects to thbrzzrstr.me)", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Malware Host: HallRender.com", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "safebae.org", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Poemhunter.com + rally point.com = pornhub.dev", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://matrix.pornhub.dev", "nr-data.net", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "https://apple.pantion.top/", "newrelic.se", "user-apple.info", "appleid-comloginaccount.info", "init-p01st.push.apple.com", "boostmobile.com", "www.metrobyt-mobile.com", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "https://b.link/infringement", "my.mintmobile.com", "CVE-2023-4966", "http://watchhers.net/index.php", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A" ], "public": 1, "adversary": "", "targeted_countries": [ "Spain", "Netherlands", "Canada", "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1427", "name": "Attack PC via USB Connection", "display_name": "T1427 - Attack PC via USB Connection" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1173", "name": "Dynamic Data Exchange", "display_name": "T1173 - Dynamic Data Exchange" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "green", "cloned_from": "654971c396ca4306a6534b12", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4091, "hostname": 2422, "URL": 3167, "FileHash-MD5": 1424, "FileHash-SHA1": 983, "FileHash-SHA256": 3174, "CVE": 10, "email": 25 }, "indicator_count": 15296, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b8a052c4160dbd76054f8a", "name": "Callback Phishing Campaign | Pegasus | Callback Phishing | https://safebae.org/", "description": "Multiple ransomware groups have adopted the BazarCall callback phishing technique a sophisticated scam; to gain initial access to victims' networks\nCallback phishing is a relying on a multi-stage process, exploiting trust to manipulate victims into divulging sensitive information or. At its core, callback phishing is a sophisticated social engineering tactic that triggers an emotional reaction from a victim and compels them to engage.\n\nStrange alleged tribute website appears to target Tsara Brashears. The alleged SA victims name is Catherine 'Daisy' Coleman name isn't part infrastructure. Malicious", "modified": "2024-02-29T04:00:48.424000", "created": "2024-01-30T07:08:02.918000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c970b55f5040aee8c91a55", "name": "Callback Phishing Campaign | Pegasus", "description": "", "modified": "2024-02-29T04:00:48.424000", "created": "2024-02-12T01:13:25.034000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b8a05a0b9ebf8d916f0a6d", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be8c8b8997508722c642ee", "name": "Phishing Campaign | Pegasus ", "description": "", "modified": "2024-02-29T04:00:48.424000", "created": "2024-02-03T18:57:15.475000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b8a05a0b9ebf8d916f0a6d", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b9716ef65566497546a7b1", "name": "Callback Phishing Campaign | Pegasus | https://safebae.org/", "description": "", "modified": "2024-02-29T04:00:48.424000", "created": "2024-01-30T22:00:14.725000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b8a05a0b9ebf8d916f0a6d", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b8a05a0b9ebf8d916f0a6d", "name": "Callback Phishing Campaign | Pegasus | Callback Phishing | https://safebae.org/", "description": "Multiple ransomware groups have adopted the BazarCall callback phishing technique a sophisticated scam; to gain initial access to victims' networks\nCallback phishing is a relying on a multi-stage process, exploiting trust to manipulate victims into divulging sensitive information or. At its core, callback phishing is a sophisticated social engineering tactic that triggers an emotional reaction from a victim and compels them to engage.\n\nStrange alleged tribute website appears to target Tsara Brashears. The alleged SA victims name is Catherine 'Daisy' Coleman name isn't part infrastructure. Malicious", "modified": "2024-02-29T04:00:48.424000", "created": "2024-01-30T07:08:10.072000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b8a056f2c1f16d391175b0", "name": "Callback Phishing Campaign | Pegasus | Callback Phishing | https://safebae.org/", "description": "Multiple ransomware groups have adopted the BazarCall callback phishing technique a sophisticated scam; to gain initial access to victims' networks\nCallback phishing is a relying on a multi-stage process, exploiting trust to manipulate victims into divulging sensitive information or. At its core, callback phishing is a sophisticated social engineering tactic that triggers an emotional reaction from a victim and compels them to engage.\n\nStrange alleged tribute website appears to target Tsara Brashears. The alleged SA victims name is Catherine 'Daisy' Coleman name isn't part infrastructure. Malicious", "modified": "2024-02-29T04:00:48.424000", "created": "2024-01-30T07:08:06.711000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b809ec9da9326e1bdf8743", "name": "Pegasus | Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com]", "description": "", "modified": "2024-01-29T20:26:20.769000", "created": "2024-01-29T20:26:20.769000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657feca7df9ea6c21350c01a", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "811 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b809eabd76cbbfdfc07c6e", "name": "Pegasus | Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com]", "description": "", "modified": "2024-01-29T20:26:18.174000", "created": "2024-01-29T20:26:18.174000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657feca7df9ea6c21350c01a", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "811 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657f69115e6b1bdc8a7dcdbc", "name": "RallyPoint.com", "description": "MyPublicWiFi.exe\nRallyPoint.com", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-17T21:33:05.056000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6581d8d30621e6303cad9da4", "name": "RallyPoint.com", "description": "", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-19T17:54:27.416000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657f69115e6b1bdc8a7dcdbc", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657feca7df9ea6c21350c01a", "name": "Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com] ", "description": "", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-18T06:54:31.063000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657f6b136775cbf67d25ddfb", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657f6b136775cbf67d25ddfb", "name": "Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com] Alias Brian Sabey?", "description": "", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-17T21:41:39.434000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657f69115e6b1bdc8a7dcdbc", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657f6920d79aa646c2d5db49", "name": "RallyPoint.com", "description": "MyPublicWiFi.exe\nRallyPoint.com", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-17T21:33:20.787000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657f6919cafcba3ac406d5b2", "name": "RallyPoint.com", "description": "MyPublicWiFi.exe\nRallyPoint.com", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-17T21:33:13.375000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "appleid-comloginaccount.info", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "http://www.01tracks.com/happy-customers", "deadlyexploits.com | deadlysymbol.com |", "CVE-2023-4966", "init-p01st.push.apple.com", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "http://watchhers.net/index.php", "www.hallrender.com", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "Malware Host: HallRender.com", "newrelic.se", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "https://b.link/infringement", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "nr-data.net", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "9.6.zip - SQLi", "https://matrix.pornhub.dev", "dns.trackgroup.net", "safebae.org", "Poemhunter.com + rally point.com = pornhub.dev", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "scripting-sandbox-dns.bunny.net", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "boostmobile.com", "web2.westlaw.com (redirects to thbrzzrstr.me)", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "my.mintmobile.com", "user-apple.info", "https://safebae.org/", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com", "www.metrobyt-mobile.com", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "nr-data.net [Apple Private Data Collection]", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "https://apple.pantion.top/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Callback phishing", "Hacktool", "Mitre attack", "Pegasus", "Webtoolbar", "Et", "Ransomware", "Tsara brashears", "Trojanspy", "Radar ineractive", "Maltiverse", "Bazarcall", "Beach research", "Njrat" ], "industries": [], "unique_indicators": 49715 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/riverside.rocks", "whois": "http://whois.domaintools.com/riverside.rocks", "domain": "riverside.rocks", "hostname": "cdn-cloudfront.riverside.rocks" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 17, "pulses": [ { "id": "69a9e7c572b8411d126215a6", "name": "@scoreblue callback clone", "description": "", "modified": "2026-03-06T05:11:18.020000", "created": "2026-03-05T20:29:57.169000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b8a052c4160dbd76054f8a", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3267, "domain": 1459, "hostname": 1268, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9172, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916d97edb28b2616ffac3ab", "name": "njRAT| BazarLoader| Darkside 2020 .Beware \u2022 WebToolbar \u2022 Qbot", "description": "", "modified": "2025-11-14T07:41:19.912000", "created": "2025-11-14T07:25:50.524000", "tags": [ "whois record", "ssl certificate", "historical ssl", "resolutions", "referrer", "communicating", "subdomains", "domains", "problems", "urls http", "ransomware", "malware", "contacted", "dropped", "execution", "tsara brashears", "apple ios", "whois whois", "unlocker", "njrat", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "installer", "awful", "open", "banker", "keylogger", "malicious", "tofsee", "mitre attack", "et", "cisco umbrella", "internet storm", "site", "covid19", "cyber threat", "safe site", "cobalt strike", "malicious url", "alexa", "script urls", "united", "a domains", "as396982 google", "as15169 google", "search", "cname", "accept encoding", "showing", "unknown", "date", "body", "meta", "encrypt", "domain related", "as396982", "creation date", "expiration date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "passive dns", "urls", "next", "all search", "otx octoseek", "as7922 comcast", "as16276", "as54113", "aaaa", "france unknown", "as14061", "status", "as40509", "ip address", "for privacy", "as44273 host", "record value", "certificate", "gmt content", "x sucuri", "as8075", "nxdomain", "as30148 sucuri", "as20940", "as31898 oracle", "hong kong", "as139021", "msie", "chrome", "ipv4", "blacklist http", "detection list", "blacklist", "files", "location hong", "kong asn", "tags none", "indicator facts", "name verdict", "falcon sandbox", "mail spammer", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "heur", "malicious site", "alexa top", "million", "alexa proxy", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "artemis", "dropper", "mediaget", "crack", "spammer", "france mail", "summary", "url summary", "phishing", "union", "team", "bank", "unsafe", "threat report", "ip summary", "pattern match", "script", "et tor", "known tor", "relayrouter", "node traffic", "misc attack", "beginstring", "null", "error", "span", "class", "generator", "refresh", "tools", "hybrid", "general", "click", "strings", "servers", "ps ord", "name servers", "poetry", "moved", "content length", "content type", "x powered", "poems", "poem", "topic", "topics", "poem topics", "free poems", "love poems", "romantic poems", "classic poems", "friendship poems", "shone pale", "herself", "heavens", "her beam", "a fleecy", "proud evening", "star", "thou bearest", "heaven", "than", "google", "http", "leasewebuklon11", "search live", "api blog", "docs pricing", "login", "february", "gb summary", "london", "april", "screenshot", "url https", "reverse dns", "general full", "name value", "frankfurt", "main", "germany", "asn15169", "resource", "hashes", "copyright", "gmbh version", "follow", "blacklist https", "phishing site", "malware site", "riskware", "opencandy", "cleaner", "iframe", "xtrat", "agent", "softcnapp", "generic", "patcher", "driverpack", "exploit", "mimikatz", "downldr", "presenoker", "fusioncore", "wacatac", "beach research", "trojanspy", "maltiverse", "firehol", "proxy", "anonymizer", "adware", "kuaizip", "downer", "tag count", "tue apr", "sample", "samples", "fakealert", "genkryptik", "icedid", "coinminer", "nircmd", "swrort", "systweak", "behav", "tiggre", "filetour", "quasar rat", "fuery", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "a9dia", "a1ginaprincipal", "emails", "registrar", "http header", "tcp traffic", "et useragents", "unknown traffic", "antivirus", "server", "gmt united", "accept", "local", "path", "falcon", "file", "ascii text", "windows nt", "png image", "appdata", "jpeg image", "indicator", "twitter", "westlaw njrat", "zuorat", "skynet bot", "glupteba", "asn4583", "thomsonreuters", "asn209242", "june", "back", "united kingdom", "cisco", "umbrella rank", "rank", "page url", "as autonomous", "system", "yndx", "ipasns ip", "november", "de summary", "comodo rsa", "security tls", "software", "resource hash", "security", "ecdhersa", "de indicators", "de page", "url history", "javascript", "gts ca", "secure server", "markmonitor", "ip information", "detail domains", "domain tree", "links certs", "frames domain", "requested", "threat roundup", "march", "threat round", "parent parent", "roundup", "january", "threats", "qbot", "cyberwar", "skynet", "radar ineractive", "control server", "engineering", "host", "services", "pony", "nanocore rat", "meterpreter", "zeus", "zbot", "suppobox", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "laplasclipper", "asn16276", "get h2", "kb image", "august", "kali", "localappdata", "network traffic", "binary file", "svg scalable", "vector graphics", "mwin", "domain", "url http", "pulse pulses", "related nids", "files location", "customer", "address", "as29789", "hosting", "location united", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "urls date", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present mar", "pulse indicator", "protocol h2", "value", "variables", "waypoint object", "gsqueue", "isotope", "hostnames", "ice fog", "maltiverse top", "financial", "as62597 nsone", "sec ch", "domains show", "entries", "as14720 gamma", "canada unknown", "as397241", "as13335", "applicunwnt", "xrat", "maltiverse safe", "aig", "soc", "hallrender", "brian sabey", "mark brian sabey", "sabey", "mark", "sabey", "data center", "malvertizing", "malware host", "scanning host", "botnetwork", "colorado", "edsaid", "geotracking", "satellite tracking", "radar tracking", "pornhub", "child teen content illegal", "social engineering", "cyber stalking", "CVE-2023-4966", "device control", "camera usage", "hidden users", "message interception", "text archiver", "mail collection", "remote attacks", "js", "python", "inject", "sql", "extraction", "AIG Claims", "hallrender.com", "soc", "milemighmedia", "westlaw", "revengeporn", "bot", "regex", "ai", "yandex" ], "references": [ "web2.westlaw.com (redirects to thbrzzrstr.me)", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Malware Host: HallRender.com", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "safebae.org", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Poemhunter.com + rally point.com = pornhub.dev", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://matrix.pornhub.dev", "nr-data.net", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "https://apple.pantion.top/", "newrelic.se", "user-apple.info", "appleid-comloginaccount.info", "init-p01st.push.apple.com", "boostmobile.com", "www.metrobyt-mobile.com", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "https://b.link/infringement", "my.mintmobile.com", "CVE-2023-4966", "http://watchhers.net/index.php", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A" ], "public": 1, "adversary": "", "targeted_countries": [ "Spain", "Netherlands", "Canada", "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1427", "name": "Attack PC via USB Connection", "display_name": "T1427 - Attack PC via USB Connection" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1173", "name": "Dynamic Data Exchange", "display_name": "T1173 - Dynamic Data Exchange" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "green", "cloned_from": "654971c396ca4306a6534b12", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4037, "hostname": 2241, "URL": 2516, "FileHash-MD5": 1224, "FileHash-SHA1": 783, "FileHash-SHA256": 2796, "CVE": 10, "email": 25 }, "indicator_count": 13632, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d95bd10bfcc8c3dd66a44d", "name": "Qbot ", "description": "", "modified": "2024-09-05T09:51:10.113000", "created": "2024-09-05T07:20:49.138000", "tags": [ "whois record", "ssl certificate", "historical ssl", "resolutions", "referrer", "communicating", "subdomains", "domains", "problems", "urls http", "ransomware", "malware", "contacted", "dropped", "execution", "tsara brashears", "apple ios", "whois whois", "unlocker", "njrat", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "installer", "awful", "open", "banker", "keylogger", "malicious", "tofsee", "mitre attack", "et", "cisco umbrella", "internet storm", "site", "covid19", "cyber threat", "safe site", "cobalt strike", "malicious url", "alexa", "script urls", "united", "a domains", "as396982 google", "as15169 google", "search", "cname", "accept encoding", "showing", "unknown", "date", "body", "meta", "encrypt", "domain related", "as396982", "creation date", "expiration date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "passive dns", "urls", "next", "all search", "otx octoseek", "as7922 comcast", "as16276", "as54113", "aaaa", "france unknown", "as14061", "status", "as40509", "ip address", "for privacy", "as44273 host", "record value", "certificate", "gmt content", "x sucuri", "as8075", "nxdomain", "as30148 sucuri", "as20940", "as31898 oracle", "hong kong", "as139021", "msie", "chrome", "ipv4", "blacklist http", "detection list", "blacklist", "files", "location hong", "kong asn", "tags none", "indicator facts", "name verdict", "falcon sandbox", "mail spammer", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "heur", "malicious site", "alexa top", "million", "alexa proxy", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "artemis", "dropper", "mediaget", "crack", "spammer", "france mail", "summary", "url summary", "phishing", "union", "team", "bank", "unsafe", "threat report", "ip summary", "pattern match", "script", "et tor", "known tor", "relayrouter", "node traffic", "misc attack", "beginstring", "null", "error", "span", "class", "generator", "refresh", "tools", "hybrid", "general", "click", "strings", "servers", "ps ord", "name servers", "poetry", "moved", "content length", "content type", "x powered", "poems", "poem", "topic", "topics", "poem topics", "free poems", "love poems", "romantic poems", "classic poems", "friendship poems", "shone pale", "herself", "heavens", "her beam", "a fleecy", "proud evening", "star", "thou bearest", "heaven", "than", "google", "http", "leasewebuklon11", "search live", "api blog", "docs pricing", "login", "february", "gb summary", "london", "april", "screenshot", "url https", "reverse dns", "general full", "name value", "frankfurt", "main", "germany", "asn15169", "resource", "hashes", "copyright", "gmbh version", "follow", "blacklist https", "phishing site", "malware site", "riskware", "opencandy", "cleaner", "iframe", "xtrat", "agent", "softcnapp", "generic", "patcher", "driverpack", "exploit", "mimikatz", "downldr", "presenoker", "fusioncore", "wacatac", "beach research", "trojanspy", "maltiverse", "firehol", "proxy", "anonymizer", "adware", "kuaizip", "downer", "tag count", "tue apr", "sample", "samples", "fakealert", "genkryptik", "icedid", "coinminer", "nircmd", "swrort", "systweak", "behav", "tiggre", "filetour", "quasar rat", "fuery", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "a9dia", "a1ginaprincipal", "emails", "registrar", "http header", "tcp traffic", "et useragents", "unknown traffic", "antivirus", "server", "gmt united", "accept", "local", "path", "falcon", "file", "ascii text", "windows nt", "png image", "appdata", "jpeg image", "indicator", "twitter", "westlaw njrat", "zuorat", "skynet bot", "glupteba", "asn4583", "thomsonreuters", "asn209242", "june", "back", "united kingdom", "cisco", "umbrella rank", "rank", "page url", "as autonomous", "system", "yndx", "ipasns ip", "november", "de summary", "comodo rsa", "security tls", "software", "resource hash", "security", "ecdhersa", "de indicators", "de page", "url history", "javascript", "gts ca", "secure server", "markmonitor", "ip information", "detail domains", "domain tree", "links certs", "frames domain", "requested", "threat roundup", "march", "threat round", "parent parent", "roundup", "january", "threats", "qbot", "cyberwar", "skynet", "radar ineractive", "control server", "engineering", "host", "services", "pony", "nanocore rat", "meterpreter", "zeus", "zbot", "suppobox", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "laplasclipper", "asn16276", "get h2", "kb image", "august", "kali", "localappdata", "network traffic", "binary file", "svg scalable", "vector graphics", "mwin", "domain", "url http", "pulse pulses", "related nids", "files location", "customer", "address", "as29789", "hosting", "location united", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "urls date", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present mar", "pulse indicator", "protocol h2", "value", "variables", "waypoint object", "gsqueue", "isotope", "hostnames", "ice fog", "maltiverse top", "financial", "as62597 nsone", "sec ch", "domains show", "entries", "as14720 gamma", "canada unknown", "as397241", "as13335", "applicunwnt", "xrat", "maltiverse safe", "aig", "soc", "hallrender", "brian sabey", "mark brian sabey", "sabey", "mark", "sabey", "data center", "malvertizing", "malware host", "scanning host", "botnetwork", "colorado", "edsaid", "geotracking", "satellite tracking", "radar tracking", "pornhub", "child teen content illegal", "social engineering", "cyber stalking", "CVE-2023-4966", "device control", "camera usage", "hidden users", "message interception", "text archiver", "mail collection", "remote attacks", "js", "python", "inject", "sql", "extraction", "AIG Claims", "hallrender.com", "soc", "milemighmedia", "westlaw", "revengeporn", "bot", "regex", "ai", "yandex" ], "references": [ "web2.westlaw.com (redirects to thbrzzrstr.me)", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Malware Host: HallRender.com", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "safebae.org", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Poemhunter.com + rally point.com = pornhub.dev", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://matrix.pornhub.dev", "nr-data.net", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "https://apple.pantion.top/", "newrelic.se", "user-apple.info", "appleid-comloginaccount.info", "init-p01st.push.apple.com", "boostmobile.com", "www.metrobyt-mobile.com", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "https://b.link/infringement", "my.mintmobile.com", "CVE-2023-4966", "http://watchhers.net/index.php", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A" ], "public": 1, "adversary": "", "targeted_countries": [ "Spain", "Netherlands", "Canada", "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1427", "name": "Attack PC via USB Connection", "display_name": "T1427 - Attack PC via USB Connection" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1173", "name": "Dynamic Data Exchange", "display_name": "T1173 - Dynamic Data Exchange" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "green", "cloned_from": "654971c396ca4306a6534b12", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4091, "hostname": 2422, "URL": 3167, "FileHash-MD5": 1424, "FileHash-SHA1": 983, "FileHash-SHA256": 3174, "CVE": 10, "email": 25 }, "indicator_count": 15296, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b8a052c4160dbd76054f8a", "name": "Callback Phishing Campaign | Pegasus | Callback Phishing | https://safebae.org/", "description": "Multiple ransomware groups have adopted the BazarCall callback phishing technique a sophisticated scam; to gain initial access to victims' networks\nCallback phishing is a relying on a multi-stage process, exploiting trust to manipulate victims into divulging sensitive information or. At its core, callback phishing is a sophisticated social engineering tactic that triggers an emotional reaction from a victim and compels them to engage.\n\nStrange alleged tribute website appears to target Tsara Brashears. The alleged SA victims name is Catherine 'Daisy' Coleman name isn't part infrastructure. Malicious", "modified": "2024-02-29T04:00:48.424000", "created": "2024-01-30T07:08:02.918000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c970b55f5040aee8c91a55", "name": "Callback Phishing Campaign | Pegasus", "description": "", "modified": "2024-02-29T04:00:48.424000", "created": "2024-02-12T01:13:25.034000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b8a05a0b9ebf8d916f0a6d", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be8c8b8997508722c642ee", "name": "Phishing Campaign | Pegasus ", "description": "", "modified": "2024-02-29T04:00:48.424000", "created": "2024-02-03T18:57:15.475000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b8a05a0b9ebf8d916f0a6d", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b9716ef65566497546a7b1", "name": "Callback Phishing Campaign | Pegasus | https://safebae.org/", "description": "", "modified": "2024-02-29T04:00:48.424000", "created": "2024-01-30T22:00:14.725000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b8a05a0b9ebf8d916f0a6d", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b8a05a0b9ebf8d916f0a6d", "name": "Callback Phishing Campaign | Pegasus | Callback Phishing | https://safebae.org/", "description": "Multiple ransomware groups have adopted the BazarCall callback phishing technique a sophisticated scam; to gain initial access to victims' networks\nCallback phishing is a relying on a multi-stage process, exploiting trust to manipulate victims into divulging sensitive information or. At its core, callback phishing is a sophisticated social engineering tactic that triggers an emotional reaction from a victim and compels them to engage.\n\nStrange alleged tribute website appears to target Tsara Brashears. The alleged SA victims name is Catherine 'Daisy' Coleman name isn't part infrastructure. Malicious", "modified": "2024-02-29T04:00:48.424000", "created": "2024-01-30T07:08:10.072000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b8a056f2c1f16d391175b0", "name": "Callback Phishing Campaign | Pegasus | Callback Phishing | https://safebae.org/", "description": "Multiple ransomware groups have adopted the BazarCall callback phishing technique a sophisticated scam; to gain initial access to victims' networks\nCallback phishing is a relying on a multi-stage process, exploiting trust to manipulate victims into divulging sensitive information or. At its core, callback phishing is a sophisticated social engineering tactic that triggers an emotional reaction from a victim and compels them to engage.\n\nStrange alleged tribute website appears to target Tsara Brashears. The alleged SA victims name is Catherine 'Daisy' Coleman name isn't part infrastructure. Malicious", "modified": "2024-02-29T04:00:48.424000", "created": "2024-01-30T07:08:06.711000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b809ec9da9326e1bdf8743", "name": "Pegasus | Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com]", "description": "", "modified": "2024-01-29T20:26:20.769000", "created": "2024-01-29T20:26:20.769000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657feca7df9ea6c21350c01a", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "811 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cdn-cloudfront.riverside.rocks", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cdn-cloudfront.riverside.rocks", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776659470.8063881 }