{
"type": "URL",
"indicator": "https://certapple.apple-technology-services.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://certapple.apple-technology-services.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4093455184,
"indicator": "https://certapple.apple-technology-services.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 32,
"pulses": [
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "6 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64eccb5d39a90a3c391e",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:32.565000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64e1d5e06aa6207f78de",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:21.863000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b92a27c47d4e28927364",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:26.110000",
"created": "2026-03-12T13:01:30.067000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 51,
"modified_text": "38 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b9295603a6100edfa8c8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:25.387000",
"created": "2026-03-12T13:01:29.284000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "38 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b927aa7f10e82639d204",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.872000",
"created": "2026-03-12T13:01:27.872000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b927c086397130c5d114",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.275000",
"created": "2026-03-12T13:01:27.275000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b926871746ed8a1bc324",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:26.440000",
"created": "2026-03-12T13:01:26.440000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b925e85c948d4dd608cc",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:25.852000",
"created": "2026-03-12T13:01:25.852000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8e974189d2c41f07ed8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:25.910000",
"created": "2026-03-12T13:00:25.910000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8e74d2b3effd55f88c3",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:23.173000",
"created": "2026-03-12T13:00:23.173000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8dfbf8426a7a1d0146d",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:15.427000",
"created": "2026-03-12T13:00:15.427000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d7123610591625b8fb",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:07.354000",
"created": "2026-03-12T13:00:07.354000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d61e3f64a8f1f169b6",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:06.214000",
"created": "2026-03-12T13:00:06.214000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d24eeb4200bdb1d702",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:02.096000",
"created": "2026-03-12T13:00:02.096000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "695555b664c8998371393b8f",
"name": "\u200emyMetro App - App Store \u2022 Access Attack via iOS App",
"description": "Apple iOS attack. Drive by compromise. Device fully compromised. Service provider incorrect. Device user does not use MetroPCS as Cellular carrier. \n\n#cyberwarfare #pegasus #endgame #apple #earsinthecornfield #compromised_device #zombie",
"modified": "2026-01-30T16:01:37.437000",
"created": "2025-12-31T16:56:22.577000",
"tags": [
"espaol",
"metro pcs",
"metro",
"english",
"data",
"privacy",
"learn",
"requires",
"strong",
"see all",
"bernie",
"mint",
"never",
"example",
"click",
"indonesia",
"\u2019m",
"win32mydoom dec",
"united",
"trojan",
"name servers",
"servers",
"expiration date",
"backdoor",
"found",
"passive dns",
"gmt connection",
"control",
"content type",
"twitter",
"title",
"aaaa",
"ember cli",
"ember view",
"certificate",
"win32",
"invalid url",
"body html",
"head title",
"title head",
"body h1",
"reference",
"urls",
"akamai",
"unknown ns",
"domain",
"search",
"ipv4",
"files",
"reverse dns",
"location united",
"america flag",
"america asn",
"dynamicloader",
"port",
"high",
"medium",
"windows",
"displayname",
"write",
"destination",
"tofsee",
"stream",
"malware",
"hostile",
"read c",
"show",
"rgba",
"unicode",
"whitelisted",
"memcommit",
"delete",
"execution",
"dock",
"persistence",
"msie",
"chrome",
"ip address",
"otx telemetry",
"unknown soa",
"gmt content",
"for privacy",
"moved",
"record value",
"ubuntu date",
"encrypt",
"a domains",
"welcome",
"type",
"content length",
"ipv4 add",
"url analysis",
"accept",
"overview domain",
"files ip",
"address",
"location france",
"asn as16276",
"tags none",
"indicator facts",
"historical otx",
"france unknown",
"ovhcloud meta",
"domain add",
"present dec",
"status",
"service",
"win32cutwail",
"setcookie",
"gmt server",
"refloadapihash",
"virtool",
"present nov",
"present oct",
"all ipv4",
"hostname",
"present jul",
"saudi arabia",
"present mar",
"present jun",
"present feb",
"entries",
"france asn",
"asn as16509",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"ascii text",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"sha1",
"hybrid",
"local",
"path",
"strings",
"delete c",
"okrndate",
"grum",
"powershell",
"pegasus",
"unknown",
"crlf line",
"ff d5",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"f0 ff",
"ff bb",
"push",
"autorun",
"suspicious",
"pulse pulses",
"date",
"music",
"apple",
"apple id",
"show process",
"flag",
"markmonitor",
"name tactics",
"informative",
"command",
"adversaries",
"spawns",
"access att",
"t1566 phishing",
"zerobits",
"allocationtype",
"protect",
"programfiles",
"processhandle",
"commitsize",
"viewsize",
"regionsize",
"handles modules",
"files amsi",
"filehandle",
"path filehandle",
"porthandle",
"copy md5",
"copy sha1",
"copy sha256",
"href",
"null",
"refresh",
"body",
"span",
"general",
"error",
"tools",
"look",
"verify",
"restart",
"html",
"x22scriptx22",
"binary file",
"t1189",
"cyberwarfare",
"brian sabey",
"never say anything",
"christopher ahmann",
"colorado state",
"quasi",
"zombie device",
"present may",
"emails",
"exif standard",
"tiff image",
"windows nt",
"wow64",
"slcc2",
"media center",
"jpeg image",
"copy",
"next",
"pecompact",
"february",
"packer",
"delphi",
"code",
"tlsv1",
"ogoogle trust",
"xserver",
"lowfi",
"creation date",
"domain name",
"showing",
"ids detections",
"yara detections",
"worm",
"arial",
"present aug",
"meta",
"dns domain",
"site",
"free dns",
"msil",
"dnssec",
"penetration",
"injections",
"dead host"
],
"references": [
"https://apps.apple.com/app/",
"metropcs.com/account/sign-in.html",
"smtp.google.com \u2022 www.google.com/images/errors/robot.png",
"https://www.endgamesystems.com/ \u2022 https://www.endgames.com/",
"https://freedns.afraid.org/images/exclamation",
"xred.mooo.com \u2022 mooo.com \u2022 afraid.org",
"admin@bigtits.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "\u2019m",
"display_name": "\u2019m",
"target": null
},
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Worm:Win32/Mydoom",
"display_name": "Worm:Win32/Mydoom",
"target": "/malware/Worm:Win32/Mydoom"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win.Trojan.Installcore-877",
"display_name": "Win.Trojan.Installcore-877",
"target": null
},
{
"id": "Win.Downloader.Small",
"display_name": "Win.Downloader.Small",
"target": null
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
},
{
"id": "Tibs",
"display_name": "Tibs",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "ALF:JASYP:PUA:Win32/4Shared",
"display_name": "ALF:JASYP:PUA:Win32/4Shared",
"target": null
}
],
"attack_ids": [
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1418",
"name": "Application Discovery",
"display_name": "T1418 - Application Discovery"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1195.001",
"name": "Compromise Software Dependencies and Development Tools",
"display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
},
{
"id": "T1577",
"name": "Compromise Application Executable",
"display_name": "T1577 - Compromise Application Executable"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1086",
"name": "PowerShell",
"display_name": "T1086 - PowerShell"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1863,
"URL": 4952,
"FileHash-SHA256": 1990,
"FileHash-MD5": 981,
"FileHash-SHA1": 791,
"email": 26,
"domain": 1277,
"SSLCertFingerprint": 24
},
"indicator_count": 11904,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "78 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69314926519256e3ef0a9358",
"name": "BeeLineRouter.Net \u2022 Apple Access",
"description": "",
"modified": "2026-01-03T07:00:45.529000",
"created": "2025-12-04T08:41:06.657000",
"tags": [
"mitre att",
"network traffic",
"ck id",
"show technique",
"ck matrix",
"threat score",
"december",
"default browser",
"guest system",
"united",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"windir",
"openurl c",
"prefetch2",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"ascii text",
"pattern match",
"show process",
"t1071",
"general",
"local",
"path",
"click",
"beelinerouter",
"access",
"router",
"apple",
"regopenkeyexw",
"regsz",
"process32nextw",
"english",
"post http",
"search",
"observed dns",
"query",
"sinkhole cookie",
"malware",
"possible",
"win32",
"updater",
"write",
"next",
"found",
"ip address",
"domain",
"name servers",
"unknown ns",
"ip whois",
"registrar",
"cloudflare",
"title",
"passive dns",
"urls",
"files",
"location united",
"asn as14618",
"bq dec",
"virtool",
"backdoor",
"checkin",
"ipv4 add",
"trojan",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"unknown",
"show",
"internal",
"encrypt",
"veailmboprd",
"dns query",
"wow64",
"gecko http",
"entries",
"medium",
"ransom",
"khtml",
"gecko",
"delete",
"installer",
"win32cve may",
"america flag",
"overview ip",
"asn as20940",
"expiration",
"url https",
"no expiration",
"url http",
"pulse show",
"type indicator",
"role title",
"related pulses",
"record value",
"domain xn"
],
"references": [
"HTTPS://BeeLineRouter.Net",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"https://appleid.xn--appe-70a.com/",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://vgt.pl/r.n%20-",
"8-25-220-162-static.reverse.queryfoundry.net",
"queryfoundry.net",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"154-143-182-107-static.reverse.queryfoundry.net",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"167-16-68-38-static.reverse.queryfoundry.net",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"177-231-69-38-static.reverse.queryfoundry.net",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"237-189-251-104-static.reverse.queryfoundry.net",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"181-135-182-107-static.reverse.queryfoundry.net",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"67-228-69-38-static.reverse.queryfoundry.net",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"http://195-214-98-172-static.reverse.queryfoundry.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "GandCrab Ransomware",
"display_name": "GandCrab Ransomware",
"target": null
},
{
"id": "Win.Virus.Expiro",
"display_name": "Win.Virus.Expiro",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 310,
"FileHash-SHA1": 295,
"FileHash-SHA256": 3634,
"URL": 5839,
"CVE": 2,
"domain": 1048,
"email": 15,
"hostname": 1944,
"SSLCertFingerprint": 2
},
"indicator_count": 13089,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "106 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69314920e287845f6b36a265",
"name": "BeeLineRouter.Net \u2022 Apple Access",
"description": "",
"modified": "2026-01-03T07:00:45.529000",
"created": "2025-12-04T08:41:04.190000",
"tags": [
"mitre att",
"network traffic",
"ck id",
"show technique",
"ck matrix",
"threat score",
"december",
"default browser",
"guest system",
"united",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"windir",
"openurl c",
"prefetch2",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"ascii text",
"pattern match",
"show process",
"t1071",
"general",
"local",
"path",
"click",
"beelinerouter",
"access",
"router",
"apple",
"regopenkeyexw",
"regsz",
"process32nextw",
"english",
"post http",
"search",
"observed dns",
"query",
"sinkhole cookie",
"malware",
"possible",
"win32",
"updater",
"write",
"next",
"found",
"ip address",
"domain",
"name servers",
"unknown ns",
"ip whois",
"registrar",
"cloudflare",
"title",
"passive dns",
"urls",
"files",
"location united",
"asn as14618",
"bq dec",
"virtool",
"backdoor",
"checkin",
"ipv4 add",
"trojan",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"unknown",
"show",
"internal",
"encrypt",
"veailmboprd",
"dns query",
"wow64",
"gecko http",
"entries",
"medium",
"ransom",
"khtml",
"gecko",
"delete",
"installer",
"win32cve may",
"america flag",
"overview ip",
"asn as20940",
"expiration",
"url https",
"no expiration",
"url http",
"pulse show",
"type indicator",
"role title",
"related pulses",
"record value",
"domain xn"
],
"references": [
"HTTPS://BeeLineRouter.Net",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"https://appleid.xn--appe-70a.com/",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://vgt.pl/r.n%20-",
"8-25-220-162-static.reverse.queryfoundry.net",
"queryfoundry.net",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"154-143-182-107-static.reverse.queryfoundry.net",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"167-16-68-38-static.reverse.queryfoundry.net",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"177-231-69-38-static.reverse.queryfoundry.net",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"237-189-251-104-static.reverse.queryfoundry.net",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"181-135-182-107-static.reverse.queryfoundry.net",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"67-228-69-38-static.reverse.queryfoundry.net",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"http://195-214-98-172-static.reverse.queryfoundry.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "GandCrab Ransomware",
"display_name": "GandCrab Ransomware",
"target": null
},
{
"id": "Win.Virus.Expiro",
"display_name": "Win.Virus.Expiro",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 310,
"FileHash-SHA1": 295,
"FileHash-SHA256": 3634,
"URL": 5839,
"CVE": 2,
"domain": 1048,
"email": 15,
"hostname": 1944,
"SSLCertFingerprint": 2
},
"indicator_count": 13089,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "106 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "693148dc0eb85adc8edfe1a2",
"name": "BeeLineRouter.Net \u2022 Isolated / Apple Baxkdoor",
"description": "",
"modified": "2026-01-03T07:00:45.529000",
"created": "2025-12-04T08:39:56.180000",
"tags": [
"mitre att",
"network traffic",
"ck id",
"show technique",
"ck matrix",
"threat score",
"december",
"default browser",
"guest system",
"united",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"windir",
"openurl c",
"prefetch2",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"ascii text",
"pattern match",
"show process",
"t1071",
"general",
"local",
"path",
"click",
"beelinerouter",
"access",
"router",
"apple",
"regopenkeyexw",
"regsz",
"process32nextw",
"english",
"post http",
"search",
"observed dns",
"query",
"sinkhole cookie",
"malware",
"possible",
"win32",
"updater",
"write",
"next",
"found",
"ip address",
"domain",
"name servers",
"unknown ns",
"ip whois",
"registrar",
"cloudflare",
"title",
"passive dns",
"urls",
"files",
"location united",
"asn as14618",
"bq dec",
"virtool",
"backdoor",
"checkin",
"ipv4 add",
"trojan",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"unknown",
"show",
"internal",
"encrypt",
"veailmboprd",
"dns query",
"wow64",
"gecko http",
"entries",
"medium",
"ransom",
"khtml",
"gecko",
"delete",
"installer",
"win32cve may",
"america flag",
"overview ip",
"asn as20940",
"expiration",
"url https",
"no expiration",
"url http",
"pulse show",
"type indicator",
"role title",
"related pulses",
"record value",
"domain xn"
],
"references": [
"HTTPS://BeeLineRouter.Net",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"https://appleid.xn--appe-70a.com/",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://vgt.pl/r.n%20-",
"8-25-220-162-static.reverse.queryfoundry.net",
"queryfoundry.net",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"154-143-182-107-static.reverse.queryfoundry.net",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"167-16-68-38-static.reverse.queryfoundry.net",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"177-231-69-38-static.reverse.queryfoundry.net",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"237-189-251-104-static.reverse.queryfoundry.net",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"181-135-182-107-static.reverse.queryfoundry.net",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"67-228-69-38-static.reverse.queryfoundry.net",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"http://195-214-98-172-static.reverse.queryfoundry.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "GandCrab Ransomware",
"display_name": "GandCrab Ransomware",
"target": null
},
{
"id": "Win.Virus.Expiro",
"display_name": "Win.Virus.Expiro",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1049,
"URL": 5839,
"hostname": 1944,
"FileHash-SHA256": 3634,
"FileHash-MD5": 310,
"FileHash-SHA1": 295,
"CVE": 2,
"email": 15,
"SSLCertFingerprint": 2
},
"indicator_count": 13090,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "106 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692e8cd886e0bb692e8a9d08",
"name": "Blocker Ransomware affecting Apple and iCloud | Injection",
"description": "Wild! Hackers attack-ack-acking!\nThey\u2019re quite good. Persistent. Angry. \nIt\u2019s the same group of hackers.",
"modified": "2026-01-01T06:01:02.583000",
"created": "2025-12-02T06:53:12.823000",
"tags": [
"url https",
"url http",
"domain",
"fh no",
"ipv4",
"united",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"mitre att",
"ck id",
"ck matrix",
"ascii text",
"href",
"network traffic",
"general",
"local",
"click",
"strings",
"learn",
"name tactics",
"suspicious",
"informative",
"found",
"command",
"adversaries",
"spawns",
"defense evasion",
"dynamicloader",
"windows nt",
"wow64",
"khtml",
"gecko",
"write c",
"unknown",
"virtool",
"write",
"defender",
"malware",
"delete",
"alerts",
"backdoor",
"high",
"ip address",
"t1045",
"packing",
"t1055",
"injection",
"t1060",
"run keys",
"startup",
"folder",
"t1119",
"t1027",
"tools",
"families",
"mirai",
"indicator role",
"active related",
"hackers",
"ahmann",
"usual suspects"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Backdoor:Win32/Drixed",
"display_name": "Backdoor:Win32/Drixed",
"target": "/malware/Backdoor:Win32/Drixed"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
},
{
"id": "Ransom:Win32/Blocker.NN!MTB",
"display_name": "Ransom:Win32/Blocker.NN!MTB",
"target": "/malware/Ransom:Win32/Blocker.NN!MTB"
},
{
"id": "Unix.Trojan.Mirai-7135937-0",
"display_name": "Unix.Trojan.Mirai-7135937-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1066",
"name": "Indicator Removal from Tools",
"display_name": "T1066 - Indicator Removal from Tools"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1590.002",
"name": "DNS",
"display_name": "T1590.002 - DNS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 234,
"FileHash-SHA1": 219,
"FileHash-SHA256": 841,
"URL": 2606,
"domain": 298,
"hostname": 772,
"SSLCertFingerprint": 2,
"CVE": 1
},
"indicator_count": 4973,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6952fbca42c1b0da7431e6a7",
"name": "Pegasus / Pegacloud - Infiltration (10-2013 or 2014 to Current/ Ongoing) ",
"description": "",
"modified": "2025-12-29T22:08:10.280000",
"created": "2025-12-29T22:08:10.280000",
"tags": [
"backdoor",
"cyprus",
"trojan",
"mtb sep",
"passive dns",
"ddos",
"mtb oct",
"mtb aug",
"ipv4 add",
"smokeloader",
"trojandropper",
"extraction",
"se extraction",
"failed",
"data upload",
"enter s",
"enter sc",
"data u",
"extrac please",
"prop",
"extre data",
"type",
"extr data",
"include review",
"exclude",
"find s",
"typ data",
"source tir",
"extri",
"exclude sugges",
"se type",
"extra",
"include data",
"exclude review",
"show",
"showinil tvnes",
"dom dom",
"sc cat959",
"drop",
"pulse pulses",
"worm",
"files show",
"date hash",
"avast avg",
"win32",
"susp",
"cyprus showing",
"entries",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"server",
"registrar abuse",
"iana id",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"registrar",
"se cre",
"pul use",
"url list",
"status http",
"linkid182227",
"linkid151642",
"first",
"domain list",
"ii llc",
"sc data",
"ukl extract",
"hiloti style",
"msle",
"win3 data",
"onio",
"observea",
"data data",
"stop data",
"monitored target",
"tsara",
"pegasus",
"social engineering"
],
"references": [
"http://fakejuko.site40/",
"pegacloud.net",
"IDS: Hiloti Style GET to PHP with invalid terse MSIE headers",
"IDS: Win32/Ibashade CnC Beacon",
"IDS: Win32.Scar.hhrw POST",
"IDS: Trojan.Win32.Cosmu.cdqg Checkin",
"IDS: OnionDuke CnC Beacon 1",
"IDS: Observed Suspicious UA (Mozilla/5.0)",
"IDS: Data POST to an image file (jpg)",
"cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:WormX-gen [Wrm]",
"display_name": "Win32:WormX-gen [Wrm]",
"target": null
},
{
"id": "Worm:Win32:Drolnux",
"display_name": "Worm:Win32:Drolnux",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
}
],
"attack_ids": [],
"industries": [
"Technology",
"Telecommunications",
"Government"
],
"TLP": "white",
"cloned_from": "6877422df67773a07ef450c2",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1630,
"URL": 4078,
"FileHash-MD5": 245,
"FileHash-SHA1": 246,
"FileHash-SHA256": 2561,
"CVE": 2,
"domain": 1307,
"email": 1
},
"indicator_count": 10070,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "110 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687992eceac6f12e9cebd65f",
"name": "Operation Endgame | ThreatIntelligence | Pegasus | Mirai | Berbew | Emotet",
"description": "Operation Endgame - Mass spying on civilians suspected of involvement in illegal activity. This spying can last for years. Law enforcement and intelligence agencies use infrastructures from Google, Bing, Apple, Amazon, Coudflare, Microsoft, among other companies. Traffic can be masked in DNS and encrypted connections to go undetected. It is recommended to abandon closed-source services and software and opt for fully open-source software and install a powerful firewall. The use of a secure VPN is recommended. \nThere may be repeated indicators and some false positives due to the nature of the threats. We are working to eliminate duplicate entries and false positives. Check the comment box for important notifications. Follow our Telegram channel: @PrivacyNotACrime",
"modified": "2025-12-28T19:04:27.449000",
"created": "2025-07-18T00:18:50.968000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": null,
"export_count": 375,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 7,
"follower_count": 0,
"vote": 0,
"author": {
"username": "privacynotacrime",
"id": "349346",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 121,
"modified_text": "111 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69138a8144a8bf8040a92711",
"name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Counsel for egregious criminal acts \u2022 Christopher P. Ahmann attorney at Large",
"description": "",
"modified": "2025-12-09T17:03:48.645000",
"created": "2025-11-11T19:12:01.843000",
"tags": [
"url http",
"apple",
"california",
"apple public",
"server rsa",
"organization",
"stateprovince",
"ocsp",
"nids united",
"files",
"united",
"unknown ns",
"ip address",
"domain",
"urls files",
"passive dns",
"found title",
"sf hello",
"myriad set",
"pro myriad",
"set lucida",
"grande arial",
"sf mono",
"ipv4",
"location united",
"america flag",
"america asn",
"verdict",
"files ip",
"address",
"as42 woodynet",
"domain add",
"ipv4 add",
"reverse dns",
"trojan",
"name servers",
"emails",
"for privacy",
"ltd dba",
"com laude",
"servers",
"expiration date",
"urls",
"meta",
"a domains",
"country code",
"store home",
"title",
"accept",
"espaol",
"english",
"evil corp",
"see all",
"cyber hack",
"republic",
"canada",
"season",
"joe tidy",
"sarah rainsford",
"podcast",
"bank",
"ukraine",
"dead",
"indonesia",
"police",
"premium",
"napoleon",
"revolution",
"michelangelo",
"mozart",
"global",
"solid",
"lazarus",
"jabber zeus",
"harrods",
"ta markmonitor",
"markmonitor",
"search",
"present aug",
"unknown aaaa",
"unknown soa",
"win32",
"invalid url",
"trojanspy",
"mtb apr",
"backdoor",
"next associated",
"win64",
"trojandropper",
"twitter",
"virtool",
"ransom",
"worm",
"dynamicloader",
"tlsv1",
"high",
"globalc",
"medium",
"windows",
"cmd c",
"delete c",
"stream",
"write",
"next",
"process32nextw",
"http host",
"dns query",
"likely gandcrab",
"et trojan",
"windows nt",
"wow64",
"malware",
"ms windows",
"as16509",
"as54113",
"yara rule",
"pe32 executable",
"as15169",
"powershell",
"unknown",
"response ip",
"address google",
"safe browsing",
"hostname add",
"port",
"destination",
"pe32",
"intel",
"error",
"show",
"delphi",
"dcom",
"form",
"canvas",
"united kingdom",
"content type",
"security",
"moved",
"great britain",
"unknown a",
"body doctype",
"html public",
"ietfdtd html",
"showing",
"packing t1045",
"bytes",
"read",
"default",
"christoper p ahmann",
"target",
"victims",
"tsara brashears",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"present nov",
"present oct",
"date",
"tcpmemhit",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"sha256",
"sha1",
"mitre att",
"pattern match",
"show technique",
"ck matrix",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"palantir",
"foundry",
"hitmen",
"quasi",
"government contracts",
"jeffrey reimer",
"hallrender",
"workers compensation",
"record value",
"certificate"
],
"references": [
"apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
"https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"bpc-old.palantirfoundry.com",
"OTX auto populated targeted groups.",
"You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
"Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
"Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
"Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
"They blatantly steal from citizens , blame foreign entities.",
"This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents."
],
"public": 1,
"adversary": "Lazarus",
"targeted_countries": [
"Bangladesh",
"Japan",
"United States of America"
],
"malware_families": [
{
"id": "ALF:SpikeAexR.PEVPSZL",
"display_name": "ALF:SpikeAexR.PEVPSZL",
"target": null
},
{
"id": "Ransom:MSIL/GandCrab",
"display_name": "Ransom:MSIL/GandCrab",
"target": "/malware/Ransom:MSIL/GandCrab"
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Ransom:Win32/Gandcrab.H!MTB",
"display_name": "Ransom:Win32/Gandcrab.H!MTB",
"target": "/malware/Ransom:Win32/Gandcrab.H!MTB"
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [
"Banks",
"Crypto",
"Entertainment",
"Bank"
],
"TLP": "white",
"cloned_from": "6910cafb096eae0dcb39a800",
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4572,
"FileHash-MD5": 196,
"domain": 1523,
"hostname": 1393,
"FileHash-SHA256": 2400,
"FileHash-SHA1": 175,
"email": 18,
"SSLCertFingerprint": 8
},
"indicator_count": 10285,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "130 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6910cafb096eae0dcb39a800",
"name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious",
"description": "Chronicles of how quasi government , a State owned criminal defense attorney , protects sexual assaulter Jeffrey Reimer DPT. victim Palantir harassed, withheld healthcare , diagnoses, justice, monetary award for injured, stole insurance policies, hacked Denver artists, sold music her to artists whom profited, hacked Denver music studios, hired stalkers, human, controlled phone , car and everything in targets life including , doctors, attorneys, hospitals. It\u2019s always been clear to coming us that Anonymous and Lazarus are the police, judge , lawyer, ransom racist.\nThis group alone has cost the US billions! Responsible for 2014 Sony hack , FMOE.\nDirect Link. by phone , email in person contact , forced settlement hearing,. Adversarial Christopher P. Ahmann , relationship w / Lazarus group, hitmen , cyber crime and other crimes against persons.\n #rip #christopher_ahmann #palantir #lazarus #target_tsara_brashears",
"modified": "2025-12-09T17:03:48.645000",
"created": "2025-11-09T17:10:19.498000",
"tags": [
"url http",
"apple",
"california",
"apple public",
"server rsa",
"organization",
"stateprovince",
"ocsp",
"nids united",
"files",
"united",
"unknown ns",
"ip address",
"domain",
"urls files",
"passive dns",
"found title",
"sf hello",
"myriad set",
"pro myriad",
"set lucida",
"grande arial",
"sf mono",
"ipv4",
"location united",
"america flag",
"america asn",
"verdict",
"files ip",
"address",
"as42 woodynet",
"domain add",
"ipv4 add",
"reverse dns",
"trojan",
"name servers",
"emails",
"for privacy",
"ltd dba",
"com laude",
"servers",
"expiration date",
"urls",
"meta",
"a domains",
"country code",
"store home",
"title",
"accept",
"espaol",
"english",
"evil corp",
"see all",
"cyber hack",
"republic",
"canada",
"season",
"joe tidy",
"sarah rainsford",
"podcast",
"bank",
"ukraine",
"dead",
"indonesia",
"police",
"premium",
"napoleon",
"revolution",
"michelangelo",
"mozart",
"global",
"solid",
"lazarus",
"jabber zeus",
"harrods",
"ta markmonitor",
"markmonitor",
"search",
"present aug",
"unknown aaaa",
"unknown soa",
"win32",
"invalid url",
"trojanspy",
"mtb apr",
"backdoor",
"next associated",
"win64",
"trojandropper",
"twitter",
"virtool",
"ransom",
"worm",
"dynamicloader",
"tlsv1",
"high",
"globalc",
"medium",
"windows",
"cmd c",
"delete c",
"stream",
"write",
"next",
"process32nextw",
"http host",
"dns query",
"likely gandcrab",
"et trojan",
"windows nt",
"wow64",
"malware",
"ms windows",
"as16509",
"as54113",
"yara rule",
"pe32 executable",
"as15169",
"powershell",
"unknown",
"response ip",
"address google",
"safe browsing",
"hostname add",
"port",
"destination",
"pe32",
"intel",
"error",
"show",
"delphi",
"dcom",
"form",
"canvas",
"united kingdom",
"content type",
"security",
"moved",
"great britain",
"unknown a",
"body doctype",
"html public",
"ietfdtd html",
"showing",
"packing t1045",
"bytes",
"read",
"default",
"christoper p ahmann",
"target",
"victims",
"tsara brashears",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"present nov",
"present oct",
"date",
"tcpmemhit",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"sha256",
"sha1",
"mitre att",
"pattern match",
"show technique",
"ck matrix",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"palantir",
"foundry",
"hitmen",
"quasi",
"government contracts",
"jeffrey reimer",
"hallrender",
"workers compensation",
"record value",
"certificate"
],
"references": [
"apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
"https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"bpc-old.palantirfoundry.com",
"OTX auto populated targeted groups.",
"You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
"Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
"Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
"Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
"They blatantly steal from citizens , blame foreign entities.",
"This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents."
],
"public": 1,
"adversary": "Lazarus",
"targeted_countries": [
"Bangladesh",
"Japan",
"United States of America"
],
"malware_families": [
{
"id": "ALF:SpikeAexR.PEVPSZL",
"display_name": "ALF:SpikeAexR.PEVPSZL",
"target": null
},
{
"id": "Ransom:MSIL/GandCrab",
"display_name": "Ransom:MSIL/GandCrab",
"target": "/malware/Ransom:MSIL/GandCrab"
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Ransom:Win32/Gandcrab.H!MTB",
"display_name": "Ransom:Win32/Gandcrab.H!MTB",
"target": "/malware/Ransom:Win32/Gandcrab.H!MTB"
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [
"Banks",
"Crypto",
"Entertainment",
"Bank"
],
"TLP": "white",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4572,
"FileHash-MD5": 196,
"domain": 1523,
"hostname": 1393,
"FileHash-SHA256": 2400,
"FileHash-SHA1": 175,
"email": 18,
"SSLCertFingerprint": 8
},
"indicator_count": 10285,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "130 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68fd0cc422cea2fd989581fd",
"name": "LevelBlue - Open Threat Exchange (Malicious Attacks)",
"description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.",
"modified": "2025-11-24T17:02:12.441000",
"created": "2025-10-25T17:45:40.291000",
"tags": [
"ipv4",
"levelblue",
"open threat",
"date sat",
"connection",
"etag w",
"cloudfront",
"sameorigin age",
"vary",
"ip address",
"kb body",
"gtmkvjvztk",
"utc gcfezl5ynvb",
"utc na",
"utc google",
"analytics na",
"utc linkedin",
"insight tag",
"learn",
"exchange og",
"levelblue open",
"threat exchange",
"exchange",
"google tag",
"iocs",
"search otx",
"included iocs",
"review iocs",
"data upload",
"extraction",
"layer protocol",
"v full",
"reports v",
"port t1571",
"t1573",
"oc0006 http",
"c0014",
"get http",
"dns resolutions",
"user",
"data",
"datacrashpad",
"edge",
"tag manager",
"us er",
"help files",
"shell",
"html",
"cve202323397",
"iframe tags",
"community score",
"url http",
"url https",
"united",
"united kingdom",
"netherlands",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"indicator role",
"title added",
"active related",
"otc oct",
"report spam",
"week ago",
"scan",
"learn more",
"filehashmd5",
"filehashsha1",
"domain",
"australia",
"does",
"josh",
"created",
"filehashsha256",
"present jul",
"present oct",
"date",
"a domains",
"script urls",
"for privacy",
"moved",
"script domains",
"meta",
"title",
"body",
"pragma",
"encrypt",
"ck ids",
"t1060",
"run keys",
"startup",
"folder",
"t1027",
"files",
"information",
"t1055",
"injection",
"capture",
"south korea",
"malaysia",
"pulses",
"fatal error",
"hacker known",
"name",
"unknown",
"risk",
"weeks ago",
"scary",
"sova",
"colorado",
"wire",
"name unknown",
"thursday",
"denver",
"types of",
"indicators hong",
"kong",
"tsara brashears",
"african",
"ethiopia",
"b8reactjs",
"india",
"america",
"x ua",
"hostname",
"dicator role",
"pulses url",
"airplane",
"icator role",
"t1432",
"access contact",
"list",
"t1525",
"image",
"security scan",
"heuristic oct",
"discovery",
"t1069",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1114",
"t1480",
"internal image",
"brian sabey",
"month ago",
"modified",
"days ago",
"green well",
"sabey stash",
"service",
"t1040",
"sniffing",
"t1045",
"packing",
"t1053",
"taskjob"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Sova",
"display_name": "Sova",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1022",
"name": "Data Encrypted",
"display_name": "T1022 - Data Encrypted"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1525",
"name": "Implant Internal Image",
"display_name": "T1525 - Implant Internal Image"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 956,
"FileHash-SHA1": 906,
"FileHash-SHA256": 2651,
"URL": 4450,
"domain": 708,
"hostname": 2403,
"CVE": 1,
"email": 5
},
"indicator_count": 12080,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "145 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68ee5e9f8cfc5fbc73142660",
"name": "Gaming Studios - YouTube - MyDoom",
"description": "",
"modified": "2025-11-13T12:05:32.283000",
"created": "2025-10-14T14:30:55.471000",
"tags": [
"no expiration",
"url https",
"url http",
"iocs",
"ipv4",
"enter source",
"indicator role",
"title added",
"active related",
"united",
"present jul",
"unknown ns",
"search",
"for privacy",
"moved",
"ip address",
"encrypt",
"a domains",
"script urls",
"meta",
"pragma",
"general full",
"reverse dns",
"software",
"resource",
"security tls",
"piscataway",
"asn20473",
"asn15169",
"google",
"asvultr",
"portfolio",
"josh theriault",
"upei",
"university",
"island",
"roblox",
"jmt studios",
"moon engine",
"android",
"icpc",
"north america",
"qualifier",
"hello",
"apache",
"runner",
"eric everest",
"games",
"cloudflar",
"amazon02",
"as autonomous",
"system",
"canada",
"value",
"domainpath name",
"cgjerrieegaggq",
"name value",
"form",
"game development",
"blog",
"jmt99",
"developer",
"event",
"bullseye",
"trick or treat",
"unofficial trick or treat 2014",
"unofficial trick or treat 2015",
"egg hunt",
"gift hunt",
"hallows quest",
"studio",
"experience",
"fall",
"january",
"july",
"founder",
"studio head",
"passive dns",
"urls",
"registrar",
"title",
"roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"",
"press copyright",
"contact",
"privacy policy",
"safety how",
"youtube",
"test",
"nfl sunday",
"ticket",
"google llc",
"data upload",
"extraction",
"failed",
"files",
"twitter",
"variables",
"cgjjtbieggagla",
"nid value",
"expiration date",
"files ip",
"dynamicloader",
"write c",
"delete c",
"intel",
"ms windows",
"medium",
"default",
"write",
"guard",
"mozilla",
"malware",
"defender",
"unknown",
"domains",
"hashes",
"url analysis",
"unknown aaaa",
"script domains",
"certificate",
"game",
"servers",
"unofficial",
"settings",
"public",
"endpoints",
"currently",
"game servers",
"current",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"role title",
"related pulses",
"domain v",
"url indicator",
"nameilname",
"ascii text",
"mitre att",
"ck id",
"ck matrix",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"pe file",
"high",
"yara detections",
"dynamic",
"v hostname",
"se fos",
"include v",
"domain url",
"data",
"alltypes",
"win32mydoom oct",
"trojan",
"url add",
"http",
"related nids",
"files location",
"canada flag",
"canada hostname",
"canada unknown",
"canada",
"present aug",
"name servers",
"present sep",
"aaaa",
"present oct",
"crlf line",
"unicode text",
"music",
"suspicious",
"bricked.wtf",
"flag united",
"google safe",
"domain",
"address domain",
"united states",
"filehashsha256",
"hostname xn",
"finland unknown",
"filehashmd5",
"indicators hong",
"kong",
"south korea",
"present jun",
"present mar",
"present may",
"olet",
"cnr12",
"tlsv1",
"get updates",
"upatre",
"added active",
"apple",
"everest",
"josh paul",
"upadter",
"convagent",
"info stealing",
"delete service",
"phishing",
"fraud",
"social engineering",
"gamer",
"hacker",
"adversaries",
"icloud",
"found",
"gmt content",
"error",
"redacted for",
"meta http",
"content",
"gmt server",
"france unknown",
"poland unknown",
"content type",
"xml title",
"hostname add",
"address",
"location united",
"life",
"century link llc",
"xfinity",
"livesex",
"domain add",
"users",
"show",
"delete",
"blocked by quad9",
"showing",
"record value",
"location canada",
"canada asn",
"accept",
"cookie",
"macbook",
"ipv4 add",
"america flag",
"america asn",
"asn as714",
"less",
"woodynet",
"next associated",
"status",
"exclude sugges",
"ip related",
"t1027.013"
],
"references": [
"https://www.jmtstudios.org/farewell/",
"https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw",
"graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system",
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html",
"ConventionEngine_Term_Dropbox \u2022 Dropbox",
"http://api.jmtstudios.org/",
"bricked.wtf",
"ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com",
"http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com",
"careersandenterprise.appleid.com \u2022 http://apple.appleid.com/",
"https://forwardemail.net/es/blog/open-source/apple-email-clients",
"accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud",
"http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link",
"http://www.visitbooker.com/Dropbox-07/index.htm",
"dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/",
"Appears to be closely associated with close relative and initial victim of attack.",
"Potentially disturbing , personal , invasive, aggressive, intimate behavior of party."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Hong Kong",
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Convagent-9981433-0",
"display_name": "Win.Malware.Convagent-9981433-0",
"target": null
},
{
"id": "Upadter",
"display_name": "Upadter",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 23,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6996,
"FileHash-MD5": 281,
"FileHash-SHA1": 220,
"FileHash-SHA256": 2673,
"domain": 1747,
"email": 24,
"hostname": 2803,
"SSLCertFingerprint": 3
},
"indicator_count": 14747,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "157 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68ee5ea4d51d4a1cabdb4ee9",
"name": "Gaming Studios - YouTube - MyDoom",
"description": "",
"modified": "2025-11-13T12:05:32.283000",
"created": "2025-10-14T14:31:00.172000",
"tags": [
"no expiration",
"url https",
"url http",
"iocs",
"ipv4",
"enter source",
"indicator role",
"title added",
"active related",
"united",
"present jul",
"unknown ns",
"search",
"for privacy",
"moved",
"ip address",
"encrypt",
"a domains",
"script urls",
"meta",
"pragma",
"general full",
"reverse dns",
"software",
"resource",
"security tls",
"piscataway",
"asn20473",
"asn15169",
"google",
"asvultr",
"portfolio",
"josh theriault",
"upei",
"university",
"island",
"roblox",
"jmt studios",
"moon engine",
"android",
"icpc",
"north america",
"qualifier",
"hello",
"apache",
"runner",
"eric everest",
"games",
"cloudflar",
"amazon02",
"as autonomous",
"system",
"canada",
"value",
"domainpath name",
"cgjerrieegaggq",
"name value",
"form",
"game development",
"blog",
"jmt99",
"developer",
"event",
"bullseye",
"trick or treat",
"unofficial trick or treat 2014",
"unofficial trick or treat 2015",
"egg hunt",
"gift hunt",
"hallows quest",
"studio",
"experience",
"fall",
"january",
"july",
"founder",
"studio head",
"passive dns",
"urls",
"registrar",
"title",
"roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"",
"press copyright",
"contact",
"privacy policy",
"safety how",
"youtube",
"test",
"nfl sunday",
"ticket",
"google llc",
"data upload",
"extraction",
"failed",
"files",
"twitter",
"variables",
"cgjjtbieggagla",
"nid value",
"expiration date",
"files ip",
"dynamicloader",
"write c",
"delete c",
"intel",
"ms windows",
"medium",
"default",
"write",
"guard",
"mozilla",
"malware",
"defender",
"unknown",
"domains",
"hashes",
"url analysis",
"unknown aaaa",
"script domains",
"certificate",
"game",
"servers",
"unofficial",
"settings",
"public",
"endpoints",
"currently",
"game servers",
"current",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"role title",
"related pulses",
"domain v",
"url indicator",
"nameilname",
"ascii text",
"mitre att",
"ck id",
"ck matrix",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"pe file",
"high",
"yara detections",
"dynamic",
"v hostname",
"se fos",
"include v",
"domain url",
"data",
"alltypes",
"win32mydoom oct",
"trojan",
"url add",
"http",
"related nids",
"files location",
"canada flag",
"canada hostname",
"canada unknown",
"canada",
"present aug",
"name servers",
"present sep",
"aaaa",
"present oct",
"crlf line",
"unicode text",
"music",
"suspicious",
"bricked.wtf",
"flag united",
"google safe",
"domain",
"address domain",
"united states",
"filehashsha256",
"hostname xn",
"finland unknown",
"filehashmd5",
"indicators hong",
"kong",
"south korea",
"present jun",
"present mar",
"present may",
"olet",
"cnr12",
"tlsv1",
"get updates",
"upatre",
"added active",
"apple",
"everest",
"josh paul",
"upadter",
"convagent",
"info stealing",
"delete service",
"phishing",
"fraud",
"social engineering",
"gamer",
"hacker",
"adversaries",
"icloud",
"found",
"gmt content",
"error",
"redacted for",
"meta http",
"content",
"gmt server",
"france unknown",
"poland unknown",
"content type",
"xml title",
"hostname add",
"address",
"location united",
"life",
"century link llc",
"xfinity",
"livesex",
"domain add",
"users",
"show",
"delete",
"blocked by quad9",
"showing",
"record value",
"location canada",
"canada asn",
"accept",
"cookie",
"macbook",
"ipv4 add",
"america flag",
"america asn",
"asn as714",
"less",
"woodynet",
"next associated",
"status",
"exclude sugges",
"ip related",
"t1027.013"
],
"references": [
"https://www.jmtstudios.org/farewell/",
"https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw",
"graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system",
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html",
"ConventionEngine_Term_Dropbox \u2022 Dropbox",
"http://api.jmtstudios.org/",
"bricked.wtf",
"ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com",
"http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com",
"careersandenterprise.appleid.com \u2022 http://apple.appleid.com/",
"https://forwardemail.net/es/blog/open-source/apple-email-clients",
"accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud",
"http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link",
"http://www.visitbooker.com/Dropbox-07/index.htm",
"dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/",
"Appears to be closely associated with close relative and initial victim of attack.",
"Potentially disturbing , personal , invasive, aggressive, intimate behavior of party."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Hong Kong",
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Convagent-9981433-0",
"display_name": "Win.Malware.Convagent-9981433-0",
"target": null
},
{
"id": "Upadter",
"display_name": "Upadter",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6996,
"FileHash-MD5": 281,
"FileHash-SHA1": 220,
"FileHash-SHA256": 2673,
"domain": 1747,
"email": 24,
"hostname": 2803,
"SSLCertFingerprint": 3
},
"indicator_count": 14747,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "157 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68edc1c2be848e73a32ab9ba",
"name": "Fatal Error - Hacker Known \u2022 Name Unknown | Lives @ risk",
"description": "I am connected to targeteds phone. My location is autonomous _ will show up in Colorado most likely. \n\nScary, this weekend a woman dressed like a peasant somehow managed to give me a letter past Thursday with information about a death in the 11th floor of an Apartment in Denver. The Sova. Alleged drug overdose may have actually been a homicide, I sound & feel crazy, there were names inside , emails , plans for Airplane attacks affecting civilians this month. I couldn\u2019t, wouldn\u2019t create this. Apparently UK born citizens sponsored by a Google hierarchy were able to weave their way into the lives a family member & Tsara Brashears . These are white males, anlso involved are citizens from African, Ethiopia, India and America deeply involved. They used fake names and I have said too much. If there is an helpful person on here please help!!! There\nis worse and it might be legal hits to insight money for war!\n#nso_related",
"modified": "2025-11-13T02:02:12.454000",
"created": "2025-10-14T03:21:38.305000",
"tags": [
"pulses ipv4",
"ipv4",
"div div",
"united",
"script script",
"a li",
"present jul",
"param",
"entries",
"present aug",
"certificate",
"global domains",
"date",
"title",
"class",
"meta",
"agent",
"stack",
"life",
"a domains",
"passive dns",
"urls",
"ok server",
"gmt content",
"type",
"hostname add",
"pulse pulses",
"files",
"win32mydoom oct",
"trojan",
"next associated",
"pulse",
"reverse dns",
"twitter",
"body",
"dynamicloader",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"unknown",
"copy",
"write",
"malware",
"push",
"next",
"autorun",
"suspicious",
"ip address",
"unknown ns",
"unknown aaaa",
"ipv4 add",
"location united",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"pattern match",
"ck id",
"show technique",
"mitre att",
"path",
"error",
"fatalerror",
"general",
"hybrid",
"local",
"click",
"strings",
"filehashsha256",
"filehashmd5",
"filehashsha1",
"iist",
"malware family",
"mydoom att",
"ck ids",
"t1060",
"run keys",
"indicator role",
"title added",
"active related",
"showing",
"url https",
"url http",
"startup",
"folder",
"web protocols",
"t1105",
"tool transfer",
"indicators hong",
"kong",
"china",
"germany",
"australia",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"wire",
"t1071"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1022",
"name": "Data Encrypted",
"display_name": "T1022 - Data Encrypted"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1525",
"name": "Implant Internal Image",
"display_name": "T1525 - Implant Internal Image"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2724,
"hostname": 1212,
"domain": 410,
"FileHash-MD5": 408,
"email": 9,
"FileHash-SHA256": 604,
"FileHash-SHA1": 307
},
"indicator_count": 5674,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "157 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6894fd48178a2cc0c287af71",
"name": "Polymorphic | Worm & Trojan:Win32/Mydoom. IoC\u2019s + | Device local *Remowted.com",
"description": "",
"modified": "2025-09-06T19:01:20.165000",
"created": "2025-08-07T19:23:52.346000",
"tags": [
"filehashmd5",
"indicator role",
"title added",
"active related",
"filehashsha256",
"t1105",
"tool transfer",
"t1480",
"guardrails",
"t1566",
"t1568",
"t1012",
"t1023",
"t1031",
"service",
"filehashsha1",
"iocs",
"learn more",
"hostname",
"types of",
"netherlands",
"united",
"denmark",
"belgium",
"dynamicloader",
"yara rule",
"vmdetect",
"write c",
"search",
"medium",
"show",
"entries",
"high",
"worm",
"copy",
"write",
"unknown",
"markus",
"malware",
"suspicious",
"crlf line",
"unicode text",
"utf8",
"ascii text",
"trojan",
"music",
"next",
"autorun"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 221,
"FileHash-SHA1": 129,
"FileHash-SHA256": 713,
"URL": 2616,
"domain": 338,
"hostname": 598,
"email": 7
},
"indicator_count": 4622,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "224 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6877422df67773a07ef450c2",
"name": "Pegasus / Pegacloud - Infiltration",
"description": "Pegasus IoC\u2019s found in the periphery of research. Appears target contacted a \u2018fake host\u2019 after finding name in multiple highly malicious domains. May have appeared between 12/2013 - 11-2014. Target was contacted by telephone and asked \u2018 have you checked Googled yourself\u2019, to which target answered \u2018Not really\u2019. Target was told \u2018you really should Google yourself\u2019. Target, upset about content clicked and began a takedown effort with host.\n\nThis seems to be at the start of many malicious campaigns. Requires further investigation.",
"modified": "2025-08-15T05:01:22.570000",
"created": "2025-07-16T06:09:49.704000",
"tags": [
"backdoor",
"cyprus",
"trojan",
"mtb sep",
"passive dns",
"ddos",
"mtb oct",
"mtb aug",
"ipv4 add",
"smokeloader",
"trojandropper",
"extraction",
"se extraction",
"failed",
"data upload",
"enter s",
"enter sc",
"data u",
"extrac please",
"prop",
"extre data",
"type",
"extr data",
"include review",
"exclude",
"find s",
"typ data",
"source tir",
"extri",
"exclude sugges",
"se type",
"extra",
"include data",
"exclude review",
"show",
"showinil tvnes",
"dom dom",
"sc cat959",
"drop",
"pulse pulses",
"worm",
"files show",
"date hash",
"avast avg",
"win32",
"susp",
"cyprus showing",
"entries",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"server",
"registrar abuse",
"iana id",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"registrar",
"se cre",
"pul use",
"url list",
"status http",
"linkid182227",
"linkid151642",
"first",
"domain list",
"ii llc",
"sc data",
"ukl extract",
"hiloti style",
"msle",
"win3 data",
"onio",
"observea",
"data data",
"stop data",
"monitored target",
"tsara",
"pegasus",
"social engineering"
],
"references": [
"http://fakejuko.site40/",
"pegacloud.net",
"IDS: Hiloti Style GET to PHP with invalid terse MSIE headers",
"IDS: Win32/Ibashade CnC Beacon",
"IDS: Win32.Scar.hhrw POST",
"IDS: Trojan.Win32.Cosmu.cdqg Checkin",
"IDS: OnionDuke CnC Beacon 1",
"IDS: Observed Suspicious UA (Mozilla/5.0)",
"IDS: Data POST to an image file (jpg)",
"cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:WormX-gen [Wrm]",
"display_name": "Win32:WormX-gen [Wrm]",
"target": null
},
{
"id": "Worm:Win32:Drolnux",
"display_name": "Worm:Win32:Drolnux",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
}
],
"attack_ids": [],
"industries": [
"Technology",
"Telecommunications",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1630,
"URL": 4078,
"FileHash-MD5": 245,
"FileHash-SHA1": 246,
"FileHash-SHA256": 2561,
"CVE": 2,
"domain": 1307,
"email": 1
},
"indicator_count": 10070,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "247 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"",
"http://audaxgroup.appleid.com/",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"bricked.wtf",
"IDS: Observed Suspicious UA (Mozilla/5.0)",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"I apologize for the lack of reference.",
"https://aspmx.l.google.com/",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"0-209-98-172-static.reverse.queryfoundry.net",
"queryfoundry.net",
"Verification failure observed in automated verification handlers during sandbox replay.",
"It appears there are 5-7 known affected that I was able to find",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
"Appears to be closely associated with close relative and initial victim of attack.",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"smtp.google.com \u2022 www.google.com/images/errors/robot.png",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents.",
"bpc-old.palantirfoundry.com",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"https://icloud.ch/",
"monitoring.eurovision.net",
"181-135-182-107-static.reverse.queryfoundry.net",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"metropcs.com/account/sign-in.html",
"accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Same legal , and quasi governmental pattern identified",
"pegacloud.net",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"167-16-68-38-static.reverse.queryfoundry.net",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"237-189-251-104-static.reverse.queryfoundry.net",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"OTX auto populated targeted groups.",
"https://forwardemail.net/es/blog/open-source/apple-email-clients",
"Requires further research.",
"iphonegermany.com",
"https://apps.apple.com/app/",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"admin@bigtits.com",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"careersandenterprise.appleid.com \u2022 http://apple.appleid.com/",
"https://freedns.afraid.org/images/exclamation",
"dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"smtp2.icl-privaterelay.appleid.com",
"Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
"https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
"http://195-214-98-172-static.reverse.queryfoundry.net/",
"http://api.jmtstudios.org/",
"oas-japac-domains-applecomputer.cn",
"apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
"They blatantly steal from citizens , blame foreign entities.",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"IDS: Win32/Ibashade CnC Beacon",
"IDS: Data POST to an image file (jpg)",
"http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link",
"8-25-220-162-static.reverse.queryfoundry.net",
"IDS: Hiloti Style GET to PHP with invalid terse MSIE headers",
"ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system",
"ConventionEngine_Term_Dropbox \u2022 Dropbox",
"http://apple.support.com/ht***** redirect",
"Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
"IDS: Win32.Scar.hhrw POST",
"https://www.jmtstudios.org/farewell/",
"177-231-69-38-static.reverse.queryfoundry.net",
"You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
"http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com",
"apple.com(-inc.cc)",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"xred.mooo.com \u2022 mooo.com \u2022 afraid.org",
"cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214",
"div>
",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"https://appleid.xn--appe-70a.com/",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"IDS: Trojan.Win32.Cosmu.cdqg Checkin",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.endgamesystems.com/ \u2022 https://www.endgames.com/",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://www.visitbooker.com/Dropbox-07/index.htm",
"robert-aebi.appleid.com",
"154-143-182-107-static.reverse.queryfoundry.net",
"http://www.icloud-sms-alert.com/",
"Redirect: schemas.microsoft.com",
"https://l.us-1.a.mimecastprotect.com/l",
"mac.store",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"http://vgt.pl/r.n%20-",
"67-228-69-38-static.reverse.queryfoundry.net",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"Potentially disturbing , personal , invasive, aggressive, intimate behavior of party.",
"http://fakejuko.site40/",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"IDS: OnionDuke CnC Beacon 1",
"monitor.kyos.ninja",
"https://icloud.ch/cn/ipod-touch/",
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"HTTPS://BeeLineRouter.Net"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"Lazarus",
"NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others"
],
"malware_families": [
"#lowfi:lua:dllsuspiciousexport.a",
"\u2019m",
"Win.malware.jaik-9968280-0",
"Pegasus for mac",
"Mirai",
"Win32:wormx-gen [wrm]",
"#lowfi:hstr:win32/mediadownloader",
"Worm:win32/bloored",
"Virtool:win32/injector",
"Other malware",
"#hstr:hacktool:win32/remoteshell",
"#lowfi:exploit:java/cve-2012-0507",
"Alf:backdoor:java/webshell",
"Icedid",
"Zeus",
"Backdoor:linux/mirai",
"Ransom:msil/gandcrab",
"Trojan:win32/icedid.di!mtb",
"Win.trojan.barys-10005825-0",
"Tibs",
"Graphite (pegasus variant)",
"Starfighter (javascript)",
"Paragon (pegasus variant)",
"Gandcrab ransomware",
"Alf:spikeaexr.pevpszl",
"Trojan:win32/smkldr.h!mtb",
"Ransom:win32/gandcrab.h!mtb",
"Unix.trojan.mirai-7135937-0",
"Trojan:js/berbew",
"Ransom:win32/blocker.nn!mtb",
"Worm:win32/mydoom",
"Tofsee",
"Backdoor:win32/drixed",
"Mydoom",
"Upadter",
"Pegasus for android - mob-s0032",
"Pegasus rdp module for windows",
"Alf:jasyp:pua:win32/4shared",
"Win.malware.elenooka-6996044-0",
"Zeroaccess - s0027",
"Pegasus - mob-s0005",
"Trojandownloader:linux/mirai",
"#lowfitrojan:html/iframe",
"Win.downloader.small",
"#lowfi:siga:trojandownloader:msil/genmaldow",
"Alf:html/phishing",
"Win.trojan.installcore-877",
"Trojandownloader:win32/cutwail",
"Simda",
"Emotet",
"Win.virus.expiro",
"Skynet",
"Sova",
"Careto",
"Win.malware.convagent-9981433-0",
"Xloader for ios - s0490",
"Mirai (windows)",
"Pegasus for ios - s0289",
"#virtool:win32/obfuscator.adb",
"Worm:win32:drolnux",
"Alf:backdoor:powershell/reverseshell",
"Worm:win32/autorun",
"Html smuggling"
],
"industries": [
"Government",
"Entertainment",
"Banks",
"Bank",
"Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in",
"Telecom",
"People",
"Civil",
"Civilians",
"Legal",
"Technology",
"Telecommunications",
"Crypto"
],
"unique_indicators": 494033
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/apple-technology-services.com",
"whois": "http://whois.domaintools.com/apple-technology-services.com",
"domain": "apple-technology-services.com",
"hostname": "certapple.apple-technology-services.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 32,
"pulses": [
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "6 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64eccb5d39a90a3c391e",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:32.565000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64e1d5e06aa6207f78de",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:21.863000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b92a27c47d4e28927364",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:26.110000",
"created": "2026-03-12T13:01:30.067000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 51,
"modified_text": "38 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b9295603a6100edfa8c8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:25.387000",
"created": "2026-03-12T13:01:29.284000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "38 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b927aa7f10e82639d204",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.872000",
"created": "2026-03-12T13:01:27.872000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b927c086397130c5d114",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.275000",
"created": "2026-03-12T13:01:27.275000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b926871746ed8a1bc324",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:26.440000",
"created": "2026-03-12T13:01:26.440000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://certapple.apple-technology-services.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://certapple.apple-technology-services.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776611347.9204023
}