{ "type": "URL", "indicator": "https://challenges.cloudflare.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://challenges.cloudflare.com", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #465", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #268", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain cloudflare.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain cloudflare.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4171977513, "indicator": "https://challenges.cloudflare.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6a191c2f71c868406024097f", "name": "\u0432\u0437\u043b\u043e\u043c\u0430\u043d\u043d\u044b\u0439", "description": "\u041a \u0447\u0451\u0440\u0442\u0443 \u044d\u0442\u0443 \u043f\u0440\u043e\u0432\u0438\u043d\u0446\u0438\u044e. \u0417\u0430\u0445\u043e\u0434\u0438\u0442\u0435 \u0432\u0441\u0435, \u0432\u043e\u0434\u0430 \u043e\u0442\u043b\u0438\u0447\u043d\u0430\u044f.", "modified": "2026-05-29T04:55:11.325000", "created": "2026-05-29T04:55:11.325000", "tags": [ "tuca", "sct1", "seg0", "gaz1", "p1780029305477", "sid1780029305", "euaaaaagac", "nsi1", "p1780029178835", "ccc https", "locale" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "Poland" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 543, "FileHash-MD5": 3, "FileHash-SHA256": 3, "IPv4": 119, "domain": 44, "hostname": 86 }, "indicator_count": 798, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f8063076830566d0d1d5c6", "name": "Analysis 16e21d8e11a8b078f6be0fa21cc710d9b8ab4be34ce3ee687c38f9231b13b7c4.file (MD5: FB4D263B724C53BA045523F5CCDEFA87) Malicious activity - Interactive analysis ANY.RUN", "description": "", "modified": "2026-05-05T04:47:38.924000", "created": "2026-05-04T02:36:32.055000", "tags": [ "online malware", "urlfix1" ], "references": [ "https://app.any.run/tasks/61da8b58-7716-4943-894b-5b7192f30449", "https://app.any.run/browses/e0f66b30-2069-48f4-ac4a-5c9e97101af0", "https://app.any.run/tasks/95817d27-6b8f-4bf6-a56e-cd0be0572405" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 62, "FileHash-MD5": 115, "FileHash-SHA256": 308, "hostname": 268, "URL": 318, "FileHash-SHA1": 73, "IPv6": 35, "IPv4": 473, "email": 3 }, "indicator_count": 1655, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ca4a306066375786947f52", "name": "Who is safe?", "description": "<.>\nhttps://www.virustotal.com/gui/file/c656b145ce73a997b6d95ec21dcfbee1ded90d7fff2ca0bc48765c4bb671d58c/behavior", "modified": "2026-04-30T15:30:17.242000", "created": "2026-03-30T10:02:24.092000", "tags": [ "pulse analysis", "pulses otx", "pulses", "related tags", "email domain", "withheld", "privacy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 170, "domain": 88, "email": 5, "FileHash-SHA1": 170, "FileHash-SHA256": 1028, "URL": 288, "hostname": 76 }, "indicator_count": 1825, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695555b664c8998371393b8f", "name": "\u200emyMetro App - App Store \u2022 Access Attack via iOS App", "description": "Apple iOS attack. Drive by compromise. Device fully compromised. Service provider incorrect. Device user does not use MetroPCS as Cellular carrier. \n\n#cyberwarfare #pegasus #endgame #apple #earsinthecornfield #compromised_device #zombie", "modified": "2026-01-30T16:01:37.437000", "created": "2025-12-31T16:56:22.577000", "tags": [ "espaol", "metro pcs", "metro", "english", "data", "privacy", "learn", "requires", "strong", "see all", "bernie", "mint", "never", "example", "click", "indonesia", "\u2019m", "win32mydoom dec", "united", "trojan", "name servers", "servers", "expiration date", "backdoor", "found", "passive dns", "gmt connection", "control", "content type", "twitter", "title", "aaaa", "ember cli", "ember view", "certificate", "win32", "invalid url", "body html", "head title", "title head", "body h1", "reference", "urls", "akamai", "unknown ns", "domain", "search", "ipv4", "files", "reverse dns", "location united", "america flag", "america asn", "dynamicloader", "port", "high", "medium", "windows", "displayname", "write", "destination", "tofsee", "stream", "malware", "hostile", "read c", "show", "rgba", "unicode", "whitelisted", "memcommit", "delete", "execution", "dock", "persistence", "msie", "chrome", "ip address", "otx telemetry", "unknown soa", "gmt content", "for privacy", "moved", "record value", "ubuntu date", "encrypt", "a domains", "welcome", "type", "content length", "ipv4 add", "url analysis", "accept", "overview domain", "files ip", "address", "location france", "asn as16276", "tags none", "indicator facts", "historical otx", "france unknown", "ovhcloud meta", "domain add", "present dec", "status", "service", "win32cutwail", "setcookie", "gmt server", "refloadapihash", "virtool", "present nov", "present oct", "all ipv4", "hostname", "present jul", "saudi arabia", "present mar", "present jun", "present feb", "entries", "france asn", "asn as16509", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "ascii text", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "hybrid", "local", "path", "strings", "delete c", "okrndate", "grum", "powershell", "pegasus", "unknown", "crlf line", "ff d5", "unicode text", "utf8", "ee fc", "yara rule", "f0 ff", "ff bb", "push", "autorun", "suspicious", "pulse pulses", "date", "music", "apple", "apple id", "show process", "flag", "markmonitor", "name tactics", "informative", "command", "adversaries", "spawns", "access att", "t1566 phishing", "zerobits", "allocationtype", "protect", "programfiles", "processhandle", "commitsize", "viewsize", "regionsize", "handles modules", "files amsi", "filehandle", "path filehandle", "porthandle", "copy md5", "copy sha1", "copy sha256", "href", "null", "refresh", "body", "span", "general", "error", "tools", "look", "verify", "restart", "html", "x22scriptx22", "binary file", "t1189", "cyberwarfare", "brian sabey", "never say anything", "christopher ahmann", "colorado state", "quasi", "zombie device", "present may", "emails", "exif standard", "tiff image", "windows nt", "wow64", "slcc2", "media center", "jpeg image", "copy", "next", "pecompact", "february", "packer", "delphi", "code", "tlsv1", "ogoogle trust", "xserver", "lowfi", "creation date", "domain name", "showing", "ids detections", "yara detections", "worm", "arial", "present aug", "meta", "dns domain", "site", "free dns", "msil", "dnssec", "penetration", "injections", "dead host" ], "references": [ "https://apps.apple.com/app/", "metropcs.com/account/sign-in.html", "smtp.google.com \u2022 www.google.com/images/errors/robot.png", "https://www.endgamesystems.com/ \u2022 https://www.endgames.com/", "https://freedns.afraid.org/images/exclamation", "xred.mooo.com \u2022 mooo.com \u2022 afraid.org", "admin@bigtits.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Trojan.Installcore-877", "display_name": "Win.Trojan.Installcore-877", "target": null }, { "id": "Win.Downloader.Small", "display_name": "Win.Downloader.Small", "target": null }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Tibs", "display_name": "Tibs", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ALF:JASYP:PUA:Win32/4Shared", "display_name": "ALF:JASYP:PUA:Win32/4Shared", "target": null } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1577", "name": "Compromise Application Executable", "display_name": "T1577 - Compromise Application Executable" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1086", "name": "PowerShell", "display_name": "T1086 - PowerShell" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1863, "URL": 4952, "FileHash-SHA256": 1990, "FileHash-MD5": 981, "FileHash-SHA1": 791, "email": 26, "domain": 1277, "SSLCertFingerprint": 24 }, "indicator_count": 11904, "is_author": false, "is_subscribing": null, "subscriber_count": 147, "modified_text": "121 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "xred.mooo.com \u2022 mooo.com \u2022 afraid.org", "metropcs.com/account/sign-in.html", "https://app.any.run/browses/e0f66b30-2069-48f4-ac4a-5c9e97101af0", "smtp.google.com \u2022 www.google.com/images/errors/robot.png", "https://www.endgamesystems.com/ \u2022 https://www.endgames.com/", "https://apps.apple.com/app/", "https://app.any.run/tasks/95817d27-6b8f-4bf6-a56e-cd0be0572405", "admin@bigtits.com", "https://freedns.afraid.org/images/exclamation", "https://app.any.run/tasks/61da8b58-7716-4943-894b-5b7192f30449" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.trojan.barys-10005825-0", "Trojandownloader:win32/cutwail", "Worm:win32/mydoom", "Win.trojan.installcore-877", "Tofsee", "\u2019m", "Alf:jasyp:pua:win32/4shared", "Win.malware.jaik-9968280-0", "Emotet", "Worm:win32/autorun", "Tibs", "Win.downloader.small" ], "industries": [ "Government", "Education" ], "unique_indicators": 14832 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cloudflare.com", "whois": "http://whois.domaintools.com/cloudflare.com", "domain": "cloudflare.com", "hostname": "challenges.cloudflare.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6a191c2f71c868406024097f", "name": "\u0432\u0437\u043b\u043e\u043c\u0430\u043d\u043d\u044b\u0439", "description": "\u041a \u0447\u0451\u0440\u0442\u0443 \u044d\u0442\u0443 \u043f\u0440\u043e\u0432\u0438\u043d\u0446\u0438\u044e. \u0417\u0430\u0445\u043e\u0434\u0438\u0442\u0435 \u0432\u0441\u0435, \u0432\u043e\u0434\u0430 \u043e\u0442\u043b\u0438\u0447\u043d\u0430\u044f.", "modified": "2026-05-29T04:55:11.325000", "created": "2026-05-29T04:55:11.325000", "tags": [ "tuca", "sct1", "seg0", "gaz1", "p1780029305477", "sid1780029305", "euaaaaagac", "nsi1", "p1780029178835", "ccc https", "locale" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "Poland" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 543, "FileHash-MD5": 3, "FileHash-SHA256": 3, "IPv4": 119, "domain": 44, "hostname": 86 }, "indicator_count": 798, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f8063076830566d0d1d5c6", "name": "Analysis 16e21d8e11a8b078f6be0fa21cc710d9b8ab4be34ce3ee687c38f9231b13b7c4.file (MD5: FB4D263B724C53BA045523F5CCDEFA87) Malicious activity - Interactive analysis ANY.RUN", "description": "", "modified": "2026-05-05T04:47:38.924000", "created": "2026-05-04T02:36:32.055000", "tags": [ "online malware", "urlfix1" ], "references": [ "https://app.any.run/tasks/61da8b58-7716-4943-894b-5b7192f30449", "https://app.any.run/browses/e0f66b30-2069-48f4-ac4a-5c9e97101af0", "https://app.any.run/tasks/95817d27-6b8f-4bf6-a56e-cd0be0572405" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 62, "FileHash-MD5": 115, "FileHash-SHA256": 308, "hostname": 268, "URL": 318, "FileHash-SHA1": 73, "IPv6": 35, "IPv4": 473, "email": 3 }, "indicator_count": 1655, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ca4a306066375786947f52", "name": "Who is safe?", "description": "<.>\nhttps://www.virustotal.com/gui/file/c656b145ce73a997b6d95ec21dcfbee1ded90d7fff2ca0bc48765c4bb671d58c/behavior", "modified": "2026-04-30T15:30:17.242000", "created": "2026-03-30T10:02:24.092000", "tags": [ "pulse analysis", "pulses otx", "pulses", "related tags", "email domain", "withheld", "privacy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 170, "domain": 88, "email": 5, "FileHash-SHA1": 170, "FileHash-SHA256": 1028, "URL": 288, "hostname": 76 }, "indicator_count": 1825, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695555b664c8998371393b8f", "name": "\u200emyMetro App - App Store \u2022 Access Attack via iOS App", "description": "Apple iOS attack. Drive by compromise. Device fully compromised. Service provider incorrect. Device user does not use MetroPCS as Cellular carrier. \n\n#cyberwarfare #pegasus #endgame #apple #earsinthecornfield #compromised_device #zombie", "modified": "2026-01-30T16:01:37.437000", "created": "2025-12-31T16:56:22.577000", "tags": [ "espaol", "metro pcs", "metro", "english", "data", "privacy", "learn", "requires", "strong", "see all", "bernie", "mint", "never", "example", "click", "indonesia", "\u2019m", "win32mydoom dec", "united", "trojan", "name servers", "servers", "expiration date", "backdoor", "found", "passive dns", "gmt connection", "control", "content type", "twitter", "title", "aaaa", "ember cli", "ember view", "certificate", "win32", "invalid url", "body html", "head title", "title head", "body h1", "reference", "urls", "akamai", "unknown ns", "domain", "search", "ipv4", "files", "reverse dns", "location united", "america flag", "america asn", "dynamicloader", "port", "high", "medium", "windows", "displayname", "write", "destination", "tofsee", "stream", "malware", "hostile", "read c", "show", "rgba", "unicode", "whitelisted", "memcommit", "delete", "execution", "dock", "persistence", "msie", "chrome", "ip address", "otx telemetry", "unknown soa", "gmt content", "for privacy", "moved", "record value", "ubuntu date", "encrypt", "a domains", "welcome", "type", "content length", "ipv4 add", "url analysis", "accept", "overview domain", "files ip", "address", "location france", "asn as16276", "tags none", "indicator facts", "historical otx", "france unknown", "ovhcloud meta", "domain add", "present dec", "status", "service", "win32cutwail", "setcookie", "gmt server", "refloadapihash", "virtool", "present nov", "present oct", "all ipv4", "hostname", "present jul", "saudi arabia", "present mar", "present jun", "present feb", "entries", "france asn", "asn as16509", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "ascii text", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "hybrid", "local", "path", "strings", "delete c", "okrndate", "grum", "powershell", "pegasus", "unknown", "crlf line", "ff d5", "unicode text", "utf8", "ee fc", "yara rule", "f0 ff", "ff bb", "push", "autorun", "suspicious", "pulse pulses", "date", "music", "apple", "apple id", "show process", "flag", "markmonitor", "name tactics", "informative", "command", "adversaries", "spawns", "access att", "t1566 phishing", "zerobits", "allocationtype", "protect", "programfiles", "processhandle", "commitsize", "viewsize", "regionsize", "handles modules", "files amsi", "filehandle", "path filehandle", "porthandle", "copy md5", "copy sha1", "copy sha256", "href", "null", "refresh", "body", "span", "general", "error", "tools", "look", "verify", "restart", "html", "x22scriptx22", "binary file", "t1189", "cyberwarfare", "brian sabey", "never say anything", "christopher ahmann", "colorado state", "quasi", "zombie device", "present may", "emails", "exif standard", "tiff image", "windows nt", "wow64", "slcc2", "media center", "jpeg image", "copy", "next", "pecompact", "february", "packer", "delphi", "code", "tlsv1", "ogoogle trust", "xserver", "lowfi", "creation date", "domain name", "showing", "ids detections", "yara detections", "worm", "arial", "present aug", "meta", "dns domain", "site", "free dns", "msil", "dnssec", "penetration", "injections", "dead host" ], "references": [ "https://apps.apple.com/app/", "metropcs.com/account/sign-in.html", "smtp.google.com \u2022 www.google.com/images/errors/robot.png", "https://www.endgamesystems.com/ \u2022 https://www.endgames.com/", "https://freedns.afraid.org/images/exclamation", "xred.mooo.com \u2022 mooo.com \u2022 afraid.org", "admin@bigtits.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Trojan.Installcore-877", "display_name": "Win.Trojan.Installcore-877", "target": null }, { "id": "Win.Downloader.Small", "display_name": "Win.Downloader.Small", "target": null }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Tibs", "display_name": "Tibs", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ALF:JASYP:PUA:Win32/4Shared", "display_name": "ALF:JASYP:PUA:Win32/4Shared", "target": null } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1577", "name": "Compromise Application Executable", "display_name": "T1577 - Compromise Application Executable" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1086", "name": "PowerShell", "display_name": "T1086 - PowerShell" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1863, "URL": 4952, "FileHash-SHA256": 1990, "FileHash-MD5": 981, "FileHash-SHA1": 791, "email": 26, "domain": 1277, "SSLCertFingerprint": 24 }, "indicator_count": 11904, "is_author": false, "is_subscribing": null, "subscriber_count": 147, "modified_text": "121 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://challenges.cloudflare.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://challenges.cloudflare.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780264593.0998073 }