{ "type": "URL", "indicator": "https://checkip.afraid.org", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://checkip.afraid.org", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2969059553, "indicator": "https://checkip.afraid.org", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "69d1396bb42208f8aa25b8ae", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:43.680000", "created": "2026-04-04T16:16:43.680000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1395ab63bf8e8d2c384eb", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:26.128000", "created": "2026-04-04T16:16:26.128000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7ced2cf17d264b49628bc", "name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information", "description": "Multiple malware\u2019s targeting Dropbox & Ebay accounts. Referenced in earlier pukses. Further investigation shows link found in apps on multiple Apple devices. Afraid. Org still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuses in f the Palantir , Gotham , Foundry products being abused by law firms and Private Investigators.\nIt is very destructive, causing loss, these firms are literally stealing and making money with other people\u2019s intellectual property and tough luck on the actual inventor, artist, writer because they even steal , cancel your insurance or back accounts leaving you unable to make a claim. \n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians , family ,businesses, stalking tracking known location.", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T18:20:02.120000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80c6bcd3fff3a4f126a68", "name": "Sventore \u2022 Agent Tesla Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information ", "description": "", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T22:42:51.657000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "68f7ced2cf17d264b49628bc", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6694bb9be1b61bf820500004", "name": "YouTube Creator Cyber Attacks | Jays Youtube Bot.exe | YT Botnet", "description": "YouTube Creator account attacks. Critical alerts, botnets, YT bots. I cannot adequately describe attack right now. Retaliation for targets YT channel Song Culture stems from retaliation shortly after a crime against target. Id be interested to learn more. An ITC Intercepter records traffic passed through Song Culture YouTube channel m redirects to other channels. Not reflected in the 1.5 million followers or the 3.2 million views. They just stopped. Then managing director was notified as all of Song Cultures social media Twitter, Instagram, Pinterest succumbed to Emotet attack. Social engineering did occur. Several parties. Alleged eBay , health insurance representatives, an attorney, alleged PI's music managers contacted by phone. A man from Great Britain also began an SE campaign, The strange part is following, confrontations, dangerous attacks, MIB, and other curious in person encounter, critical injuries, financial devastation has caused target to remain isolated.", "modified": "2024-08-14T05:03:59.815000", "created": "2024-07-15T06:03:07.423000", "tags": [ "historical ssl", "referrer", "december", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "highly targeted", "cyber attack", "emotet", "critical", "copy", "united", "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "name server", "date", "hybrid", "general", "click", "strings", "contact", "song culture", "tsara lynn", "culture", "chime sa", "mediawarning", "youtube twitter", "secchuabitness", "secchuamodel", "secchuawow64", "secchuaplatform", "pragma", "form", "hope", "karma", "learn", "suspicious", "flag", "pe resource", "synaptics", "apeaksoft ios", "hiddentear", "urls", "domains", "contacted", "markmonitor", "win32 exe", "parents", "type name", "msrsaapp", "youtube bot", "rar jays", "mozilla firefox", "twitch", "samplename", "rar youtube", "zip youtube", "social bots", "files", "file type", "kb file", "b file", "graph", "get https", "msie", "windows nt", "win64", "slcc2", "media center", "request", "gmt server", "referer https", "amd64 accept", "accept", "code", "rwx memory", "managed code", "calls unmanaged", "native", "often seen", "base64 encrypt", "trojan", "tsara brashears", "red team hacking", "process32nextw", "regsetvalueexa", "regdword", "high", "medium", "objects", "regbinary", "module load", "t1129", "t1060", "crash", "dock", "persistence", "execution", "okhfjrtblzo", "ip check", "windows", "http host", "controlservice", "domain", "registry", "tools", "service", "worm", "malware", "win32", "bits", "read c", "intel", "ms windows", "pe32", "search", "type read", "show", "wow64", "stop", "write", "unknown", "waiting", "push", "next", "asnone united", "aaaa", "united kingdom", "as20738 host", "moved", "passive dns", "default", "delete c", "pe32 executable", "document file", "v2 document", "floodfix", "floxif", "name servers", "susp", "showing", "as55286", "scan endpoints", "all scoreblue", "ransom", "amadey", "songculture", "spreader", "tracey richter", "roberts", "michael roberts", "jays", "sabey", "rexxfield", "darklivity" ], "references": [ "https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe", "https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details", "Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042", "Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze", "https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://freedns.afraid.org/subdomain/edit.php?data_id=21091713", "Ransom: message.htm.com", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception", "Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata", "Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create", "Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan", "https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd", "Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf", "https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1", "FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H", "IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser", "Alerts: stealth_windowcreates_exe suspicious_process exe_appdata", "http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]", "https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg", "https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]", "Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)", "https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "W32.AIDetectMalware.CS", "display_name": "W32.AIDetectMalware.CS", "target": null }, { "id": "Win.Virus.Pioneer-9111434-0", "display_name": "Win.Virus.Pioneer-9111434-0", "target": null }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win32:Renos-KY\\ [Trj]", "display_name": "Win32:Renos-KY\\ [Trj]", "target": null }, { "id": ", Win.Worm.Pykspa-6057105-0", "display_name": ", Win.Worm.Pykspa-6057105-0", "target": null }, { "id": "Worm:Win32/Pykspa.C", "display_name": "Worm:Win32/Pykspa.C", "target": "/malware/Worm:Win32/Pykspa.C" }, { "id": "PUP/Hacktool", "display_name": "PUP/Hacktool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 439, "FileHash-SHA1": 386, "FileHash-SHA256": 2320, "URL": 1873, "domain": 478, "hostname": 839, "SSLCertFingerprint": 9, "email": 7 }, "indicator_count": 6351, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e863bebbf95e0dc5a4169a", "name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack expected", "description": "Network compromised updated Apple device was directed (303) to a server. This is one of several botnets found. onthewifi \u2206 {Win32:BotX-gen\\ [Trj]} \u2022 Injection process | Password bypass. Studies targets behavior | Checks for other devices | Glupteba: \n Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals can perform a number of actions of a malicious hacker's choice on your device.", "modified": "2024-04-05T12:00:46.637000", "created": "2024-03-06T12:38:22.052000", "tags": [ "referrer", "tsara brashears", "password bypass", "apple phone", "unlocker", "shell code", "script", "pe resource", "execution", "sneaky server", "emotet", "android", "download", "malware", "relic", "monitoring", "installer", "formbook", "urls", "contacted", "win32 exe", "parents", "type name", "msrsaapp", "files", "file type", "kb file", "b file", "graph", "pe32 executable", "ms windows", "intel", "generic cil", "executable", "mono", "win32 dynamic", "link library", "win16 ne", "samplename", "samplepath", "jays youtube", "rticon neutral", "details", "header intel", "name md5", "type", "language", "contained", "ico rtgroupicon", "neutral", "net technology", "corporation", "domains", "markmonitor inc", "malicious", "cnc", "network", "bypass password", "network probe", "dns query", "as20940", "united", "aaaa", "search", "showing", "date", "passive dns", "registrar", "unknown", "encrypt", "next", "domain", "emails", "name servers", "as199524", "record value", "rst seen", "last seen", "asn country", "cname", "as15169 google", "scan endpoints", "all octoseek", "pulse pulses", "files ip", "as4788", "address", "pulses", "win32", "entries", "dadjoke", "ms defender", "united kingdom", "germany unknown", "as46606", "as14061", "servers", "as12576 ee", "russia unknown", "as3320 deutsche", "gamaredon", "armageddon", "as8068", "script urls", "for privacy", "script domains", "certificate", "meta", "creation date", "as14627", "ipv4", "onthewifi", "as54113", "trojan", "flywheel", "sea x", "accept", "ransom", "post http", "langserbian", "sublangdefault", "rticon", "process32nextw", "medium", "t1055", "high", "ip address", "generic", "body", "markus", "june", "copy", "bitcoin" ], "references": [ "FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb", "FormBook: 45.159.189.105", "FormBook: http://45.159.189.105/bot/regex", "Emotet: www.youtube.com/watch?v=GyuMozsVyYs", "Relic: bam.nr-data.net [Apple Private Data Collection]", "capitana.onthewifi.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Cryptor", "display_name": "Win32:Cryptor", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba.KM!MTB", "display_name": "Trojan:Win32/Glupteba.KM!MTB", "target": "/malware/Trojan:Win32/Glupteba.KM!MTB" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1188", "name": "Multi-hop Proxy", "display_name": "T1188 - Multi-hop Proxy" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 309, "FileHash-SHA1": 307, "FileHash-SHA256": 3084, "URL": 3066, "domain": 1085, "hostname": 1709, "CVE": 1, "email": 7 }, "indicator_count": 9568, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea6410c1e1b1185951ef98", "name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack executed (Copy)", "description": "", "modified": "2024-04-05T12:00:46.637000", "created": "2024-03-08T01:04:16.906000", "tags": [ "referrer", "tsara brashears", "password bypass", "apple phone", "unlocker", "shell code", "script", "pe resource", "execution", "sneaky server", "emotet", "android", "download", "malware", "relic", "monitoring", "installer", "formbook", "urls", "contacted", "win32 exe", "parents", "type name", "msrsaapp", "files", "file type", "kb file", "b file", "graph", "pe32 executable", "ms windows", "intel", "generic cil", "executable", "mono", "win32 dynamic", "link library", "win16 ne", "samplename", "samplepath", "jays youtube", "rticon neutral", "details", "header intel", "name md5", "type", "language", "contained", "ico rtgroupicon", "neutral", "net technology", "corporation", "domains", "markmonitor inc", "malicious", "cnc", "network", "bypass password", "network probe", "dns query", "as20940", "united", "aaaa", "search", "showing", "date", "passive dns", "registrar", "unknown", "encrypt", "next", "domain", "emails", "name servers", "as199524", "record value", "rst seen", "last seen", "asn country", "cname", "as15169 google", "scan endpoints", "all octoseek", "pulse pulses", "files ip", "as4788", "address", "pulses", "win32", "entries", "dadjoke", "ms defender", "united kingdom", "germany unknown", "as46606", "as14061", "servers", "as12576 ee", "russia unknown", "as3320 deutsche", "gamaredon", "armageddon", "as8068", "script urls", "for privacy", "script domains", "certificate", "meta", "creation date", "as14627", "ipv4", "onthewifi", "as54113", "trojan", "flywheel", "sea x", "accept", "ransom", "post http", "langserbian", "sublangdefault", "rticon", "process32nextw", "medium", "t1055", "high", "ip address", "generic", "body", "markus", "june", "copy", "bitcoin" ], "references": [ "FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb", "FormBook: 45.159.189.105", "FormBook: http://45.159.189.105/bot/regex", "Emotet: www.youtube.com/watch?v=GyuMozsVyYs", "Relic: bam.nr-data.net [Apple Private Data Collection]", "capitana.onthewifi.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Cryptor", "display_name": "Win32:Cryptor", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba.KM!MTB", "display_name": "Trojan:Win32/Glupteba.KM!MTB", "target": "/malware/Trojan:Win32/Glupteba.KM!MTB" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1188", "name": "Multi-hop Proxy", "display_name": "T1188 - Multi-hop Proxy" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [], "TLP": "green", "cloned_from": "65e863bebbf95e0dc5a4169a", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 309, "FileHash-SHA1": 307, "FileHash-SHA256": 3084, "URL": 3066, "domain": 1085, "hostname": 1709, "CVE": 1, "email": 7 }, "indicator_count": 9568, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708aacc81003c0b481e48f", "name": "inforextreme.com (3)", "description": "", "modified": "2023-12-06T14:52:26.313000", "created": "2023-12-06T14:52:26.313000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-SHA256": 2369, "hostname": 1853, "URL": 5088, "domain": 745, "FileHash-SHA1": 1, "FileHash-MD5": 2 }, "indicator_count": 10062, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "624b1b24fcf576f6d340a00c", "name": "inforextreme.com (3)", "description": "", "modified": "2022-05-04T00:05:07.263000", "created": "2022-04-04T16:21:56.802000", "tags": [ "whois record", "ssl certificate", "whois", "new collection", "vt graph", "lucifer", "doublepulsar", "synaptics", "copy", "echelon", "njrat", "malware", "sorefang", "sunburst" ], "references": [ "https://www.virustotal.com/graph/gf379170e2b17454ba4088d6d6e0f3379fd716d4ff5e94b38b12ee3af4ce860d8" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Australia", "Ukraine" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 98, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5088, "hostname": 1853, "domain": 745, "FileHash-SHA256": 2369, "CVE": 4, "FileHash-MD5": 2, "FileHash-SHA1": 1 }, "indicator_count": 10062, "is_author": false, "is_subscribing": null, "subscriber_count": 416, "modified_text": "1446 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "consolefoundry.date \u2022 http://consolefoundry.date", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "http://freedns.afraid.org/subdomain/edit.php?data_id=21091713", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Crowdsourced IDS Below:", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "Indicators seen may have affected a few OTX users. Is ongoing", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "www.joewa.com", "afraid.org | evergreen.afraid.org", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb", "http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Believed to be originating from Germany and Russia", "crypto-pool.fr", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "target.dropboxbusiness.com", "https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "FormBook: 45.159.189.105", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf", "Alerts: stealth_windowcreates_exe suspicious_process exe_appdata", "https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "gitea.neconsside.com \u2022 http://f7194.vip/login", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden", "Ransom: message.htm.com", "https://api.strem.io/api/addonCollectionGet%", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://dns.google/resolve?name=SELECT", "https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details", "Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "capitana.onthewifi.com", "Address shows an place of origin: Broomfield , Co", "Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Potentially Pegasus related . Found to be affecting an IOS device", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception", "BGP Hurricane Electric seen", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "2012647\tDropbox.com Offsite File Backup in Use", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "Matches rule ET POLICY External IP Lookup ipinfo.io", "aohhpesayw.lawsonengineers.co.", "https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg", "https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]", "Loads modules at runtime Looks up procedures from modules", "https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1", "Emotet: www.youtube.com/watch?v=GyuMozsVyYs", "https://www.virustotal.com/graph/gf379170e2b17454ba4088d6d6e0f3379fd716d4ff5e94b38b12ee3af4ce860d8", "This pulse is so huge it\u2019s a mess. Will break down.", "Relic: bam.nr-data.net [Apple Private Data Collection]", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Alerts: cape_detected_threat", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H", "FormBook: http://45.159.189.105/bot/regex", "IDS: Observed Suspicious UA (Hello, World)", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com", "FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Crowdsourced SIGMA Below:", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Unique rule identifier: This rule belongs to a private collection.", "IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win32:renos-ky\\ [trj]", "Win.virus.pioneer-9111434-0", "Win.trojan.tofsee-7102058-0", "Cve-2018-10562", "Win32:botx-gen\\ [trj]", "Unix.trojan.mirai", "Slf:trojan:win32/grandoreiro.a", "Zegost", "Win.trojan.vbgeneric-6735875-0", "Neshta", "Worm:win32/autorun.xxy!bit", "Win.virus.polyransom-5704625-0", "Worm:win32/mofksys.rnd!mtb", "Cve-2025-20393", "Trojan:win32/glupteba.km!mtb", "Win32:cryptor", "Trojan.sagnt/r011c0dfs24", "Trojan:win32/pariham.a", "Alf:jasyp:trojandownloader:win32/smallagent!atmn", "Worm:win32/autorun.b", "Kentuchy", "Cve-2024-6387", "Emotet", "Win.trojan.emotet-9850453-0", "Malwarex-gen", "Cve-2023-22518", "#lowfidetectsvmware", "Nids", "Zergeca", "Worm:win32/autorun!atmn", "Win32:trojan-gen", "Unix.trojan.mirai-7669677-0", ", win.worm.pykspa-6057105-0", "Win.malware.salat-10058846-0", "Virus:win32/floxif.h", "Backdoor:win32/tofsee.t", "Worm:win32/pykspa.c", "Pup/hacktool", "Backdoor:win32/fynloski.a", "Backdoor.xtreme", "Other malware", "W32.aidetectmalware.cs" ], "industries": [], "unique_indicators": 40338 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/afraid.org", "whois": "http://whois.domaintools.com/afraid.org", "domain": "afraid.org", "hostname": "checkip.afraid.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "69d1396bb42208f8aa25b8ae", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:43.680000", "created": "2026-04-04T16:16:43.680000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1395ab63bf8e8d2c384eb", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:26.128000", "created": "2026-04-04T16:16:26.128000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7ced2cf17d264b49628bc", "name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information", "description": "Multiple malware\u2019s targeting Dropbox & Ebay accounts. Referenced in earlier pukses. Further investigation shows link found in apps on multiple Apple devices. Afraid. Org still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuses in f the Palantir , Gotham , Foundry products being abused by law firms and Private Investigators.\nIt is very destructive, causing loss, these firms are literally stealing and making money with other people\u2019s intellectual property and tough luck on the actual inventor, artist, writer because they even steal , cancel your insurance or back accounts leaving you unable to make a claim. \n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians , family ,businesses, stalking tracking known location.", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T18:20:02.120000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80c6bcd3fff3a4f126a68", "name": "Sventore \u2022 Agent Tesla Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information ", "description": "", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T22:42:51.657000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "68f7ced2cf17d264b49628bc", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6694bb9be1b61bf820500004", "name": "YouTube Creator Cyber Attacks | Jays Youtube Bot.exe | YT Botnet", "description": "YouTube Creator account attacks. Critical alerts, botnets, YT bots. I cannot adequately describe attack right now. Retaliation for targets YT channel Song Culture stems from retaliation shortly after a crime against target. Id be interested to learn more. An ITC Intercepter records traffic passed through Song Culture YouTube channel m redirects to other channels. Not reflected in the 1.5 million followers or the 3.2 million views. They just stopped. Then managing director was notified as all of Song Cultures social media Twitter, Instagram, Pinterest succumbed to Emotet attack. Social engineering did occur. Several parties. Alleged eBay , health insurance representatives, an attorney, alleged PI's music managers contacted by phone. A man from Great Britain also began an SE campaign, The strange part is following, confrontations, dangerous attacks, MIB, and other curious in person encounter, critical injuries, financial devastation has caused target to remain isolated.", "modified": "2024-08-14T05:03:59.815000", "created": "2024-07-15T06:03:07.423000", "tags": [ "historical ssl", "referrer", "december", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "highly targeted", "cyber attack", "emotet", "critical", "copy", "united", "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "name server", "date", "hybrid", "general", "click", "strings", "contact", "song culture", "tsara lynn", "culture", "chime sa", "mediawarning", "youtube twitter", "secchuabitness", "secchuamodel", "secchuawow64", "secchuaplatform", "pragma", "form", "hope", "karma", "learn", "suspicious", "flag", "pe resource", "synaptics", "apeaksoft ios", "hiddentear", "urls", "domains", "contacted", "markmonitor", "win32 exe", "parents", "type name", "msrsaapp", "youtube bot", "rar jays", "mozilla firefox", "twitch", "samplename", "rar youtube", "zip youtube", "social bots", "files", "file type", "kb file", "b file", "graph", "get https", "msie", "windows nt", "win64", "slcc2", "media center", "request", "gmt server", "referer https", "amd64 accept", "accept", "code", "rwx memory", "managed code", "calls unmanaged", "native", "often seen", "base64 encrypt", "trojan", "tsara brashears", "red team hacking", "process32nextw", "regsetvalueexa", "regdword", "high", "medium", "objects", "regbinary", "module load", "t1129", "t1060", "crash", "dock", "persistence", "execution", "okhfjrtblzo", "ip check", "windows", "http host", "controlservice", "domain", "registry", "tools", "service", "worm", "malware", "win32", "bits", "read c", "intel", "ms windows", "pe32", "search", "type read", "show", "wow64", "stop", "write", "unknown", "waiting", "push", "next", "asnone united", "aaaa", "united kingdom", "as20738 host", "moved", "passive dns", "default", "delete c", "pe32 executable", "document file", "v2 document", "floodfix", "floxif", "name servers", "susp", "showing", "as55286", "scan endpoints", "all scoreblue", "ransom", "amadey", "songculture", "spreader", "tracey richter", "roberts", "michael roberts", "jays", "sabey", "rexxfield", "darklivity" ], "references": [ "https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe", "https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details", "Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042", "Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze", "https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://freedns.afraid.org/subdomain/edit.php?data_id=21091713", "Ransom: message.htm.com", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception", "Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata", "Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create", "Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan", "https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd", "Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf", "https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1", "FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H", "IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser", "Alerts: stealth_windowcreates_exe suspicious_process exe_appdata", "http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]", "https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg", "https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]", "Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)", "https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "W32.AIDetectMalware.CS", "display_name": "W32.AIDetectMalware.CS", "target": null }, { "id": "Win.Virus.Pioneer-9111434-0", "display_name": "Win.Virus.Pioneer-9111434-0", "target": null }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win32:Renos-KY\\ [Trj]", "display_name": "Win32:Renos-KY\\ [Trj]", "target": null }, { "id": ", Win.Worm.Pykspa-6057105-0", "display_name": ", Win.Worm.Pykspa-6057105-0", "target": null }, { "id": "Worm:Win32/Pykspa.C", "display_name": "Worm:Win32/Pykspa.C", "target": "/malware/Worm:Win32/Pykspa.C" }, { "id": "PUP/Hacktool", "display_name": "PUP/Hacktool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 439, "FileHash-SHA1": 386, "FileHash-SHA256": 2320, "URL": 1873, "domain": 478, "hostname": 839, "SSLCertFingerprint": 9, "email": 7 }, "indicator_count": 6351, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e863bebbf95e0dc5a4169a", "name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack expected", "description": "Network compromised updated Apple device was directed (303) to a server. This is one of several botnets found. onthewifi \u2206 {Win32:BotX-gen\\ [Trj]} \u2022 Injection process | Password bypass. Studies targets behavior | Checks for other devices | Glupteba: \n Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals can perform a number of actions of a malicious hacker's choice on your device.", "modified": "2024-04-05T12:00:46.637000", "created": "2024-03-06T12:38:22.052000", "tags": [ "referrer", "tsara brashears", "password bypass", "apple phone", "unlocker", "shell code", "script", "pe resource", "execution", "sneaky server", "emotet", "android", "download", "malware", "relic", "monitoring", "installer", "formbook", "urls", "contacted", "win32 exe", "parents", "type name", "msrsaapp", "files", "file type", "kb file", "b file", "graph", "pe32 executable", "ms windows", "intel", "generic cil", "executable", "mono", "win32 dynamic", "link library", "win16 ne", "samplename", "samplepath", "jays youtube", "rticon neutral", "details", "header intel", "name md5", "type", "language", "contained", "ico rtgroupicon", "neutral", "net technology", "corporation", "domains", "markmonitor inc", "malicious", "cnc", "network", "bypass password", "network probe", "dns query", "as20940", "united", "aaaa", "search", "showing", "date", "passive dns", "registrar", "unknown", "encrypt", "next", "domain", "emails", "name servers", "as199524", "record value", "rst seen", "last seen", "asn country", "cname", "as15169 google", "scan endpoints", "all octoseek", "pulse pulses", "files ip", "as4788", "address", "pulses", "win32", "entries", "dadjoke", "ms defender", "united kingdom", "germany unknown", "as46606", "as14061", "servers", "as12576 ee", "russia unknown", "as3320 deutsche", "gamaredon", "armageddon", "as8068", "script urls", "for privacy", "script domains", "certificate", "meta", "creation date", "as14627", "ipv4", "onthewifi", "as54113", "trojan", "flywheel", "sea x", "accept", "ransom", "post http", "langserbian", "sublangdefault", "rticon", "process32nextw", "medium", "t1055", "high", "ip address", "generic", "body", "markus", "june", "copy", "bitcoin" ], "references": [ "FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb", "FormBook: 45.159.189.105", "FormBook: http://45.159.189.105/bot/regex", "Emotet: www.youtube.com/watch?v=GyuMozsVyYs", "Relic: bam.nr-data.net [Apple Private Data Collection]", "capitana.onthewifi.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Cryptor", "display_name": "Win32:Cryptor", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba.KM!MTB", "display_name": "Trojan:Win32/Glupteba.KM!MTB", "target": "/malware/Trojan:Win32/Glupteba.KM!MTB" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1188", "name": "Multi-hop Proxy", "display_name": "T1188 - Multi-hop Proxy" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 309, "FileHash-SHA1": 307, "FileHash-SHA256": 3084, "URL": 3066, "domain": 1085, "hostname": 1709, "CVE": 1, "email": 7 }, "indicator_count": 9568, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea6410c1e1b1185951ef98", "name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack executed (Copy)", "description": "", "modified": "2024-04-05T12:00:46.637000", "created": "2024-03-08T01:04:16.906000", "tags": [ "referrer", "tsara brashears", "password bypass", "apple phone", "unlocker", "shell code", "script", "pe resource", "execution", "sneaky server", "emotet", "android", "download", "malware", "relic", "monitoring", "installer", "formbook", "urls", "contacted", "win32 exe", "parents", "type name", "msrsaapp", "files", "file type", "kb file", "b file", "graph", "pe32 executable", "ms windows", "intel", "generic cil", "executable", "mono", "win32 dynamic", "link library", "win16 ne", "samplename", "samplepath", "jays youtube", "rticon neutral", "details", "header intel", "name md5", "type", "language", "contained", "ico rtgroupicon", "neutral", "net technology", "corporation", "domains", "markmonitor inc", "malicious", "cnc", "network", "bypass password", "network probe", "dns query", "as20940", "united", "aaaa", "search", "showing", "date", "passive dns", "registrar", "unknown", "encrypt", "next", "domain", "emails", "name servers", "as199524", "record value", "rst seen", "last seen", "asn country", "cname", "as15169 google", "scan endpoints", "all octoseek", "pulse pulses", "files ip", "as4788", "address", "pulses", "win32", "entries", "dadjoke", "ms defender", "united kingdom", "germany unknown", "as46606", "as14061", "servers", "as12576 ee", "russia unknown", "as3320 deutsche", "gamaredon", "armageddon", "as8068", "script urls", "for privacy", "script domains", "certificate", "meta", "creation date", "as14627", "ipv4", "onthewifi", "as54113", "trojan", "flywheel", "sea x", "accept", "ransom", "post http", "langserbian", "sublangdefault", "rticon", "process32nextw", "medium", "t1055", "high", "ip address", "generic", "body", "markus", "june", "copy", "bitcoin" ], "references": [ "FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb", "FormBook: 45.159.189.105", "FormBook: http://45.159.189.105/bot/regex", "Emotet: www.youtube.com/watch?v=GyuMozsVyYs", "Relic: bam.nr-data.net [Apple Private Data Collection]", "capitana.onthewifi.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Cryptor", "display_name": "Win32:Cryptor", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba.KM!MTB", "display_name": "Trojan:Win32/Glupteba.KM!MTB", "target": "/malware/Trojan:Win32/Glupteba.KM!MTB" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1188", "name": "Multi-hop Proxy", "display_name": "T1188 - Multi-hop Proxy" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [], "TLP": "green", "cloned_from": "65e863bebbf95e0dc5a4169a", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 309, "FileHash-SHA1": 307, "FileHash-SHA256": 3084, "URL": 3066, "domain": 1085, "hostname": 1709, "CVE": 1, "email": 7 }, "indicator_count": 9568, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708aacc81003c0b481e48f", "name": "inforextreme.com (3)", "description": "", "modified": "2023-12-06T14:52:26.313000", "created": "2023-12-06T14:52:26.313000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-SHA256": 2369, "hostname": 1853, "URL": 5088, "domain": 745, "FileHash-SHA1": 1, "FileHash-MD5": 2 }, "indicator_count": 10062, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "624b1b24fcf576f6d340a00c", "name": "inforextreme.com (3)", "description": "", "modified": "2022-05-04T00:05:07.263000", "created": "2022-04-04T16:21:56.802000", "tags": [ "whois record", "ssl certificate", "whois", "new collection", "vt graph", "lucifer", "doublepulsar", "synaptics", "copy", "echelon", "njrat", "malware", "sorefang", "sunburst" ], "references": [ "https://www.virustotal.com/graph/gf379170e2b17454ba4088d6d6e0f3379fd716d4ff5e94b38b12ee3af4ce860d8" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Australia", "Ukraine" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 98, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5088, "hostname": 1853, "domain": 745, "FileHash-SHA256": 2369, "CVE": 4, "FileHash-MD5": 2, "FileHash-SHA1": 1 }, "indicator_count": 10062, "is_author": false, "is_subscribing": null, "subscriber_count": 416, "modified_text": "1446 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://checkip.afraid.org", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://checkip.afraid.org", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776638816.5033438 }