{ "type": "URL", "indicator": "https://chocolate.cliapi.mergechocolate.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://chocolate.cliapi.mergechocolate.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3739903904, "indicator": "https://chocolate.cliapi.mergechocolate.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 23, "pulses": [ { "id": "66b8fe985a7460e0ee01be8a", "name": "r3.o.lencr.org", "description": "", "modified": "2024-08-11T18:14:13.378000", "created": "2024-08-11T18:10:32.276000", "tags": [ "as20940", "united", "trojan", "search", "passive dns", "urls", "entries", "dashboard", "browse scan", "endpoints all", "date", "a domains", "aaaa", "record value", "scan endpoints", "all search", "otx octoseek", "domain related", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64dc045f5344129c48c41826", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 664, "email": 13, "hostname": 1352, "FileHash-SHA256": 2550, "URL": 5422, "FileHash-MD5": 761, "FileHash-SHA1": 615 }, "indicator_count": 11377, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "616 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a989843b7acf6d0a79ac", "name": "Qakbot. Again. Today. Pulled from own device. Quasar RAT, Malvertizing", "description": "", "modified": "2023-12-06T17:04:09.133000", "created": "2023-12-06T17:04:09.133000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 290, "FileHash-SHA256": 1478, "hostname": 1047, "URL": 4055, "FileHash-MD5": 89, "FileHash-SHA1": 85, "email": 1, "FilePath": 2, "Mutex": 1, "CIDR": 1 }, "indicator_count": 7051, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a921559dd331e2b31e4c", "name": "Brontok", "description": "", "modified": "2023-12-06T17:02:25.638000", "created": "2023-12-06T17:02:25.638000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 21, "hostname": 432, "domain": 161, "FileHash-SHA256": 714, "URL": 750, "FileHash-MD5": 1400, "FileHash-SHA1": 706, "Mutex": 1, "FilePath": 1, "URI": 1 }, "indicator_count": 4187, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a79534c615a8f10f3380", "name": "Qakbot | Info Stealer | Sourced: Part-RU", "description": "", "modified": "2023-12-06T16:55:49.669000", "created": "2023-12-06T16:55:49.669000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2383, "hostname": 1027, "domain": 418, "URL": 2673, "FileHash-MD5": 99, "FileHash-SHA1": 98 }, "indicator_count": 6698, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6545be6e02e0f9f82cb1febf", "name": "Vawtrak credential stealer | CNC", "description": "", "modified": "2023-11-30T07:01:37.424000", "created": "2023-11-04T03:45:50.234000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "keylogger", "sample path", "Miles IT" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "65413ea960cc79abf6d446fb", "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5688, "URL": 15015, "domain": 3262, "hostname": 4687, "CVE": 16, "email": 8 }, "indicator_count": 28967, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65413ea960cc79abf6d446fb", "name": "Vawtrak credential stealer | CNC", "description": "Cyber warfare\nTracking\nMonitoring\nMalvertizing\nCNC\nKeylogging\nBotNet\nSever Privacy Invasion", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T17:51:37.016000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "keylogger", "sample path", "Miles IT" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5688, "URL": 15015, "domain": 3262, "hostname": 4687, "CVE": 16, "email": 8 }, "indicator_count": 28967, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654136c8e530066ae793dc64", "name": "Cyber Espionage", "description": "Cyber warfare. Extravagant attack that includes, phishing, monitoring, spyware, tracking, remote vehicle tracking, API calls after identification of anything computerized; car, phone, mobile phone, mail, ups, television. Apple private data services nr-data.net. This may be a Honeypot. Interesting. Attacker alleging to be a government contractor actively attacks and porn smears alleged SA victim assaulted by someone with his last name. Coincidence or Honeypot?\nTarget still at risk.\nTarget again is Tsara Brashears. \nSevere privacy invasion.\nShhhh....Active Silencing", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T17:18:00.623000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "tsara brashears", "adult content", "pornography", "malvertizing", "privacy invasion", "privilege escalation", "packed", "aig.com", "aig.rastreator.mx", "apple", "ios", "tracking", "monitoring", "nr-data.net", "asp.net" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" } ], "industries": [ "Defense", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 69, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5806, "URL": 16475, "domain": 3302, "hostname": 5135, "CVE": 16, "email": 8 }, "indicator_count": 31033, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654136c1ac991f85328604d2", "name": "Cyber Espionage", "description": "Cyber warfare. Extravagant attack that includes, phishing, monitoring, spyware, tracking, remote vehicle tracking, API calls after identification of anything computerized; car, phone, mobile phone, mail, ups, television. Apple private data services nr-data.net. This may be a Honeypot. Interesting. Attacker alleging to be a government contractor actively attacks and porn smears alleged SA victim assaulted by someone with his last name. Coincidence or Honeypot?\nTarget still at risk.\nTarget again is Tsara Brashears. \nSevere privacy invasion.\nShhhh....Active Silencing", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T17:17:52.382000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "tsara brashears", "adult content", "pornography", "malvertizing", "privacy invasion", "privilege escalation", "packed", "aig.com", "aig.rastreator.mx", "apple", "ios", "tracking", "monitoring", "nr-data.net", "asp.net" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" } ], "industries": [ "Defense", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 69, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5806, "URL": 16475, "domain": 3302, "hostname": 5135, "CVE": 16, "email": 8 }, "indicator_count": 31033, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654136b5eb9bdd21070ff9d7", "name": "Cyber Espionage", "description": "Cyber warfare. Extravagant attack that includes, phishing, monitoring, spyware, tracking, remote vehicle tracking, API calls after identification of anything computerized; car, phone, mobile phone, mail, ups, television. Apple private data services nr-data.net. This may be a Honeypot. Interesting. Attacker alleging to be a government contractor actively attacks and porn smears alleged SA victim assaulted by someone with his last name. Coincidence or Honeypot?\nTarget still at risk.\nTarget again is Tsara Brashears. \nSevere privacy invasion.\nShhhh....Active Silencing", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T17:17:41.263000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "tsara brashears", "adult content", "pornography", "malvertizing", "privacy invasion", "privilege escalation", "packed", "aig.com", "aig.rastreator.mx", "apple", "ios", "tracking", "monitoring", "nr-data.net", "asp.net" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" } ], "industries": [ "Defense", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 70, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5806, "URL": 16475, "domain": 3302, "hostname": 5135, "CVE": 16, "email": 8 }, "indicator_count": 31033, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f200c20e12f03f749c403", "name": "114.114.114.114 Tracking | Botnet | Malvertizing", "description": "", "modified": "2023-11-19T00:04:57.528000", "created": "2023-10-30T03:16:28.252000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "6533b20cf4ad384a0193c655", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "883 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580ba704bae549b90948b5", "name": "Tracker and Botnet campaign - Canto XXVI", "description": "", "modified": "2023-11-19T00:04:57.528000", "created": "2023-11-18T00:56:07.651000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "653f1ffb074d89724cb81371", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "883 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f205bac4b92f025125962", "name": "Tracker and Botnet campaign - Canto XXVI", "description": "", "modified": "2023-11-19T00:04:57.528000", "created": "2023-10-30T03:17:47.051000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "653323d24f9946946c804be4", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "883 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1ffb074d89724cb81371", "name": "Tracker and Botnet campaign - Canto XXVI", "description": "", "modified": "2023-11-19T00:04:57.528000", "created": "2023-10-30T03:16:11.181000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "653323de61317f6ca7a3e875", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "883 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6533b20cf4ad384a0193c655", "name": "114.114.114.114 Tracking | Botnet | Malvertizing ", "description": "", "modified": "2023-11-19T00:04:57.528000", "created": "2023-10-21T11:12:12.005000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "653323d24f9946946c804be4", "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "883 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653323de61317f6ca7a3e875", "name": "Tracker and Botnet campaign - Canto XXVI", "description": "Sounds crazy made up. This is an expensive campaign. Talented, lost individuals.\nI'm naming this campaign.\n'Canto XXVI' Bolgia 8 \u2013 Counsellors of Fraud\nThat's where they'll return.", "modified": "2023-11-19T00:04:57.528000", "created": "2023-10-21T01:05:34.166000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "883 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653323d24f9946946c804be4", "name": "Tracker and Botnet campaign - Canto XXVI", "description": "Sounds crazy made up. This is an expensive campaign. Talented, lost individuals.\nI'm naming this campaign.\n'Canto XXVI' Bolgia 8 \u2013 Counsellors of Fraud\nThat's where they'll return.", "modified": "2023-11-19T00:04:57.528000", "created": "2023-10-21T01:05:22.903000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "883 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65331eeded285a25c31d63a4", "name": "Tracking and Botnet campaign", "description": "US attackers making an exit by dumping to my devices & spreading to various other unsuspecting?\nRevenge for researching? Dumping to make it hard to implicate a single source. \nDump of Tsara Brashears and other adult content , malvertizing by a cyber stalker campaigners. As reported previously, entered my device and took control. Evidence pulled from a device while attack in progress. Device read Michigan, shopping, advertising, news, etc. Location not associated with any failed privacy controls on devices listing other locations.\nI listed a few IOC's Dumped to device in references. \nDump was continuous. Device modification for storage, new systems interface created upon device update. Moderete byte load per minute. Example 227 KB per minute. Prism command line tool\nChina foolish enough to implicate themselves for unclear crimes against American citizens? If an alleged crime against a target was allegedly committed in US someone is silencing her big time. There are a few other names as well. Targets?", "modified": "2023-11-19T00:04:57.528000", "created": "2023-10-21T00:44:29.344000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "883 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652cc4de6aa3848c3722e9a6", "name": "Qakbot. Again. Today. Pulled from own device. Quasar RAT, Malvertizing", "description": "Serious concerns. Approached, threatened & told no cyber tool or literature would help me by a stranger in public place seconds after a male demanded to know if I had a SQL book or knowledge, asked for phone #, a date , to buy only 2 books and come with him? WHAT? He really wanted my number not me. he got so close to, I thought he had a wearable hacktool device. Ongoing. I realized dumping when I typed, the letter T only for another search term, results = Tsara Brashears dead? Clean search browser history. No Auto DL file titled: government Qbot Qakbot?! I couldn't open it. Last night I got a free unauthorized penetration test, apps, awful attack. Adult content dumping from listed in references. . I don't attack is China based despite server locations.. It's too easy to appear to be attacking from another country. Can't make it up. Ongoing long. Major disruption. Issue predates research.", "modified": "2023-11-15T01:03:46.666000", "created": "2023-10-16T05:06:38.412000", "tags": [ "whois record", "tsara brashears", "contacted", "threat roundup", "whois whois", "remcos", "iocs", "cyberstalking", "cry kill", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "malware", "awful", "open", "korplug", "execution", "pe resource", "referrer", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "quasar", "ursnif", "name verdict", "falcon sandbox", "sha256", "size", "sha1", "show process", "runtime process", "unicode", "crlf line", "ascii text", "mitre att", "type data", "hybrid", "general", "local", "path", "click", "strings", "nanjing xinfeng", "xiongmao group", "road descr", "district", "nanjing", "jiangsu", "china country", "apnic irt", "beijing", "china email", "copy md5", "copy sha1", "copy sha256", "AMERICA", "threat", "cyber criminal", "teams", "bounce", "Please Stop \u2205", "eminent threat", "Apple", "Android", "adversarial", "injection", "Tulach.cc malware", "scanning_host", "exploit_source", "ransomware" ], "references": [ "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e", "114.114.114.114", "http://login.live.com/oauth20_remoteconnect.srf", "a-poster.info", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "[Unnamed Teams Hacking Group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Wanna Cry Kill Switch", "display_name": "Wanna Cry Kill Switch", "target": null }, { "id": "RansomEXX (Windows)", "display_name": "RansomEXX (Windows)", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4055, "FileHash-MD5": 89, "FileHash-SHA1": 85, "FileHash-SHA256": 1478, "domain": 290, "hostname": 1047, "FilePath": 2, "Mutex": 1, "CVE": 2, "CIDR": 1, "email": 1 }, "indicator_count": 7051, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "887 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1d0b195d4b6afe502318", "name": "Brontok", "description": "", "modified": "2023-11-13T15:00:53.499000", "created": "2023-10-30T03:03:39.499000", "tags": [ "united", "proxy", "firehol", "anonymizer", "host", "team malware", "noname057", "cisco umbrella", "heur", "site", "safe site", "malware", "alexa top", "million", "phishing site", "malicious site", "artemis", "installcore", "unsafe", "alexa", "redline stealer", "outbreak", "iobit", "dropper", "crack", "riskware", "acint", "conduit", "installpack", "mediaget", "live", "presenoker", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "agent", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "team", "unruy", "trojanx", "webshell", "exploit", "maltiverse", "generic malware", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "site top", "html", "malware site", "win64", "opencandy", "phishing", "fusioncore", "wacatac", "iframe", "downldr", "softcnapp", "cleaner", "tiggre", "vidar", "raccoon", "union", "xtrat", "bank", "cve201711882", "phish", "nsis", "xrat", "stealer", "download", "first", "vnc", "slimware", "trojanspy", "blacklist https", "Phishing Banco De Brasil", "remote", "msil, rat,revenge-rat -evasive" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VNC", "display_name": "VNC", "target": null }, { "id": "Slimware", "display_name": "Slimware", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "PUP.Bundler", "display_name": "PUP.Bundler", "target": null }, { "id": "DangerousObject. Agent", "display_name": "DangerousObject. Agent", "target": null }, { "id": "WebToolBar.Backdoor", "display_name": "WebToolBar.Backdoor", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "NBAE", "display_name": "NBAE", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": "652ac38b58830eb3825f84e8", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 21, "domain": 161, "hostname": 432, "FileHash-MD5": 1400, "FileHash-SHA1": 706, "FileHash-SHA256": 714, "URL": 750, "Mutex": 1, "FilePath": 1, "URI": 1 }, "indicator_count": 4187, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652ac38b58830eb3825f84e8", "name": "Brontok", "description": "Colorado Malicious link found in Colorado Secretary of State Website. \n.\nhttps://www.sos.state.co.us/ucc/pages/biz/bizSearch.xhtml \nCritical vulnerabilities:\nVNC Server Authentication-less; The VNC server installed on the remote host allows an attacker to connect to the remote host as no authentication is required to access this service.\n\nBrontok: a computer worm running on Microsoft Windows \n\nRedLine Stealer: infostealer malware stealing password credentials, credit card numbers, etc,. \n\nVulnerable to CVE exploits: 21 CVE's over time.\ncyber criminal web attack?", "modified": "2023-11-13T15:00:53.499000", "created": "2023-10-14T16:36:27.390000", "tags": [ "united", "proxy", "firehol", "anonymizer", "host", "team malware", "noname057", "cisco umbrella", "heur", "site", "safe site", "malware", "alexa top", "million", "phishing site", "malicious site", "artemis", "installcore", "unsafe", "alexa", "redline stealer", "outbreak", "iobit", "dropper", "crack", "riskware", "acint", "conduit", "installpack", "mediaget", "live", "presenoker", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "agent", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "team", "unruy", "trojanx", "webshell", "exploit", "maltiverse", "generic malware", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "site top", "html", "malware site", "win64", "opencandy", "phishing", "fusioncore", "wacatac", "iframe", "downldr", "softcnapp", "cleaner", "tiggre", "vidar", "raccoon", "union", "xtrat", "bank", "cve201711882", "phish", "nsis", "xrat", "stealer", "download", "first", "vnc", "slimware", "trojanspy", "blacklist https", "Phishing Banco De Brasil", "remote", "msil, rat,revenge-rat -evasive" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VNC", "display_name": "VNC", "target": null }, { "id": "Slimware", "display_name": "Slimware", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "PUP.Bundler", "display_name": "PUP.Bundler", "target": null }, { "id": "DangerousObject. Agent", "display_name": "DangerousObject. Agent", "target": null }, { "id": "WebToolBar.Backdoor", "display_name": "WebToolBar.Backdoor", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "NBAE", "display_name": "NBAE", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 21, "domain": 161, "hostname": 432, "FileHash-MD5": 1400, "FileHash-SHA1": 706, "FileHash-SHA256": 714, "URL": 750, "Mutex": 1, "FilePath": 1, "URI": 1 }, "indicator_count": 4187, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1344cd54f3a86745a617", "name": "Qakbot | Info Stealer | Sourced: Part-RU", "description": "", "modified": "2023-10-31T16:03:29.760000", "created": "2023-10-30T02:21:56.497000", "tags": [ "ssl certificate", "contacted", "whois record", "execution", "bundled", "resolutions", "referrer", "communicating", "network", "historical ssl", "malware", "twitter", "hacktool", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6519c4b76612eda702942ad6", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 98, "FileHash-SHA256": 2383, "URL": 2673, "domain": 418, "hostname": 1027 }, "indicator_count": 6698, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "901 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6519c4b76612eda702942ad6", "name": "Qakbot | Info Stealer | Sourced: Part-RU", "description": "Info Stealer\nET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 789", "modified": "2023-10-31T16:03:29.760000", "created": "2023-10-01T19:12:55.573000", "tags": [ "ssl certificate", "contacted", "whois record", "execution", "bundled", "resolutions", "referrer", "communicating", "network", "historical ssl", "malware", "twitter", "hacktool", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 98, "FileHash-SHA256": 2383, "URL": 2673, "domain": 418, "hostname": 1027 }, "indicator_count": 6698, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "901 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64dc045f5344129c48c41826", "name": "r3.o.lencr.org", "description": "Malware. R3.o.lencr.org is a browser-redirecting app aka browser hijacking, that attaches itself to main browser in devices. Ability to take control over some settings. Tracker. Scammers use Lencr.org/ LetsEncrypt in websites that have malicious content and activities. \nMalicious Activity:\nALF:Trojan:Win32/Cassini_f9070846!ibt\nALFPER:CERT:SoftwareBundler:Win32/InstallMonetizer\nTrojan:Win32/Dorv.A!rfn\nTrojan:Win32/Prepscram\nTrojan:Win32/Zbot.SIBG!MTB\nTrojanDownloader:Win32/Banload\nTrojanDownloader:Win32/Upatre.D\nTrojanDownloader:Win32/Upatre.J\nWin.Downloader.Mailru-9797354-1\nWin.Dropper.Agent-185636\nRiskware\nMalicious Adware spamming \n\n(Auto Generated Description: A complete list of malicious files has been published on the website of Cloudflare.com, the company that provides access to the service for users who use its services to access their email addresses.)", "modified": "2023-09-15T04:05:29.096000", "created": "2023-08-15T23:03:59.403000", "tags": [ "as20940", "united", "trojan", "search", "passive dns", "urls", "entries", "dashboard", "browse scan", "endpoints all", "date", "a domains", "aaaa", "record value", "scan endpoints", "all search", "otx octoseek", "domain related", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 664, "email": 13, "hostname": 1352, "FileHash-SHA256": 1750, "URL": 5422, "FileHash-MD5": 207, "FileHash-SHA1": 61 }, "indicator_count": 9469, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "947 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "tv.apple.com Apple hacking", "CVE-2022-26134", "1.62.64.108 malware_hosting", "199.249.230.74 traffic group 78", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "wallpapers-nature.com", "110.249.196.101. malware_hosting", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "a-poster.info [tagging tool]", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "https://twitter.com/ catapult spider/spider", "64.190.63.136 Malicious. IP: Sedo GmbH", "https://gpt.ocloo.cn/auth", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "newrelic.se New Update Apple iPhone 199.59.243.222", "itunes.apple.com. [https:///app/apple-store", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "www.anyxxxtube.net prism.exe", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "http://karnalketo.com/sound-found error code 432 server nginx", "www.sweetheartvideo.com Tracking and Botnet campaign", "a-poster.info", "vmwarevmc.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "114.114.1114.114", "www.sweetheartvideo.com", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "114.114.114.114", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e", "nr-data.net Private Apple data collection", "https://tulach.cc/ phishing | Proxy | Skynet", "20.99.186.246 exploit_source", "http://login.live.com/oauth20_remoteconnect.srf", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "https://www.pornhub.com prism.exe [Massachusetts, US]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "[Unnamed Teams Hacking Group]", "[Unnamed US Teams and Hacker group]" ], "malware_families": [ "Maltiverse", "Qakbot - s0650", "Skynet", "Wanna cry kill switch", "Emotet", "Quasar rat", "Korplug", "Remcos", "Cobalt strike", "Azorult - s0344", "Ransomware", "Webtoolbar.backdoor", "Slimware", "Virus:dos/nanjing", "Nbae", "Formbook", "Ransomexx (windows)", "Tulach", "Ursnif - s0386", "Dangerousobject. agent", "Trojanspy", "Virus:wm/look", "Ketogenic switch", "Vnc", "Daxin", "Ransomexx", "Njrat - s0385", "Colibri loader", "Bitcoinaussie", "Pup.bundler", "Nanocore rat", "Chaos", "Gregory", "Dark power", "Nokoyawa", "Colbalt strike" ], "industries": [ "Government", "Defense" ], "unique_indicators": 58840 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/mergechocolate.com", "whois": "http://whois.domaintools.com/mergechocolate.com", "domain": "mergechocolate.com", "hostname": "chocolate.cliapi.mergechocolate.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 23, "pulses": [ { "id": "66b8fe985a7460e0ee01be8a", "name": "r3.o.lencr.org", "description": "", "modified": "2024-08-11T18:14:13.378000", "created": "2024-08-11T18:10:32.276000", "tags": [ "as20940", "united", "trojan", "search", "passive dns", "urls", "entries", "dashboard", "browse scan", "endpoints all", "date", "a domains", "aaaa", "record value", "scan endpoints", "all search", "otx octoseek", "domain related", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64dc045f5344129c48c41826", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 664, "email": 13, "hostname": 1352, "FileHash-SHA256": 2550, "URL": 5422, "FileHash-MD5": 761, "FileHash-SHA1": 615 }, "indicator_count": 11377, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "616 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a989843b7acf6d0a79ac", "name": "Qakbot. Again. Today. Pulled from own device. Quasar RAT, Malvertizing", "description": "", "modified": "2023-12-06T17:04:09.133000", "created": "2023-12-06T17:04:09.133000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 290, "FileHash-SHA256": 1478, "hostname": 1047, "URL": 4055, "FileHash-MD5": 89, "FileHash-SHA1": 85, "email": 1, "FilePath": 2, "Mutex": 1, "CIDR": 1 }, "indicator_count": 7051, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a921559dd331e2b31e4c", "name": "Brontok", "description": "", "modified": "2023-12-06T17:02:25.638000", "created": "2023-12-06T17:02:25.638000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 21, "hostname": 432, "domain": 161, "FileHash-SHA256": 714, "URL": 750, "FileHash-MD5": 1400, "FileHash-SHA1": 706, "Mutex": 1, "FilePath": 1, "URI": 1 }, "indicator_count": 4187, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a79534c615a8f10f3380", "name": "Qakbot | Info Stealer | Sourced: Part-RU", "description": "", "modified": "2023-12-06T16:55:49.669000", "created": "2023-12-06T16:55:49.669000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2383, "hostname": 1027, "domain": 418, "URL": 2673, "FileHash-MD5": 99, "FileHash-SHA1": 98 }, "indicator_count": 6698, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6545be6e02e0f9f82cb1febf", "name": "Vawtrak credential stealer | CNC", "description": "", "modified": "2023-11-30T07:01:37.424000", "created": "2023-11-04T03:45:50.234000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "keylogger", "sample path", "Miles IT" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "65413ea960cc79abf6d446fb", "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5688, "URL": 15015, "domain": 3262, "hostname": 4687, "CVE": 16, "email": 8 }, "indicator_count": 28967, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65413ea960cc79abf6d446fb", "name": "Vawtrak credential stealer | CNC", "description": "Cyber warfare\nTracking\nMonitoring\nMalvertizing\nCNC\nKeylogging\nBotNet\nSever Privacy Invasion", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T17:51:37.016000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "keylogger", "sample path", "Miles IT" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5688, "URL": 15015, "domain": 3262, "hostname": 4687, "CVE": 16, "email": 8 }, "indicator_count": 28967, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654136c8e530066ae793dc64", "name": "Cyber Espionage", "description": "Cyber warfare. Extravagant attack that includes, phishing, monitoring, spyware, tracking, remote vehicle tracking, API calls after identification of anything computerized; car, phone, mobile phone, mail, ups, television. Apple private data services nr-data.net. This may be a Honeypot. Interesting. Attacker alleging to be a government contractor actively attacks and porn smears alleged SA victim assaulted by someone with his last name. Coincidence or Honeypot?\nTarget still at risk.\nTarget again is Tsara Brashears. \nSevere privacy invasion.\nShhhh....Active Silencing", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T17:18:00.623000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "tsara brashears", "adult content", "pornography", "malvertizing", "privacy invasion", "privilege escalation", "packed", "aig.com", "aig.rastreator.mx", "apple", "ios", "tracking", "monitoring", "nr-data.net", "asp.net" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" } ], "industries": [ "Defense", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 69, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5806, "URL": 16475, "domain": 3302, "hostname": 5135, "CVE": 16, "email": 8 }, "indicator_count": 31033, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654136c1ac991f85328604d2", "name": "Cyber Espionage", "description": "Cyber warfare. Extravagant attack that includes, phishing, monitoring, spyware, tracking, remote vehicle tracking, API calls after identification of anything computerized; car, phone, mobile phone, mail, ups, television. Apple private data services nr-data.net. This may be a Honeypot. Interesting. Attacker alleging to be a government contractor actively attacks and porn smears alleged SA victim assaulted by someone with his last name. Coincidence or Honeypot?\nTarget still at risk.\nTarget again is Tsara Brashears. \nSevere privacy invasion.\nShhhh....Active Silencing", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T17:17:52.382000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "tsara brashears", "adult content", "pornography", "malvertizing", "privacy invasion", "privilege escalation", "packed", "aig.com", "aig.rastreator.mx", "apple", "ios", "tracking", "monitoring", "nr-data.net", "asp.net" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" } ], "industries": [ "Defense", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 69, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5806, "URL": 16475, "domain": 3302, "hostname": 5135, "CVE": 16, "email": 8 }, "indicator_count": 31033, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654136b5eb9bdd21070ff9d7", "name": "Cyber Espionage", "description": "Cyber warfare. Extravagant attack that includes, phishing, monitoring, spyware, tracking, remote vehicle tracking, API calls after identification of anything computerized; car, phone, mobile phone, mail, ups, television. Apple private data services nr-data.net. This may be a Honeypot. Interesting. Attacker alleging to be a government contractor actively attacks and porn smears alleged SA victim assaulted by someone with his last name. Coincidence or Honeypot?\nTarget still at risk.\nTarget again is Tsara Brashears. \nSevere privacy invasion.\nShhhh....Active Silencing", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T17:17:41.263000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "tsara brashears", "adult content", "pornography", "malvertizing", "privacy invasion", "privilege escalation", "packed", "aig.com", "aig.rastreator.mx", "apple", "ios", "tracking", "monitoring", "nr-data.net", "asp.net" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" } ], "industries": [ "Defense", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 70, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5806, "URL": 16475, "domain": 3302, "hostname": 5135, "CVE": 16, "email": 8 }, "indicator_count": 31033, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f200c20e12f03f749c403", "name": "114.114.114.114 Tracking | Botnet | Malvertizing", "description": "", "modified": "2023-11-19T00:04:57.528000", "created": "2023-10-30T03:16:28.252000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "6533b20cf4ad384a0193c655", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "883 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://chocolate.cliapi.mergechocolate.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://chocolate.cliapi.mergechocolate.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776651083.3766098 }