{ "type": "URL", "indicator": "https://client.konnect.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://client.konnect.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3755006005, "indicator": "https://client.konnect.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 25, "pulses": [ { "id": "69e1f53e6b3e17deca1277b7", "name": "VirusTotal report\n for program.exe", "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]", "modified": "2026-04-18T04:12:56.823000", "created": "2026-04-17T08:54:22.034000", "tags": [ "executable", "msdos", "pe32 executable", "intel", "ms windows", "dos borland", "generic windos", "dos executable", "pe32 compiler", "borland delphi", "delphi", "file type", "json", "ascii", "ascii text", "drops pe", "pe file", "sample", "persistence", "malicious", "next", "network capture", "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap", "nothing", "registry keys", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "read registry", "apis nothing", "https", "urls", "creates", "pe32", "sigma", "window", "mailpassview", "default", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha256", "cname", "inprocserver32", "accept", "shutdown", "guard", "darkgate", "windows sandbox", "calls process", "systemroot", "commands", "created", "xcaxdb xcaxdb", "x82xec x82xec", "x83xc4 x83xc4", "xc1 x", "xffu xffu", "x8be x8be", "x81e x81e", "xc4 xc4", "x81i x81i", "xf3x86 xf3x86", "activator", "detail info", "tickcount", "processid", "threadid", "startaddress", "parameter", "offset", "socket", "text", "classname", "behaviour", "class", "shell", "find", "mitre attack", "network info", "processes extra", "program", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "title", "phishing", "cape sandbox", "t1055", "style", "courier", "ip address", "port", "gmt ifnonematch", "machine summary", "meta", "inter" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2", "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk", "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG", "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ", "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 686, "FileHash-MD5": 96, "FileHash-SHA1": 136, "IPv4": 98, "URL": 562, "hostname": 313, "domain": 105, "IPv6": 2, "email": 2, "YARA": 1 }, "indicator_count": 2001, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e1f52e424e1151ddd9c696", "name": "VirusTotal report\n for program.exe", "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]", "modified": "2026-04-18T04:12:55.719000", "created": "2026-04-17T08:54:06.864000", "tags": [ "executable", "msdos", "pe32 executable", "intel", "ms windows", "dos borland", "generic windos", "dos executable", "pe32 compiler", "borland delphi", "delphi", "file type", "json", "ascii", "ascii text", "drops pe", "pe file", "sample", "persistence", "malicious", "next", "network capture", "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap", "nothing", "registry keys", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "read registry", "apis nothing", "https", "urls", "creates", "pe32", "sigma", "window", "mailpassview", "default", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha256", "cname", "inprocserver32", "accept", "shutdown", "guard", "darkgate", "windows sandbox", "calls process", "systemroot", "commands", "created", "xcaxdb xcaxdb", "x82xec x82xec", "x83xc4 x83xc4", "xc1 x", "xffu xffu", "x8be x8be", "x81e x81e", "xc4 xc4", "x81i x81i", "xf3x86 xf3x86", "activator", "detail info", "tickcount", "processid", "threadid", "startaddress", "parameter", "offset", "socket", "text", "classname", "behaviour", "class", "shell", "find", "mitre attack", "network info", "processes extra", "program", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "title", "phishing", "cape sandbox", "t1055", "style", "courier", "ip address", "port", "gmt ifnonematch", "machine summary", "meta", "inter" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2", "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk", "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG", "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ", "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 714, "FileHash-MD5": 128, "FileHash-SHA1": 152, "IPv4": 98, "URL": 692, "hostname": 456, "domain": 121, "IPv6": 2, "email": 2, "YARA": 5 }, "indicator_count": 2370, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e1f540bec93625fc7c7466", "name": "VirusTotal report\n for program.exe", "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]", "modified": "2026-04-18T01:05:57.196000", "created": "2026-04-17T08:54:24.226000", "tags": [ "executable", "msdos", "pe32 executable", "intel", "ms windows", "dos borland", "generic windos", "dos executable", "pe32 compiler", "borland delphi", "delphi", "file type", "json", "ascii", "ascii text", "drops pe", "pe file", "sample", "persistence", "malicious", "next", "network capture", "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap", "nothing", "registry keys", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "read registry", "apis nothing", "https", "urls", "creates", "pe32", "sigma", "window", "mailpassview", "default", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha256", "cname", "inprocserver32", "accept", "shutdown", "guard", "darkgate", "windows sandbox", "calls process", "systemroot", "commands", "created", "xcaxdb xcaxdb", "x82xec x82xec", "x83xc4 x83xc4", "xc1 x", "xffu xffu", "x8be x8be", "x81e x81e", "xc4 xc4", "x81i x81i", "xf3x86 xf3x86", "activator", "detail info", "tickcount", "processid", "threadid", "startaddress", "parameter", "offset", "socket", "text", "classname", "behaviour", "class", "shell", "find", "mitre attack", "network info", "processes extra", "program", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "title", "phishing", "cape sandbox", "t1055", "style", "courier", "ip address", "port", "gmt ifnonematch", "machine summary", "meta", "inter" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2", "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk", "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG", "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ", "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 686, "FileHash-MD5": 96, "FileHash-SHA1": 136, "IPv4": 97, "URL": 561, "hostname": 316, "domain": 105, "IPv6": 2, "email": 2 }, "indicator_count": 2001, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e1e3701bff1800614838dc", "name": "wireshark", "description": "", "modified": "2026-04-18T01:04:50.751000", "created": "2026-04-17T07:38:24.668000", "tags": [ "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 707, "FileHash-MD5": 281, "FileHash-SHA1": 271, "IPv4": 357, "URL": 123, "domain": 69, "hostname": 608, "email": 1 }, "indicator_count": 2417, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e1f540aa36f336eb92ff53", "name": "VirusTotal report\n for program.exe", "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]", "modified": "2026-04-18T00:53:20.700000", "created": "2026-04-17T08:54:24.517000", "tags": [ "executable", "msdos", "pe32 executable", "intel", "ms windows", "dos borland", "generic windos", "dos executable", "pe32 compiler", "borland delphi", "delphi", "file type", "json", "ascii", "ascii text", "drops pe", "pe file", "sample", "persistence", "malicious", "next", "network capture", "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap", "nothing", "registry keys", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "read registry", "apis nothing", "https", "urls", "creates", "pe32", "sigma", "window", "mailpassview", "default", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha256", "cname", "inprocserver32", "accept", "shutdown", "guard", "darkgate", "windows sandbox", "calls process", "systemroot", "commands", "created", "xcaxdb xcaxdb", "x82xec x82xec", "x83xc4 x83xc4", "xc1 x", "xffu xffu", "x8be x8be", "x81e x81e", "xc4 xc4", "x81i x81i", "xf3x86 xf3x86", "activator", "detail info", "tickcount", "processid", "threadid", "startaddress", "parameter", "offset", "socket", "text", "classname", "behaviour", "class", "shell", "find", "mitre attack", "network info", "processes extra", "program", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "title", "phishing", "cape sandbox", "t1055", "style", "courier", "ip address", "port", "gmt ifnonematch", "machine summary", "meta", "inter" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2", "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk", "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG", "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ", "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 860, "FileHash-MD5": 180, "FileHash-SHA1": 224, "IPv4": 97, "URL": 639, "hostname": 362, "domain": 107, "IPv6": 2, "email": 2 }, "indicator_count": 2473, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ded8198b25581a09b90824", "name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration", "description": "", "modified": "2026-04-15T00:13:13.981000", "created": "2026-04-15T00:13:13.981000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69db05f833d3d6d2231fb201", "name": "CREDIT: Q.Vashti's research: SearchSuite \u2022 Healthcare Administration CREATED 6 HOURS AGO by Q.Vashti", "description": "", "modified": "2026-04-12T02:39:52.993000", "created": "2026-04-12T02:39:52.993000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dab27a0493e0e80a0f35cd", "name": "SearchSuite \u2022 Healthcare Administration", "description": "Embedded in communication between a healthcare system and a client. \n\nThis is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads , call failures.", "modified": "2026-04-11T20:43:38.695000", "created": "2026-04-11T20:43:38.695000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1f8041acb7d71607578f3", "name": "CAPE Sandbox", "description": "<>", "modified": "2026-04-05T06:02:06.057000", "created": "2026-04-05T05:49:56.708000", "tags": [ "verisign", "verisign class", "display driver", "verisign trust", "network o", "pulses", "code signing", "mon feb", "public primary", "digital id", "class", "win32 exe", "pe32", "ms windows", "icons library", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "status", "issuer verisign", "ca valid", "from", "valid", "valid usage", "algorithm", "thumbprint", "ca status", "g5 valid", "verisign status", "valid issuer", "client auth", "hash", "cf b8", "b7 b4", "a8 f0", "ab c5", "bb f6", "f7 a3", "name verisign", "g5 issuer", "microsoft code", "valid from", "thumbprint md5", "serial number", "ec f2", "init", "copyright", "product monitor", "original name", "file version", "word document", "file v2", "document", "outlook", "settings", "generic ole2", "multistream", "compound", "time stamping", "signer", "g4 issuer", "symantec time", "stamping", "g2 valid", "open xml", "zip archive", "word microsoft", "office open", "xml format", "open packaging", "cf f4", "c8 fe", "digicert sha2", "assured id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 54, "FileHash-SHA256": 1900, "URL": 684, "IPv4": 135, "hostname": 657, "domain": 387 }, "indicator_count": 3888, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1f8066431fee3647fa5ff", "name": "CAPE Sandbox", "description": "<>", "modified": "2026-04-05T05:53:01.644000", "created": "2026-04-05T05:49:58.156000", "tags": [ "verisign", "verisign class", "display driver", "verisign trust", "network o", "pulses", "code signing", "mon feb", "public primary", "digital id", "class", "win32 exe", "pe32", "ms windows", "icons library", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "status", "issuer verisign", "ca valid", "from", "valid", "valid usage", "algorithm", "thumbprint", "ca status", "g5 valid", "verisign status", "valid issuer", "client auth", "hash", "cf b8", "b7 b4", "a8 f0", "ab c5", "bb f6", "f7 a3", "name verisign", "g5 issuer", "microsoft code", "valid from", "thumbprint md5", "serial number", "ec f2", "init", "copyright", "product monitor", "original name", "file version", "word document", "file v2", "document", "outlook", "settings", "generic ole2", "multistream", "compound", "time stamping", "signer", "g4 issuer", "symantec time", "stamping", "g2 valid", "open xml", "zip archive", "word microsoft", "office open", "xml format", "open packaging", "cf f4", "c8 fe", "digicert sha2", "assured id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 54, "FileHash-SHA256": 1900, "URL": 684, "IPv4": 135, "hostname": 657, "domain": 387, "CVE": 6 }, "indicator_count": 3894, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b92a27c47d4e28927364", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:24:26.110000", "created": "2026-03-12T13:01:30.067000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 51, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b9295603a6100edfa8c8", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:24:25.387000", "created": "2026-03-12T13:01:29.284000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b927aa7f10e82639d204", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:27.872000", "created": "2026-03-12T13:01:27.872000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b927c086397130c5d114", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:27.275000", "created": "2026-03-12T13:01:27.275000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b926871746ed8a1bc324", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:26.440000", "created": "2026-03-12T13:01:26.440000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b925e85c948d4dd608cc", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:25.852000", "created": "2026-03-12T13:01:25.852000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8e974189d2c41f07ed8", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:25.910000", "created": "2026-03-12T13:00:25.910000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8e74d2b3effd55f88c3", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:23.173000", "created": "2026-03-12T13:00:23.173000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8dfbf8426a7a1d0146d", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:15.427000", "created": "2026-03-12T13:00:15.427000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8d7123610591625b8fb", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:07.354000", "created": "2026-03-12T13:00:07.354000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8d61e3f64a8f1f169b6", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:06.214000", "created": "2026-03-12T13:00:06.214000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8d24eeb4200bdb1d702", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:02.096000", "created": "2026-03-12T13:00:02.096000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687992eceac6f12e9cebd65f", "name": "Operation Endgame | ThreatIntelligence | Pegasus | Mirai | Berbew | Emotet", "description": "Operation Endgame - Mass spying on civilians suspected of involvement in illegal activity. This spying can last for years. Law enforcement and intelligence agencies use infrastructures from Google, Bing, Apple, Amazon, Coudflare, Microsoft, among other companies. Traffic can be masked in DNS and encrypted connections to go undetected. It is recommended to abandon closed-source services and software and opt for fully open-source software and install a powerful firewall. The use of a secure VPN is recommended. \nThere may be repeated indicators and some false positives due to the nature of the threats. We are working to eliminate duplicate entries and false positives. Check the comment box for important notifications. Follow our Telegram channel: @PrivacyNotACrime", "modified": "2025-12-28T19:04:27.449000", "created": "2025-07-18T00:18:50.968000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": null, "export_count": 375, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 121, "modified_text": "112 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655b9a90e44a70d0fbbde981", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "Domain stated ' SEIZED' by Departing Homeland Security\nSeizure links below seem a bit questionable: \n\nhttp://server3.elgenero.com/iprc_seized_banner.png\nhttp://kickass.to/IPRC_Seized_2016_kat.jpg\nhttp://kickass.to/the-adventures-of-tom-sawyer-t2068537.html\t\nhttp://bludv.tv/iprc_seized_banner.png\nhttp://z-lib.org/iprc_seized_banner.png\nIPRC_Seized_2016_kat.jpg\n... just banners? Moved and continue? Okay.\nListed below also listed in seized domain. Domains,URL's and Botnetwork Hosts still seem to exist.\nhttp://alohatube.xyz/search/tsara-brashears\nalohatube.xyz\nhttps://alohatube.xyz/search/tsara-brashears\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttp://45.159.189.105/bot/regex\t\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbia\t\nnr-data.net", "modified": "2023-12-20T17:01:34.161000", "created": "2023-11-20T17:42:40.771000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a9c2eeebaf7b69d0e12ba", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "", "modified": "2023-12-20T17:01:34.161000", "created": "2023-12-02T02:53:34.585000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655b9a90e44a70d0fbbde981", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "account-apple.com", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic", "BearShare Install File Version 12.0.0.135802", "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ", "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "http://console.applemarketingtools.com/", "http://cab.applemarketingtools.com", "Yara Detections: Tofsee", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz", "Musiclab, LLC", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "africa.konnect.com", "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "xn--cloud-4sa.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "b9e4e47c3f96846c30581c08acf5bc56.virus", "euw-serp-dev-testing19.duck.ai", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "ids-apple.com \u2022 itunes.org", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others" ], "malware_families": [ "Pegasus rdp module for windows", "Win.trojan.tofsee-7102058-0", "Paragon (pegasus variant)", "Xloader for ios - s0490", "Backdoor:linux/mirai", "Trojan:js/berbew", "Webtoolbar", "Backdoor:win32/tofsee.t", "Trojandownloader:linux/mirai", "Exploit:win32/cve-2017-0147", "Pegasus for android - mob-s0032", "Alf:backdoor:powershell/reverseshell", "Skynet", "Alf:backdoor:java/webshell", "Alf:html/phishing", "#lowfi:siga:trojandownloader:msil/genmaldow", "#lowfi:hstr:win32/mediadownloader", "Cve-2023-22518", "Win32/searchsuite", "#lowfitrojan:html/iframe", "Win32.application.bearshare.a", "Starfighter (javascript)", "Graphite (pegasus variant)", "Html smuggling", "Trojanspy", "Trojandownloader:win32/cutwail", "#lowfi:exploit:java/cve-2012-0507", "Careto", "Pegasus for ios - s0289", "Mirai (windows)", "Pegasus for mac", "Generic", "Zeroaccess - s0027", "#hstr:hacktool:win32/remoteshell", "Win.packed.bandook-9882274-1" ], "industries": [ "Civil", "Government", "Healthcare", "People", "Technology", "Civilians" ], "unique_indicators": 317291 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/konnect.com", "whois": "http://whois.domaintools.com/konnect.com", "domain": "konnect.com", "hostname": "client.konnect.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 25, "pulses": [ { "id": "69e1f53e6b3e17deca1277b7", "name": "VirusTotal report\n for program.exe", "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]", "modified": "2026-04-18T04:12:56.823000", "created": "2026-04-17T08:54:22.034000", "tags": [ "executable", "msdos", "pe32 executable", "intel", "ms windows", "dos borland", "generic windos", "dos executable", "pe32 compiler", "borland delphi", "delphi", "file type", "json", "ascii", "ascii text", "drops pe", "pe file", "sample", "persistence", "malicious", "next", "network capture", "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap", "nothing", "registry keys", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "read registry", "apis nothing", "https", "urls", "creates", "pe32", "sigma", "window", "mailpassview", "default", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha256", "cname", "inprocserver32", "accept", "shutdown", "guard", "darkgate", "windows sandbox", "calls process", "systemroot", "commands", "created", "xcaxdb xcaxdb", "x82xec x82xec", "x83xc4 x83xc4", "xc1 x", "xffu xffu", "x8be x8be", "x81e x81e", "xc4 xc4", "x81i x81i", "xf3x86 xf3x86", "activator", "detail info", "tickcount", "processid", "threadid", "startaddress", "parameter", "offset", "socket", "text", "classname", "behaviour", "class", "shell", "find", "mitre attack", "network info", "processes extra", "program", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "title", "phishing", "cape sandbox", "t1055", "style", "courier", "ip address", "port", "gmt ifnonematch", "machine summary", "meta", "inter" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2", "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk", "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG", "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ", "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 686, "FileHash-MD5": 96, "FileHash-SHA1": 136, "IPv4": 98, "URL": 562, "hostname": 313, "domain": 105, "IPv6": 2, "email": 2, "YARA": 1 }, "indicator_count": 2001, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e1f52e424e1151ddd9c696", "name": "VirusTotal report\n for program.exe", "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]", "modified": "2026-04-18T04:12:55.719000", "created": "2026-04-17T08:54:06.864000", "tags": [ "executable", "msdos", "pe32 executable", "intel", "ms windows", "dos borland", "generic windos", "dos executable", "pe32 compiler", "borland delphi", "delphi", "file type", "json", "ascii", "ascii text", "drops pe", "pe file", "sample", "persistence", "malicious", "next", "network capture", "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap", "nothing", "registry keys", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "read registry", "apis nothing", "https", "urls", "creates", "pe32", "sigma", "window", "mailpassview", "default", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha256", "cname", "inprocserver32", "accept", "shutdown", "guard", "darkgate", "windows sandbox", "calls process", "systemroot", "commands", "created", "xcaxdb xcaxdb", "x82xec x82xec", "x83xc4 x83xc4", "xc1 x", "xffu xffu", "x8be x8be", "x81e x81e", "xc4 xc4", "x81i x81i", "xf3x86 xf3x86", "activator", "detail info", "tickcount", "processid", "threadid", "startaddress", "parameter", "offset", "socket", "text", "classname", "behaviour", "class", "shell", "find", "mitre attack", "network info", "processes extra", "program", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "title", "phishing", "cape sandbox", "t1055", "style", "courier", "ip address", "port", "gmt ifnonematch", "machine summary", "meta", "inter" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2", "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk", "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG", "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ", "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 714, "FileHash-MD5": 128, "FileHash-SHA1": 152, "IPv4": 98, "URL": 692, "hostname": 456, "domain": 121, "IPv6": 2, "email": 2, "YARA": 5 }, "indicator_count": 2370, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e1f540bec93625fc7c7466", "name": "VirusTotal report\n for program.exe", "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]", "modified": "2026-04-18T01:05:57.196000", "created": "2026-04-17T08:54:24.226000", "tags": [ "executable", "msdos", "pe32 executable", "intel", "ms windows", "dos borland", "generic windos", "dos executable", "pe32 compiler", "borland delphi", "delphi", "file type", "json", "ascii", "ascii text", "drops pe", "pe file", "sample", "persistence", "malicious", "next", "network capture", "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap", "nothing", "registry keys", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "read registry", "apis nothing", "https", "urls", "creates", "pe32", "sigma", "window", "mailpassview", "default", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha256", "cname", "inprocserver32", "accept", "shutdown", "guard", "darkgate", "windows sandbox", "calls process", "systemroot", "commands", "created", "xcaxdb xcaxdb", "x82xec x82xec", "x83xc4 x83xc4", "xc1 x", "xffu xffu", "x8be x8be", "x81e x81e", "xc4 xc4", "x81i x81i", "xf3x86 xf3x86", "activator", "detail info", "tickcount", "processid", "threadid", "startaddress", "parameter", "offset", "socket", "text", "classname", "behaviour", "class", "shell", "find", "mitre attack", "network info", "processes extra", "program", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "title", "phishing", "cape sandbox", "t1055", "style", "courier", "ip address", "port", "gmt ifnonematch", "machine summary", "meta", "inter" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2", "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk", "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG", "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ", "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 686, "FileHash-MD5": 96, "FileHash-SHA1": 136, "IPv4": 97, "URL": 561, "hostname": 316, "domain": 105, "IPv6": 2, "email": 2 }, "indicator_count": 2001, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e1e3701bff1800614838dc", "name": "wireshark", "description": "", "modified": "2026-04-18T01:04:50.751000", "created": "2026-04-17T07:38:24.668000", "tags": [ "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 707, "FileHash-MD5": 281, "FileHash-SHA1": 271, "IPv4": 357, "URL": 123, "domain": 69, "hostname": 608, "email": 1 }, "indicator_count": 2417, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e1f540aa36f336eb92ff53", "name": "VirusTotal report\n for program.exe", "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]", "modified": "2026-04-18T00:53:20.700000", "created": "2026-04-17T08:54:24.517000", "tags": [ "executable", "msdos", "pe32 executable", "intel", "ms windows", "dos borland", "generic windos", "dos executable", "pe32 compiler", "borland delphi", "delphi", "file type", "json", "ascii", "ascii text", "drops pe", "pe file", "sample", "persistence", "malicious", "next", "network capture", "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap", "nothing", "registry keys", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "read registry", "apis nothing", "https", "urls", "creates", "pe32", "sigma", "window", "mailpassview", "default", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha256", "cname", "inprocserver32", "accept", "shutdown", "guard", "darkgate", "windows sandbox", "calls process", "systemroot", "commands", "created", "xcaxdb xcaxdb", "x82xec x82xec", "x83xc4 x83xc4", "xc1 x", "xffu xffu", "x8be x8be", "x81e x81e", "xc4 xc4", "x81i x81i", "xf3x86 xf3x86", "activator", "detail info", "tickcount", "processid", "threadid", "startaddress", "parameter", "offset", "socket", "text", "classname", "behaviour", "class", "shell", "find", "mitre attack", "network info", "processes extra", "program", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "title", "phishing", "cape sandbox", "t1055", "style", "courier", "ip address", "port", "gmt ifnonematch", "machine summary", "meta", "inter" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2", "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk", "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG", "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ", "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 860, "FileHash-MD5": 180, "FileHash-SHA1": 224, "IPv4": 97, "URL": 639, "hostname": 362, "domain": 107, "IPv6": 2, "email": 2 }, "indicator_count": 2473, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ded8198b25581a09b90824", "name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration", "description": "", "modified": "2026-04-15T00:13:13.981000", "created": "2026-04-15T00:13:13.981000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69db05f833d3d6d2231fb201", "name": "CREDIT: Q.Vashti's research: SearchSuite \u2022 Healthcare Administration CREATED 6 HOURS AGO by Q.Vashti", "description": "", "modified": "2026-04-12T02:39:52.993000", "created": "2026-04-12T02:39:52.993000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dab27a0493e0e80a0f35cd", "name": "SearchSuite \u2022 Healthcare Administration", "description": "Embedded in communication between a healthcare system and a client. \n\nThis is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads , call failures.", "modified": "2026-04-11T20:43:38.695000", "created": "2026-04-11T20:43:38.695000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1f8041acb7d71607578f3", "name": "CAPE Sandbox", "description": "<>", "modified": "2026-04-05T06:02:06.057000", "created": "2026-04-05T05:49:56.708000", "tags": [ "verisign", "verisign class", "display driver", "verisign trust", "network o", "pulses", "code signing", "mon feb", "public primary", "digital id", "class", "win32 exe", "pe32", "ms windows", "icons library", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "status", "issuer verisign", "ca valid", "from", "valid", "valid usage", "algorithm", "thumbprint", "ca status", "g5 valid", "verisign status", "valid issuer", "client auth", "hash", "cf b8", "b7 b4", "a8 f0", "ab c5", "bb f6", "f7 a3", "name verisign", "g5 issuer", "microsoft code", "valid from", "thumbprint md5", "serial number", "ec f2", "init", "copyright", "product monitor", "original name", "file version", "word document", "file v2", "document", "outlook", "settings", "generic ole2", "multistream", "compound", "time stamping", "signer", "g4 issuer", "symantec time", "stamping", "g2 valid", "open xml", "zip archive", "word microsoft", "office open", "xml format", "open packaging", "cf f4", "c8 fe", "digicert sha2", "assured id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 54, "FileHash-SHA256": 1900, "URL": 684, "IPv4": 135, "hostname": 657, "domain": 387 }, "indicator_count": 3888, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1f8066431fee3647fa5ff", "name": "CAPE Sandbox", "description": "<>", "modified": "2026-04-05T05:53:01.644000", "created": "2026-04-05T05:49:58.156000", "tags": [ "verisign", "verisign class", "display driver", "verisign trust", "network o", "pulses", "code signing", "mon feb", "public primary", "digital id", "class", "win32 exe", "pe32", "ms windows", "icons library", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "status", "issuer verisign", "ca valid", "from", "valid", "valid usage", "algorithm", "thumbprint", "ca status", "g5 valid", "verisign status", "valid issuer", "client auth", "hash", "cf b8", "b7 b4", "a8 f0", "ab c5", "bb f6", "f7 a3", "name verisign", "g5 issuer", "microsoft code", "valid from", "thumbprint md5", "serial number", "ec f2", "init", "copyright", "product monitor", "original name", "file version", "word document", "file v2", "document", "outlook", "settings", "generic ole2", "multistream", "compound", "time stamping", "signer", "g4 issuer", "symantec time", "stamping", "g2 valid", "open xml", "zip archive", "word microsoft", "office open", "xml format", "open packaging", "cf f4", "c8 fe", "digicert sha2", "assured id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 54, "FileHash-SHA256": 1900, "URL": 684, "IPv4": 135, "hostname": 657, "domain": 387, "CVE": 6 }, "indicator_count": 3894, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://client.konnect.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://client.konnect.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776630004.9753385 }