{ "type": "URL", "indicator": "https://codewiki.google/search", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://codewiki.google/search", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4173784804, "indicator": "https://codewiki.google/search", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6964c08bf79bcb252eaa9e15", "name": "TrojanSpy - Spotify account under an attack which conceals artists releases / deletes followers", "description": "Spotify Attacks: TrojanSpy - Streamer Spotify account under an attack which conceals artists releases / deletes followers. The attack is adversarial. I\u2019m unclear how widespread it is. . Further research required. OTX auto generated Pegasus. Released work that was once viewable is now concealed, followers deleted.\n#cloudfront #spyware #delete_service #cloudfront_attacks", "modified": "2026-02-11T09:03:20.933000", "created": "2026-01-12T09:36:11.701000", "tags": [ "google", "fastly", "googlecl", "january", "http", "domain", "akamaias", "cloudflar", "page url", "de summary", "april", "reverse dns", "url https", "general full", "software", "united", "resource hash", "protocol h3", "security quic", "protocol h2", "security tls", "main", "present jan", "title", "gmt max", "certificate", "moved", "lowfi", "gmt content", "meta", "present dec", "status", "aaaa", "passive dns", "urls", "search", "expiration date", "win32", "files", "verdict", "files ip", "address", "mtb jan", "trojandropper", "backdoor", "win32upatre jan", "origin trial", "gmt cache", "443 ma2592000", "possible", "worm", "trojan", "ip address", "record value", "dark", "found", "ipv4 add", "error", "trojanspy", "emails", "servers", "pegasus", "america flag", "america asn", "tlsv1", "read c", "show", "medium", "lstockholm", "ospotify ab", "odigicert inc", "execution", "next", "dock", "write", "persistence", "dynamicloader", "yara rule", "ms windows", "pe32", "named pipe", "smartassembly", "delphi", "malware", "united states", "pe file", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "high", "write c", "tls sni", "tls handshake", "delete", "as15169", "stun binding", "request", "port", "win64", "themida", "guard", "risepro", "sha256", "sha1", "pattern match", "ascii text", "size", "mitre att", "ck id", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "learn", "command", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "directui", "element", "hwndhost", "classinfobase", "hwndelement", "value", "explorer", "insert", "movie", "hacktool", "showing", "entries http", "scans show", "california", "location united", "next associated", "pulse pulses", "name servers", "found request", "unique", "url add", "related nids", "files location", "expiration", "flag united", "present nov", "present sep", "href", "suricata stream", "command decode", "starfield", "encrypt", "iframe", "date", "title error", "hostname", "pulse submit", "memcommit", "checks", "windows", "capture", "cloudfront", "colorado", "creation date", "hostname add", "eset", "binary file", "pdb path", "internalname", "nod32", "amon" ], "references": [ "open.spotify.com \u2022", "https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2", "https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2", "FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com", "https://target.tccwest.www.littleswimmers.fr/", "www.onyx-ware.com \u2022 endgamesystems.com", "cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "TrojanSpy:MSIL/Yakbeex.A", "display_name": "TrojanSpy:MSIL/Yakbeex.A", "target": "/malware/TrojanSpy:MSIL/Yakbeex.A" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32:HacktoolX-gen\\ [Trj]", "display_name": "Win32:HacktoolX-gen\\ [Trj]", "target": null }, { "id": "nUFS_unicode", "display_name": "nUFS_unicode", "target": null }, { "id": "HackTool:Win32/CobaltStrike.A", "display_name": "HackTool:Win32/CobaltStrike.A", "target": "/malware/HackTool:Win32/CobaltStrike.A" }, { "id": "Win.Dropper.PoisonIvy-9876745-0", "display_name": "Win.Dropper.PoisonIvy-9876745-0", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" } ], "industries": [ "Entertainment", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1293, "URL": 3389, "FileHash-MD5": 635, "FileHash-SHA1": 531, "FileHash-SHA256": 2345, "domain": 501, "email": 12, "SSLCertFingerprint": 16 }, "indicator_count": 8722, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69642a749490c0bf404aa8ac", "name": "Google Services - Malware Packed Google Branded Services", "description": "Contacted Google services | Service (1 of 3) || GoogleChromeElevationService | Mofksys \u2022 Unruy | Relationship: https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b | \n#affilliated #worm _#exploit #alternate_google #infection #spyware", "modified": "2026-02-10T22:01:54.041000", "created": "2026-01-11T22:55:48.308000", "tags": [ "write c", "write", "delete c", "ms windows", "pe32 executable", "globalc", "united", "worm", "malware", "defender", "united states", "google", "google account", "mtb ids", "cloudflare dns", "https domain", "tls sni", "medium priority", "yara detections", "alerts", "google play", "google api", "google chrome", "mofksys", "exploit", "process32nextw", "msie", "windows nt", "wow64", "slcc2", "media center", "search", "precreate read", "read c", "dock", "unknown", "suspicious", "alt google", "execution att", "lowfi", "mtb jan", "trojandropper", "passive dns", "backdoor", "win32upatre jan", "origin trial", "gmt cache", "443 ma2592000", "possible", "trojan", "title", "mtb dec", "ipv4 add", "state", "trojan", "dropper", "phishing", "ransom", "of colorado" ], "references": [ "accounts.google.com \u2022 apis.google.com clients2.google.com \u2022 clients2.googleusercontent.com", "142.251.9.95 \u2022 https://clients2.google.com/cr/report \u2022 accounts.google.com \u2022", "ogads-pa.clients6.google.com \u2022 optimizationguide-pa.googleapis.com \u2022 play.google.com", "update.googleapis.com \u2022 www.google.com \u2022 clientservices.googleapis.com", "Worm:Win32/Mofksys.RND!MTB | Yara Detections: SUSP_Imphash_Mar23_2", "IDS Detection: Observed Cloudflare DNS over HTTPS \u2022 Domain (cloudflare-dns .com in TLS SNI)", "Alerts: suspicious_iocontrol_codes infostealer_cookies persistence_autorun antisandbox_sleep", "Alerts: persistence_autorun_tasks polymorphic procmem_yara static_pe_anomaly antiav_detectfile", "Alerts: antiav_detectreg antivm_bochs_keys antivm_generic_disk infostealer_mail injection_write", "Alerts: suspicious_command_tools anomalous_deletefile mouse_movement_detect", "Alerts: dynamic_function_loading resumethread_remote_process stealth_hiddenreg", "Contacted Google services", "SERVICE NAME: SSDPSRV \u2022 Delete upnphost\tDelete \u2022 GoogleChromeElevationService", "https://otx.alienvault.com/indicator/file/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "codewiki.google", "Win.Malware.Unruy-6912804-0 IDS Detections: Win32/Unruy.C Activity 403 Forbidden", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction", "Alerts: network_http antisandbox_sleep creates_exe dropper stealth_window", "Alerts: injection_process_search protection_rx", "IP\u2019s Contacted: 142.250.74.68 142.250.74.99 18.66.121.69 185.53.179.170 2.22.41.134 204.79.197.200", "IP\u2019s Contacted: 208.91.196.46 209.197.3.8 216.239.32.29 35.186.238.101", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com www.google.com", "Domains Contacted: ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com", "Domains Contacted: d38psrni17bvxu.cloudfront.net www2.megawebfind.com www6.megawebfind.com", "PE Version Information : TJprojMain.exe", "Found in : https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b", "IDS Detections Win32/Unruy.C Activity \u2022 403 Forbidden" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Unruy-6912804-0", "display_name": "Win.Malware.Unruy-6912804-0", "target": null }, { "id": "Win.Packed.Eyestye-9754938-0", "display_name": "Win.Packed.Eyestye-9754938-0", "target": null }, { "id": "Eyestye", "display_name": "Eyestye", "target": null }, { "id": "AutoRun", "display_name": "AutoRun", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "ALF:HeraklezEval:PUA:Win32/4Shared", "display_name": "ALF:HeraklezEval:PUA:Win32/4Shared", "target": null }, { "id": "Cassini", "display_name": "Cassini", "target": null }, { "id": "DarkMoon", "display_name": "DarkMoon", "target": null }, { "id": "PolyRansom", "display_name": "PolyRansom", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1078.003", "name": "Local Accounts", "display_name": "T1078.003 - Local Accounts" }, { "id": "T1078.001", "name": "Default Accounts", "display_name": "T1078.001 - Default Accounts" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1090.004", "name": "Domain Fronting", "display_name": "T1090.004 - Domain Fronting" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 198, "FileHash-SHA1": 165, "FileHash-SHA256": 867, "URL": 1461, "hostname": 429, "domain": 221, "SSLCertFingerprint": 1 }, "indicator_count": 3342, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Alerts: suspicious_iocontrol_codes infostealer_cookies persistence_autorun antisandbox_sleep", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com www.google.com", "open.spotify.com \u2022", "FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "Domains Contacted: d38psrni17bvxu.cloudfront.net www2.megawebfind.com www6.megawebfind.com", "Win.Malware.Unruy-6912804-0 IDS Detections: Win32/Unruy.C Activity 403 Forbidden", "IP\u2019s Contacted: 208.91.196.46 209.197.3.8 216.239.32.29 35.186.238.101", "SERVICE NAME: SSDPSRV \u2022 Delete upnphost\tDelete \u2022 GoogleChromeElevationService", "https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2", "Alerts: dynamic_function_loading resumethread_remote_process stealth_hiddenreg", "codewiki.google", "IDS Detections Win32/Unruy.C Activity \u2022 403 Forbidden", "Alerts: network_http antisandbox_sleep creates_exe dropper stealth_window", "IDS Detection: Observed Cloudflare DNS over HTTPS \u2022 Domain (cloudflare-dns .com in TLS SNI)", "Alerts: persistence_autorun_tasks polymorphic procmem_yara static_pe_anomaly antiav_detectfile", "https://target.tccwest.www.littleswimmers.fr/", "ogads-pa.clients6.google.com \u2022 optimizationguide-pa.googleapis.com \u2022 play.google.com", "https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2", "accounts.google.com \u2022 apis.google.com clients2.google.com \u2022 clients2.googleusercontent.com", "Alerts: injection_process_search protection_rx", "Domains Contacted: ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com", "IP\u2019s Contacted: 142.250.74.68 142.250.74.99 18.66.121.69 185.53.179.170 2.22.41.134 204.79.197.200", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction", "142.251.9.95 \u2022 https://clients2.google.com/cr/report \u2022 accounts.google.com \u2022", "events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com", "Alerts: antiav_detectreg antivm_bochs_keys antivm_generic_disk infostealer_mail injection_write", "https://otx.alienvault.com/indicator/file/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "PE Version Information : TJprojMain.exe", "Found in : https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b", "Alerts: suspicious_command_tools anomalous_deletefile mouse_movement_detect", "update.googleapis.com \u2022 www.google.com \u2022 clientservices.googleapis.com", "Contacted Google services", "cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "Worm:Win32/Mofksys.RND!MTB | Yara Detections: SUSP_Imphash_Mar23_2", "www.onyx-ware.com \u2022 endgamesystems.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.packed.eyestye-9754938-0", "Trojan:win32/eyestye.t", "Win.packed.stealerc-10017074-0", "Win.dropper.poisonivy-9876745-0", "Trojanspy:msil/yakbeex.a", "Trojan:win32/zombie.a", "Trojanspy", "Darkmoon", "Malware packed", "Worm:win32/mofksys.rnd!mtb", "Cassini", "Upatre", "Win32:hacktoolx-gen\\ [trj]", "Win.packed.generic-9967832-0", "Pegasus", "Autorun", "Nufs_unicode", "Hacktool:win32/cobaltstrike.a", "#lowfi:win32/autoit", "Eyestye", "Alf:heraklezeval:pua:win32/4shared", "Polyransom", "Win.malware.unruy-6912804-0", "Win.trojan.barys-10005825-0", "Tofsee" ], "industries": [ "Entertainment", "Technology" ], "unique_indicators": 11068 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/codewiki.google", "whois": "http://whois.domaintools.com/codewiki.google", "domain": "codewiki.google", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6964c08bf79bcb252eaa9e15", "name": "TrojanSpy - Spotify account under an attack which conceals artists releases / deletes followers", "description": "Spotify Attacks: TrojanSpy - Streamer Spotify account under an attack which conceals artists releases / deletes followers. The attack is adversarial. I\u2019m unclear how widespread it is. . Further research required. OTX auto generated Pegasus. Released work that was once viewable is now concealed, followers deleted.\n#cloudfront #spyware #delete_service #cloudfront_attacks", "modified": "2026-02-11T09:03:20.933000", "created": "2026-01-12T09:36:11.701000", "tags": [ "google", "fastly", "googlecl", "january", "http", "domain", "akamaias", "cloudflar", "page url", "de summary", "april", "reverse dns", "url https", "general full", "software", "united", "resource hash", "protocol h3", "security quic", "protocol h2", "security tls", "main", "present jan", "title", "gmt max", "certificate", "moved", "lowfi", "gmt content", "meta", "present dec", "status", "aaaa", "passive dns", "urls", "search", "expiration date", "win32", "files", "verdict", "files ip", "address", "mtb jan", "trojandropper", "backdoor", "win32upatre jan", "origin trial", "gmt cache", "443 ma2592000", "possible", "worm", "trojan", "ip address", "record value", "dark", "found", "ipv4 add", "error", "trojanspy", "emails", "servers", "pegasus", "america flag", "america asn", "tlsv1", "read c", "show", "medium", "lstockholm", "ospotify ab", "odigicert inc", "execution", "next", "dock", "write", "persistence", "dynamicloader", "yara rule", "ms windows", "pe32", "named pipe", "smartassembly", "delphi", "malware", "united states", "pe file", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "high", "write c", "tls sni", "tls handshake", "delete", "as15169", "stun binding", "request", "port", "win64", "themida", "guard", "risepro", "sha256", "sha1", "pattern match", "ascii text", "size", "mitre att", "ck id", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "learn", "command", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "directui", "element", "hwndhost", "classinfobase", "hwndelement", "value", "explorer", "insert", "movie", "hacktool", "showing", "entries http", "scans show", "california", "location united", "next associated", "pulse pulses", "name servers", "found request", "unique", "url add", "related nids", "files location", "expiration", "flag united", "present nov", "present sep", "href", "suricata stream", "command decode", "starfield", "encrypt", "iframe", "date", "title error", "hostname", "pulse submit", "memcommit", "checks", "windows", "capture", "cloudfront", "colorado", "creation date", "hostname add", "eset", "binary file", "pdb path", "internalname", "nod32", "amon" ], "references": [ "open.spotify.com \u2022", "https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2", "https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2", "FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com", "https://target.tccwest.www.littleswimmers.fr/", "www.onyx-ware.com \u2022 endgamesystems.com", "cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "TrojanSpy:MSIL/Yakbeex.A", "display_name": "TrojanSpy:MSIL/Yakbeex.A", "target": "/malware/TrojanSpy:MSIL/Yakbeex.A" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32:HacktoolX-gen\\ [Trj]", "display_name": "Win32:HacktoolX-gen\\ [Trj]", "target": null }, { "id": "nUFS_unicode", "display_name": "nUFS_unicode", "target": null }, { "id": "HackTool:Win32/CobaltStrike.A", "display_name": "HackTool:Win32/CobaltStrike.A", "target": "/malware/HackTool:Win32/CobaltStrike.A" }, { "id": "Win.Dropper.PoisonIvy-9876745-0", "display_name": "Win.Dropper.PoisonIvy-9876745-0", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" } ], "industries": [ "Entertainment", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1293, "URL": 3389, "FileHash-MD5": 635, "FileHash-SHA1": 531, "FileHash-SHA256": 2345, "domain": 501, "email": 12, "SSLCertFingerprint": 16 }, "indicator_count": 8722, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69642a749490c0bf404aa8ac", "name": "Google Services - Malware Packed Google Branded Services", "description": "Contacted Google services | Service (1 of 3) || GoogleChromeElevationService | Mofksys \u2022 Unruy | Relationship: https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b | \n#affilliated #worm _#exploit #alternate_google #infection #spyware", "modified": "2026-02-10T22:01:54.041000", "created": "2026-01-11T22:55:48.308000", "tags": [ "write c", "write", "delete c", "ms windows", "pe32 executable", "globalc", "united", "worm", "malware", "defender", "united states", "google", "google account", "mtb ids", "cloudflare dns", "https domain", "tls sni", "medium priority", "yara detections", "alerts", "google play", "google api", "google chrome", "mofksys", "exploit", "process32nextw", "msie", "windows nt", "wow64", "slcc2", "media center", "search", "precreate read", "read c", "dock", "unknown", "suspicious", "alt google", "execution att", "lowfi", "mtb jan", "trojandropper", "passive dns", "backdoor", "win32upatre jan", "origin trial", "gmt cache", "443 ma2592000", "possible", "trojan", "title", "mtb dec", "ipv4 add", "state", "trojan", "dropper", "phishing", "ransom", "of colorado" ], "references": [ "accounts.google.com \u2022 apis.google.com clients2.google.com \u2022 clients2.googleusercontent.com", "142.251.9.95 \u2022 https://clients2.google.com/cr/report \u2022 accounts.google.com \u2022", "ogads-pa.clients6.google.com \u2022 optimizationguide-pa.googleapis.com \u2022 play.google.com", "update.googleapis.com \u2022 www.google.com \u2022 clientservices.googleapis.com", "Worm:Win32/Mofksys.RND!MTB | Yara Detections: SUSP_Imphash_Mar23_2", "IDS Detection: Observed Cloudflare DNS over HTTPS \u2022 Domain (cloudflare-dns .com in TLS SNI)", "Alerts: suspicious_iocontrol_codes infostealer_cookies persistence_autorun antisandbox_sleep", "Alerts: persistence_autorun_tasks polymorphic procmem_yara static_pe_anomaly antiav_detectfile", "Alerts: antiav_detectreg antivm_bochs_keys antivm_generic_disk infostealer_mail injection_write", "Alerts: suspicious_command_tools anomalous_deletefile mouse_movement_detect", "Alerts: dynamic_function_loading resumethread_remote_process stealth_hiddenreg", "Contacted Google services", "SERVICE NAME: SSDPSRV \u2022 Delete upnphost\tDelete \u2022 GoogleChromeElevationService", "https://otx.alienvault.com/indicator/file/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "codewiki.google", "Win.Malware.Unruy-6912804-0 IDS Detections: Win32/Unruy.C Activity 403 Forbidden", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction", "Alerts: network_http antisandbox_sleep creates_exe dropper stealth_window", "Alerts: injection_process_search protection_rx", "IP\u2019s Contacted: 142.250.74.68 142.250.74.99 18.66.121.69 185.53.179.170 2.22.41.134 204.79.197.200", "IP\u2019s Contacted: 208.91.196.46 209.197.3.8 216.239.32.29 35.186.238.101", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com www.google.com", "Domains Contacted: ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com", "Domains Contacted: d38psrni17bvxu.cloudfront.net www2.megawebfind.com www6.megawebfind.com", "PE Version Information : TJprojMain.exe", "Found in : https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b", "IDS Detections Win32/Unruy.C Activity \u2022 403 Forbidden" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Unruy-6912804-0", "display_name": "Win.Malware.Unruy-6912804-0", "target": null }, { "id": "Win.Packed.Eyestye-9754938-0", "display_name": "Win.Packed.Eyestye-9754938-0", "target": null }, { "id": "Eyestye", "display_name": "Eyestye", "target": null }, { "id": "AutoRun", "display_name": "AutoRun", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "ALF:HeraklezEval:PUA:Win32/4Shared", "display_name": "ALF:HeraklezEval:PUA:Win32/4Shared", "target": null }, { "id": "Cassini", "display_name": "Cassini", "target": null }, { "id": "DarkMoon", "display_name": "DarkMoon", "target": null }, { "id": "PolyRansom", "display_name": "PolyRansom", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1078.003", "name": "Local Accounts", "display_name": "T1078.003 - Local Accounts" }, { "id": "T1078.001", "name": "Default Accounts", "display_name": "T1078.001 - Default Accounts" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1090.004", "name": "Domain Fronting", "display_name": "T1090.004 - Domain Fronting" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 198, "FileHash-SHA1": 165, "FileHash-SHA256": 867, "URL": 1461, "hostname": 429, "domain": 221, "SSLCertFingerprint": 1 }, "indicator_count": 3342, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://codewiki.google/search", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://codewiki.google/search", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776622157.5648398 }