{ "type": "URL", "indicator": "https://cp.local.pl/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cp.local.pl/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4168843414, "indicator": "https://cp.local.pl/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69d6619d62ea0c3bbf0ebf75", "name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge", "description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.", "modified": "2026-04-08T14:09:33.432000", "created": "2026-04-08T14:09:33.432000", "tags": [ "issuer apple", "valid from", "valid", "serial number", "macho", "macho 64bit", "mac os", "x macho", "intel", "file version", "team identifier", "apple root", "ca feb", "am ma9eduzpcw", "signers", "issuer valid", "from valid", "status issuer", "apple inc", "valid apple", "a9 a8", "process32nextw", "regsetvalueexa", "read c", "regdword", "tls handshake", "failure", "msie", "malware", "write", "win32", "unknown", "dynamicloader", "high", "myapp", "device driver", "host", "worm", "delphi", "error", "code", "defender", "next", "file score", "cryp", "virus", "checkin tls", "forbidden yara", "msvisualcpp2008", "less ip", "contacted", "scanning host", "trojan", "exploit host", "apple inc", "monitored target", "targeting", "name servers", "servers", "expiration date", "value emails", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "tulach" ], "references": [ "com.iobit.MacBooster-3", "IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden", "Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,", "Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun", "Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer", "Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe", "Alerts: injection_process_search antivm_network_adapters privilege_luid_check", "Alerts: checks_debugger has_pdb raises_exception", "IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96", "Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com", "Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen", "I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.", "https://otx.alienvault.com/indicator/cve/CVE-2023-22518", "Issue! Team member found CVE-2023-22518 have origins from the State of Colorado", "Issue! Multiple IoC\u2019s missing.", "A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more", "I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place", "Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue", "Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s", "Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.", "Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?", "Researching using an easy powerful tool like this has led to confrontations.", "I liked the tool. There is something strange happening with the pulses & IoC\u2019s", "I did not clone my pulse to read Bit.io", "I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members", "There are serious researchers on here for a short time hoping to resolve serious cyber issues", "I am unable to reach Level Blue regarding issues. Mailer Daemon only", "It\u2019s not just me. I have contacted from very secured emails, networks, devices", "I typically follow targets who have truly dangerous situations who no longer pulse.", "This would be sent in an email but \u2026.", "About pulse, found in peripheral.", "When your pulse says contacted, who is contacted besides OTX?", "An earlier version contacted entities affected or affecting targets." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "FileHash-MD5": 102, "FileHash-SHA256": 2076, "IPv4": 111, "URL": 2496, "CVE": 2, "domain": 483, "hostname": 938, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 6289, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69598203b317ca9c39d22d24", "name": "Perl<==>PL 2020", "description": "The collection from 12 Virustotal graphs focused on Polish domains using the same domain names as frequently used IT terms (of course not all are included) such are prompts, commands commonly used in programming, shells, networking , cloud services ... in progress.", "modified": "2026-02-02T21:00:33.305000", "created": "2026-01-03T20:54:27.614000", "tags": [ "aftermarket", "pl", "Perl", "Linux", "vgt.pl", "allegro", "sanselo", "ginko", "adorno", "garden", "strefa=1003.v.vgt.pl", "franas", "logo.png", "style.css", "MKQZ", "information system", "cyber-volks", "update", "CERTHosts", "11 FBI Tools Emilyano Zapota", "Bitdefender", "factura.exe" ], "references": [ "https://www.virustotal.com/gui/collection/4a8dd95ef74a602bb1e310bb7983505017771b18a52ef7b554eca501ffaedc8d", "https://www.virustotal.com/gui/collection/64ae980a5d7b7eb3c27ede4a1c16f9fad502703cc72f0547185821974193748a", "https://www.virustotal.com/gui/collection/70e8893574d21e80a1f62512dd4d581684b9a65d5e8c511336b7277b3ebced89", "https://www.virustotal.com/gui/collection/924c72b474ebeb15b3fa374c619b258f527b861ea7ec284a86018af1585f8fff", "https://www.virustotal.com/gui/collection/b5ae7b0f2b072228395cf4cca8aa59ad83c70597b5f866117f6474190fed57ce", "https://www.virustotal.com/gui/collection/790677adc368e43b05183ed0b8f9237a9da486766dd708e6c6c2c5594bfae005", "https://www.virustotal.com/gui/collection/75633becc3e3625672d5b8623983983e76bf1d7d18bf0d7f8affcd3e22511a18", "https://www.virustotal.com/gui/collection/01010ec53219cf99ce0e46efe1d93f93e23c90d236fb6248420d283edd323c81", "https://www.virustotal.com/gui/collection/ac012a02b56f84ed78ab15a8344f812e1d66d0f1e22d6546670ced5108a82da4", "https://www.virustotal.com/gui/collection/b6570f7a26955ea25ee47c451b0d5ed48db2e6c38e8c7082f7b2fd45aaacd969", "https://www.virustotal.com/gui/collection/4a6474d024bcd082d21b09e0b8fe9154a5f26b8426216b1ed19259203255f0d6", "https://www.virustotal.com/gui/collection/f51a32f88ce67e629cf85563eabfc986e4d7da7e093814a3bc2c30fcaaff7341" ], "public": 1, "adversary": "", "targeted_countries": [ "Poland", "Canada", "Slovakia", "Czechia" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education", "Finance" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "userlolxxl", "id": "276085", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_276085/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 36, "FileHash-SHA1": 36, "FileHash-SHA256": 205, "URL": 187, "domain": 38, "hostname": 263 }, "indicator_count": 765, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "76 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "694dc80ac6e7fd5474b316a1", "name": "Malicious DDOS attacks targeting Brand New 2025 | Updated Apple Products affecting IRS payment portal", "description": "Malicious actors continue to target certain users attempting to pay the IRS. Victim is redirected to : http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan after typing in IRS.gov (w/ secure header \u2018https\u2019 )\nOnce information is input it is payment is rejected, levy against bank accounts and assets and other threats. There is social engineering as one victim is communicating with someone allegedly from the IRS? \nAlthough malicious entities contacted , malicious behavior continues. Adversaries in the Middle attack. US hacker group. Denver, Iowa, Arizona, NY and abroad. \n\n*Targets: https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main |", "modified": "2026-01-24T22:05:13.068000", "created": "2025-12-25T23:26:02.712000", "tags": [ "hash avast", "avg clamav", "msdefender feb", "url http", "url https", "zipcode", "active related", "cage01195 dec", "passports", "ipv4", "active", "irs", "apple", "role title", "indicator role", "malware attacks", "find encrypted", "lumen", "fastly", "create c", "read c", "delete", "write", "default", "medium", "rgba", "dock", "execution", "xport", "united", "passive dns", "urls", "expiration date", "unknown ns", "unknown aaaa", "pulse pulses", "merit", "dod network", "type indicator", "related pulses", "name", "name servers", "ffffff", "ip address", "emails", "object", "clsid6bf52a52", "cookie", "meta", "united kingdom", "germany", "russia", "search", "added active", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "href", "pattern match", "ascii text", "ck id", "mitre att", "ck matrix", "t1071", "general", "local", "path", "iframe", "click", "beginstring", "segoe ui", "null", "refresh", "span", "hybrid", "strings", "error", "tools", "title", "look", "verify", "restart", "data upload", "extraction", "failed", "include data", "entries", "unicode", "high", "memcommit", "next", "flag", "process details", "path expiresthu", "moved", "gmt set", "domain", "httponly path", "encrypt", "leaseweb", "iowa", "title added", "bad traffic", "et info", "tls handshake", "failure", "command decode", "suricata stream", "circle", "f5f8fa", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "development att", "suricata http", "windows nt", "date", "ips initial", "prefetch8", "localappdata", "prefetch1", "programfiles", "edge", "access att", "t1566 phishing", "initial access", "show process", "show technique", "process", "t1057", "contacted", "ck techniques", "evasion att", "body", "report spam", "apple", "ddos", "irs created", "hours ago", "white", "apple user", "industries", "government", "finance", "trojandropper", "appleservice", "mirai", "trojan", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "alerts", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "analysis date", "file score", "medium risk", "copy", "richhash", "finding notes", "clamav malware", "files matching", "number", "sample analysis", "samples show", "date hash", "yara rule", "msie", "t1063", "windows", "malware", "detected", "https domain", "tls sni", "markus", "smartassembly", "win64", "exif data", "present dec", "status", "showing", "show", "icmp traffic", "pdb path", "crlf line", "mutex", "ms defender", "mtb malware", "hide samples", "rootkit", "apple webkit", "macbook pro", "apple ios" ], "references": [ "sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022", "132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center", "154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc", "165.206.254.134 \u2022 Description: CC=US ASN=AS6122", "192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company", "195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet", "205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company", "207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network", "207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network", "214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center", "216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies", "78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh", "95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content", "http://www.anyxxxtube.net/search-porn/ - Adult Content", "https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content", "https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content", "http://sissy.com/default - Adult Content", "https://eliyporasa - Adult Content", "64.38.232.180 - Adult Content IP", "www.anyxxxtube.net - Adult Content", "www.anyxxxtube.net - Adult Content IP", "http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content", "http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP", "jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP", "https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP", "http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP", "http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP", "http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP", "httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022", "http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org", "asp.bet", "apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net", "https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c", "https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main", "http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com", "jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com", "https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e", "Information gathered equals 2 pulses. Pulse (1) included", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "Follow up need. This is a serious financial crime following the victims.", "Victims have lost financial assets, jobs, vehicles", "Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado", "After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Win.Malware.Msilperseus-6989564-0", "display_name": "Win.Malware.Msilperseus-6989564-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.Ramnit-1847", "display_name": "Win.Trojan.Ramnit-1847", "target": null }, { "id": "Win.Trojan.Fenomengame-14", "display_name": "Win.Trojan.Fenomengame-14", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "Mirai Sim Swap", "display_name": "Mirai Sim Swap", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Lumen IP", "display_name": "Lumen IP", "target": null }, { "id": "Unknown Malware \u2018Can't access file\u2019", "display_name": "Unknown Malware \u2018Can't access file\u2019", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Win.Trojan.Fenomengame-8", "display_name": "Win.Trojan.Fenomengame-8", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Adialer", "display_name": "ALF:JASYP:Trojan:Win32/Adialer", "target": null }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Financial", "Government", "Technology", "IRS" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 363, "FileHash-SHA1": 360, "FileHash-SHA256": 3009, "URL": 3504, "domain": 879, "email": 15, "hostname": 1487, "SSLCertFingerprint": 3 }, "indicator_count": 9620, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "85 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "694d7d426afd8c1c816ddb9e", "name": "Apple \u2022 IRS | ELF:DDoS |\tUnix.Trojan.Gafgyt redirects and blocks US taxpayers from making payments to IRS", "description": "This truly requires further research. This is a serious issue. There is are US adversaries blocking fiscally financial taxpayers from paying genie income taxes, threatening a levy, and other financially damaging consequences. It\u2019s clear to me the website is fraudulent. One target is an Apple user and an accountant. \n\n\nThere have been millions on financial crimes against this victim who I am now labeling a \u2018target\u2019. There are 4 other females\u2019 going through same thing. Losing assets, unable to reconcile taxes despite", "modified": "2026-01-24T17:05:40.719000", "created": "2025-12-25T18:06:58.222000", "tags": [ "united", "et trojan", "hello ssl", "whitelisted", "unknown", "ciphersuite", "sessionid", "asnone", "united kingdom", "show", "write", "virustotal", "drweb", "vipre", "mcafee", "panda", "malware", "pandex!gen1", "et", "aaaa", "present sep", "gmt secure", "passive dns", "urls", "gmt cache", "service", "title", "brazil as16625", "akamai", "top source", "tcp include", "top destination", "source source", "destination", "port", "gtmkv978zl", "utc gzy6fm95cs5", "utc na", "utc google", "analytics na", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "access att", "bad traffic", "et info", "tls handshake", "failure", "windir", "openurl c", "prefetch2", "dns requests", "domain address", "poland unknown", "ip address", "search", "present oct", "a domains", "body head", "document moved", "unique", "maxage86400", "httponly", "google safe", "browsing", "whois", "virustotal api", "screenshots", "comments", "pragma", "data upload", "extraction", "type", "extr", "delete c", "writeconsolew", "windows", "t1045", "read c", "susp", "dock", "win64", "alerts", "icmp traffic", "pdb path", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "yara detections", "lumen", "lumen ip", "public bgp", "address range", "cidr", "network name", "allocation type", "whois server", "entity lpl141", "handle", "url add", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "status", "showing", "domain", "trojan", "trojandropper", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "ipv4 add", "files", "location united", "america flag", "america asn", "nethandle", "net4", "net40000", "lpl141", "llc orgid", "city", "la postalcode", "dynamicloader", "write c", "medium", "named pipe", "yara rule", "high", "ms windows", "encrypt", "pegasus", "markus", "smartassembly", "next", "msie", "t1063", "windows nt", "fastly", "foundry", "palantir", "bgp", "webkit bugzilla", "record value", "content type", "bugzilla", "meta", "present nov", "entries", "atom", "apple", "chrome", "moved", "apple center", "gmt content", "name servers", "servers", "expiration date", "pulse submit", "url analysis", "date", "apple server", "apple dns", "asp.bet", "data collection", "bgp ip", "lumen control", "lumen admin", "level 3", "ipv4", "reverse dns", "found", "hostname add", "present jul", "present jun", "belize", "unknown ns", "present aug", "domain add", "creation date", "failed", "enter sc", "extra data", "include", "review exclude", "america united", "dns resolutions", "linuxgafgyt feb" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Canada" ], "malware_families": [ { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Lumen IP", "display_name": "Lumen IP", "target": null }, { "id": "Win.Malware.Msilperseus-6989564-0", "display_name": "Win.Malware.Msilperseus-6989564-0", "target": null }, { "id": "Unknown Malware \u2018Can't access file\u2019", "display_name": "Unknown Malware \u2018Can't access file\u2019", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Win.Trojan.Fenomengame-8", "display_name": "Win.Trojan.Fenomengame-8", "target": null }, { "id": "ALF:JASYP:Trojan:Win3", "display_name": "ALF:JASYP:Trojan:Win3", "target": null }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "ELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0", "display_name": "ELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Mirai Sim Swap", "display_name": "Mirai Sim Swap", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" } ], "industries": [ "Government", "Finance", "Telecommunications", "Technology", "Civil Society", "IRS" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4187, "hostname": 1574, "FileHash-SHA256": 2387, "FileHash-MD5": 189, "FileHash-SHA1": 161, "domain": 800, "CVE": 1, "email": 13, "CIDR": 1, "SSLCertFingerprint": 4 }, "indicator_count": 9317, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "85 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP", "www.anyxxxtube.net - Adult Content", "https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e", "165.206.254.134 \u2022 Description: CC=US ASN=AS6122", "192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company", "I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members", "sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022", "After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome", "132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center", "asp.bet", "https://otx.alienvault.com/indicator/cve/CVE-2023-22518", "http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content", "http://www.anyxxxtube.net/search-porn/ - Adult Content", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content", "httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022", "Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "I liked the tool. There is something strange happening with the pulses & IoC\u2019s", "https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content", "Information gathered equals 2 pulses. Pulse (1) included", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5", "https://www.virustotal.com/gui/collection/ac012a02b56f84ed78ab15a8344f812e1d66d0f1e22d6546670ced5108a82da4", "I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content", "http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network", "214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center", "When your pulse says contacted, who is contacted besides OTX?", "jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com", "http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP", "Issue! Multiple IoC\u2019s missing.", "https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c", "195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet", "205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company", "Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado", "http://sissy.com/default - Adult Content", "Issue! Team member found CVE-2023-22518 have origins from the State of Colorado", "95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.", "216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies", "https://www.virustotal.com/gui/collection/790677adc368e43b05183ed0b8f9237a9da486766dd708e6c6c2c5594bfae005", "Researching using an easy powerful tool like this has led to confrontations.", "Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh", "com.iobit.MacBooster-3", "https://www.virustotal.com/gui/collection/b5ae7b0f2b072228395cf4cca8aa59ad83c70597b5f866117f6474190fed57ce", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672", "About pulse, found in peripheral.", "https://www.virustotal.com/gui/collection/75633becc3e3625672d5b8623983983e76bf1d7d18bf0d7f8affcd3e22511a18", "https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content", "I am unable to reach Level Blue regarding issues. Mailer Daemon only", "Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue", "I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.", "Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?", "https://www.virustotal.com/gui/collection/f51a32f88ce67e629cf85563eabfc986e4d7da7e093814a3bc2c30fcaaff7341", "https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main", "Alerts: injection_process_search antivm_network_adapters privilege_luid_check", "Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe", "Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s", "https://www.virustotal.com/gui/collection/924c72b474ebeb15b3fa374c619b258f527b861ea7ec284a86018af1585f8fff", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun", "I typically follow targets who have truly dangerous situations who no longer pulse.", "https://www.virustotal.com/gui/collection/01010ec53219cf99ce0e46efe1d93f93e23c90d236fb6248420d283edd323c81", "IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden", "http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP", "https://www.virustotal.com/gui/collection/70e8893574d21e80a1f62512dd4d581684b9a65d5e8c511336b7277b3ebced89", "http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org", "It\u2019s not just me. I have contacted from very secured emails, networks, devices", "This would be sent in an email but \u2026.", "Follow up need. This is a serious financial crime following the victims.", "Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.", "Victims have lost financial assets, jobs, vehicles", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content", "applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com", "Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d", "www.anyxxxtube.net - Adult Content IP", "There are serious researchers on here for a short time hoping to resolve serious cyber issues", "A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more", "64.38.232.180 - Adult Content IP", "207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network", "http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3", "Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com", "https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP", "IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96", "I did not clone my pulse to read Bit.io", "https://www.virustotal.com/gui/collection/4a8dd95ef74a602bb1e310bb7983505017771b18a52ef7b554eca501ffaedc8d", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content", "https://www.virustotal.com/gui/collection/b6570f7a26955ea25ee47c451b0d5ed48db2e6c38e8c7082f7b2fd45aaacd969", "https://www.virustotal.com/gui/collection/4a6474d024bcd082d21b09e0b8fe9154a5f26b8426216b1ed19259203255f0d6", "jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP", "https://www.virustotal.com/gui/collection/64ae980a5d7b7eb3c27ede4a1c16f9fad502703cc72f0547185821974193748a", "Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer", "http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP", "An earlier version contacted entities affected or affecting targets.", "Alerts: checks_debugger has_pdb raises_exception", "154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc", "https://eliyporasa - Adult Content", "apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Unix.trojan.gafgyt-6981154-0", "Win.trojan.ramnit-1847", "Unknown malware \u2018can't access file\u2019", "Cve-2023-22518", "Virus:win32/floxif.h", "Alf:jasyp:trojan:win32/adialer", "Ransom:win32/cve-2017-0147", "Mirai sim swap", "Mirai", "Elf:ddos-s\\ [trj]", "Win.trojan.fenomengame-14", "Alf:jasyp:trojan:win3", "Trojandropper:win32/muldrop", "Elf:ddos-s\\ [trj]\t\tunix.trojan.gafgyt-6981154-0", "Worm:win32/autorun!atmn", "Pandex!gen1", "Et", "Exploit:win32/cve-2017-0147", "Win.trojan.fenomengame-8", "Alf:jasyp:trojan:win32/ircbot!atmn", "Lumen ip", "Appleservice", "Win.malware.msilperseus-6989564-0" ], "industries": [ "Education", "Finance", "Civil society", "Technology", "Government", "Irs", "Financial", "Telecommunications" ], "unique_indicators": 22453 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/local.pl", "whois": "http://whois.domaintools.com/local.pl", "domain": "local.pl", "hostname": "cp.local.pl" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69d6619d62ea0c3bbf0ebf75", "name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge", "description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.", "modified": "2026-04-08T14:09:33.432000", "created": "2026-04-08T14:09:33.432000", "tags": [ "issuer apple", "valid from", "valid", "serial number", "macho", "macho 64bit", "mac os", "x macho", "intel", "file version", "team identifier", "apple root", "ca feb", "am ma9eduzpcw", "signers", "issuer valid", "from valid", "status issuer", "apple inc", "valid apple", "a9 a8", "process32nextw", "regsetvalueexa", "read c", "regdword", "tls handshake", "failure", "msie", "malware", "write", "win32", "unknown", "dynamicloader", "high", "myapp", "device driver", "host", "worm", "delphi", "error", "code", "defender", "next", "file score", "cryp", "virus", "checkin tls", "forbidden yara", "msvisualcpp2008", "less ip", "contacted", "scanning host", "trojan", "exploit host", "apple inc", "monitored target", "targeting", "name servers", "servers", "expiration date", "value emails", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "tulach" ], "references": [ "com.iobit.MacBooster-3", "IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden", "Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,", "Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun", "Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer", "Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe", "Alerts: injection_process_search antivm_network_adapters privilege_luid_check", "Alerts: checks_debugger has_pdb raises_exception", "IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96", "Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com", "Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen", "I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.", "https://otx.alienvault.com/indicator/cve/CVE-2023-22518", "Issue! Team member found CVE-2023-22518 have origins from the State of Colorado", "Issue! Multiple IoC\u2019s missing.", "A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more", "I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place", "Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue", "Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s", "Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.", "Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?", "Researching using an easy powerful tool like this has led to confrontations.", "I liked the tool. There is something strange happening with the pulses & IoC\u2019s", "I did not clone my pulse to read Bit.io", "I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members", "There are serious researchers on here for a short time hoping to resolve serious cyber issues", "I am unable to reach Level Blue regarding issues. Mailer Daemon only", "It\u2019s not just me. I have contacted from very secured emails, networks, devices", "I typically follow targets who have truly dangerous situations who no longer pulse.", "This would be sent in an email but \u2026.", "About pulse, found in peripheral.", "When your pulse says contacted, who is contacted besides OTX?", "An earlier version contacted entities affected or affecting targets." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "FileHash-MD5": 102, "FileHash-SHA256": 2076, "IPv4": 111, "URL": 2496, "CVE": 2, "domain": 483, "hostname": 938, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 6289, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69598203b317ca9c39d22d24", "name": "Perl<==>PL 2020", "description": "The collection from 12 Virustotal graphs focused on Polish domains using the same domain names as frequently used IT terms (of course not all are included) such are prompts, commands commonly used in programming, shells, networking , cloud services ... in progress.", "modified": "2026-02-02T21:00:33.305000", "created": "2026-01-03T20:54:27.614000", "tags": [ "aftermarket", "pl", "Perl", "Linux", "vgt.pl", "allegro", "sanselo", "ginko", "adorno", "garden", "strefa=1003.v.vgt.pl", "franas", "logo.png", "style.css", "MKQZ", "information system", "cyber-volks", "update", "CERTHosts", "11 FBI Tools Emilyano Zapota", "Bitdefender", "factura.exe" ], "references": [ "https://www.virustotal.com/gui/collection/4a8dd95ef74a602bb1e310bb7983505017771b18a52ef7b554eca501ffaedc8d", "https://www.virustotal.com/gui/collection/64ae980a5d7b7eb3c27ede4a1c16f9fad502703cc72f0547185821974193748a", "https://www.virustotal.com/gui/collection/70e8893574d21e80a1f62512dd4d581684b9a65d5e8c511336b7277b3ebced89", "https://www.virustotal.com/gui/collection/924c72b474ebeb15b3fa374c619b258f527b861ea7ec284a86018af1585f8fff", "https://www.virustotal.com/gui/collection/b5ae7b0f2b072228395cf4cca8aa59ad83c70597b5f866117f6474190fed57ce", "https://www.virustotal.com/gui/collection/790677adc368e43b05183ed0b8f9237a9da486766dd708e6c6c2c5594bfae005", "https://www.virustotal.com/gui/collection/75633becc3e3625672d5b8623983983e76bf1d7d18bf0d7f8affcd3e22511a18", "https://www.virustotal.com/gui/collection/01010ec53219cf99ce0e46efe1d93f93e23c90d236fb6248420d283edd323c81", "https://www.virustotal.com/gui/collection/ac012a02b56f84ed78ab15a8344f812e1d66d0f1e22d6546670ced5108a82da4", "https://www.virustotal.com/gui/collection/b6570f7a26955ea25ee47c451b0d5ed48db2e6c38e8c7082f7b2fd45aaacd969", "https://www.virustotal.com/gui/collection/4a6474d024bcd082d21b09e0b8fe9154a5f26b8426216b1ed19259203255f0d6", "https://www.virustotal.com/gui/collection/f51a32f88ce67e629cf85563eabfc986e4d7da7e093814a3bc2c30fcaaff7341" ], "public": 1, "adversary": "", "targeted_countries": [ "Poland", "Canada", "Slovakia", "Czechia" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education", "Finance" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "userlolxxl", "id": "276085", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_276085/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 36, "FileHash-SHA1": 36, "FileHash-SHA256": 205, "URL": 187, "domain": 38, "hostname": 263 }, "indicator_count": 765, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "76 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "694dc80ac6e7fd5474b316a1", "name": "Malicious DDOS attacks targeting Brand New 2025 | Updated Apple Products affecting IRS payment portal", "description": "Malicious actors continue to target certain users attempting to pay the IRS. Victim is redirected to : http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan after typing in IRS.gov (w/ secure header \u2018https\u2019 )\nOnce information is input it is payment is rejected, levy against bank accounts and assets and other threats. There is social engineering as one victim is communicating with someone allegedly from the IRS? \nAlthough malicious entities contacted , malicious behavior continues. Adversaries in the Middle attack. US hacker group. Denver, Iowa, Arizona, NY and abroad. \n\n*Targets: https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main |", "modified": "2026-01-24T22:05:13.068000", "created": "2025-12-25T23:26:02.712000", "tags": [ "hash avast", "avg clamav", "msdefender feb", "url http", "url https", "zipcode", "active related", "cage01195 dec", "passports", "ipv4", "active", "irs", "apple", "role title", "indicator role", "malware attacks", "find encrypted", "lumen", "fastly", "create c", "read c", "delete", "write", "default", "medium", "rgba", "dock", "execution", "xport", "united", "passive dns", "urls", "expiration date", "unknown ns", "unknown aaaa", "pulse pulses", "merit", "dod network", "type indicator", "related pulses", "name", "name servers", "ffffff", "ip address", "emails", "object", "clsid6bf52a52", "cookie", "meta", "united kingdom", "germany", "russia", "search", "added active", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "href", "pattern match", "ascii text", "ck id", "mitre att", "ck matrix", "t1071", "general", "local", "path", "iframe", "click", "beginstring", "segoe ui", "null", "refresh", "span", "hybrid", "strings", "error", "tools", "title", "look", "verify", "restart", "data upload", "extraction", "failed", "include data", "entries", "unicode", "high", "memcommit", "next", "flag", "process details", "path expiresthu", "moved", "gmt set", "domain", "httponly path", "encrypt", "leaseweb", "iowa", "title added", "bad traffic", "et info", "tls handshake", "failure", "command decode", "suricata stream", "circle", "f5f8fa", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "development att", "suricata http", "windows nt", "date", "ips initial", "prefetch8", "localappdata", "prefetch1", "programfiles", "edge", "access att", "t1566 phishing", "initial access", "show process", "show technique", "process", "t1057", "contacted", "ck techniques", "evasion att", "body", "report spam", "apple", "ddos", "irs created", "hours ago", "white", "apple user", "industries", "government", "finance", "trojandropper", "appleservice", "mirai", "trojan", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "alerts", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "analysis date", "file score", "medium risk", "copy", "richhash", "finding notes", "clamav malware", "files matching", "number", "sample analysis", "samples show", "date hash", "yara rule", "msie", "t1063", "windows", "malware", "detected", "https domain", "tls sni", "markus", "smartassembly", "win64", "exif data", "present dec", "status", "showing", "show", "icmp traffic", "pdb path", "crlf line", "mutex", "ms defender", "mtb malware", "hide samples", "rootkit", "apple webkit", "macbook pro", "apple ios" ], "references": [ "sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022", "132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center", "154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc", "165.206.254.134 \u2022 Description: CC=US ASN=AS6122", "192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company", "195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet", "205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company", "207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network", "207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network", "214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center", "216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies", "78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh", "95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content", "http://www.anyxxxtube.net/search-porn/ - Adult Content", "https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content", "https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content", "http://sissy.com/default - Adult Content", "https://eliyporasa - Adult Content", "64.38.232.180 - Adult Content IP", "www.anyxxxtube.net - Adult Content", "www.anyxxxtube.net - Adult Content IP", "http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content", "http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP", "jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP", "https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP", "http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP", "http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP", "http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP", "httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022", "http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org", "asp.bet", "apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net", "https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c", "https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main", "http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com", "jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com", "https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e", "Information gathered equals 2 pulses. Pulse (1) included", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "Follow up need. This is a serious financial crime following the victims.", "Victims have lost financial assets, jobs, vehicles", "Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado", "After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Win.Malware.Msilperseus-6989564-0", "display_name": "Win.Malware.Msilperseus-6989564-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.Ramnit-1847", "display_name": "Win.Trojan.Ramnit-1847", "target": null }, { "id": "Win.Trojan.Fenomengame-14", "display_name": "Win.Trojan.Fenomengame-14", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "Mirai Sim Swap", "display_name": "Mirai Sim Swap", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Lumen IP", "display_name": "Lumen IP", "target": null }, { "id": "Unknown Malware \u2018Can't access file\u2019", "display_name": "Unknown Malware \u2018Can't access file\u2019", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Win.Trojan.Fenomengame-8", "display_name": "Win.Trojan.Fenomengame-8", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Adialer", "display_name": "ALF:JASYP:Trojan:Win32/Adialer", "target": null }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Financial", "Government", "Technology", "IRS" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 363, "FileHash-SHA1": 360, "FileHash-SHA256": 3009, "URL": 3504, "domain": 879, "email": 15, "hostname": 1487, "SSLCertFingerprint": 3 }, "indicator_count": 9620, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "85 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "694d7d426afd8c1c816ddb9e", "name": "Apple \u2022 IRS | ELF:DDoS |\tUnix.Trojan.Gafgyt redirects and blocks US taxpayers from making payments to IRS", "description": "This truly requires further research. This is a serious issue. There is are US adversaries blocking fiscally financial taxpayers from paying genie income taxes, threatening a levy, and other financially damaging consequences. It\u2019s clear to me the website is fraudulent. One target is an Apple user and an accountant. \n\n\nThere have been millions on financial crimes against this victim who I am now labeling a \u2018target\u2019. There are 4 other females\u2019 going through same thing. Losing assets, unable to reconcile taxes despite", "modified": "2026-01-24T17:05:40.719000", "created": "2025-12-25T18:06:58.222000", "tags": [ "united", "et trojan", "hello ssl", "whitelisted", "unknown", "ciphersuite", "sessionid", "asnone", "united kingdom", "show", "write", "virustotal", "drweb", "vipre", "mcafee", "panda", "malware", "pandex!gen1", "et", "aaaa", "present sep", "gmt secure", "passive dns", "urls", "gmt cache", "service", "title", "brazil as16625", "akamai", "top source", "tcp include", "top destination", "source source", "destination", "port", "gtmkv978zl", "utc gzy6fm95cs5", "utc na", "utc google", "analytics na", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "access att", "bad traffic", "et info", "tls handshake", "failure", "windir", "openurl c", "prefetch2", "dns requests", "domain address", "poland unknown", "ip address", "search", "present oct", "a domains", "body head", "document moved", "unique", "maxage86400", "httponly", "google safe", "browsing", "whois", "virustotal api", "screenshots", "comments", "pragma", "data upload", "extraction", "type", "extr", "delete c", "writeconsolew", "windows", "t1045", "read c", "susp", "dock", "win64", "alerts", "icmp traffic", "pdb path", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "yara detections", "lumen", "lumen ip", "public bgp", "address range", "cidr", "network name", "allocation type", "whois server", "entity lpl141", "handle", "url add", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "status", "showing", "domain", "trojan", "trojandropper", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "ipv4 add", "files", "location united", "america flag", "america asn", "nethandle", "net4", "net40000", "lpl141", "llc orgid", "city", "la postalcode", "dynamicloader", "write c", "medium", "named pipe", "yara rule", "high", "ms windows", "encrypt", "pegasus", "markus", "smartassembly", "next", "msie", "t1063", "windows nt", "fastly", "foundry", "palantir", "bgp", "webkit bugzilla", "record value", "content type", "bugzilla", "meta", "present nov", "entries", "atom", "apple", "chrome", "moved", "apple center", "gmt content", "name servers", "servers", "expiration date", "pulse submit", "url analysis", "date", "apple server", "apple dns", "asp.bet", "data collection", "bgp ip", "lumen control", "lumen admin", "level 3", "ipv4", "reverse dns", "found", "hostname add", "present jul", "present jun", "belize", "unknown ns", "present aug", "domain add", "creation date", "failed", "enter sc", "extra data", "include", "review exclude", "america united", "dns resolutions", "linuxgafgyt feb" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Canada" ], "malware_families": [ { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Lumen IP", "display_name": "Lumen IP", "target": null }, { "id": "Win.Malware.Msilperseus-6989564-0", "display_name": "Win.Malware.Msilperseus-6989564-0", "target": null }, { "id": "Unknown Malware \u2018Can't access file\u2019", "display_name": "Unknown Malware \u2018Can't access file\u2019", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Win.Trojan.Fenomengame-8", "display_name": "Win.Trojan.Fenomengame-8", "target": null }, { "id": "ALF:JASYP:Trojan:Win3", "display_name": "ALF:JASYP:Trojan:Win3", "target": null }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "ELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0", "display_name": "ELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Mirai Sim Swap", "display_name": "Mirai Sim Swap", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" } ], "industries": [ "Government", "Finance", "Telecommunications", "Technology", "Civil Society", "IRS" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4187, "hostname": 1574, "FileHash-SHA256": 2387, "FileHash-MD5": 189, "FileHash-SHA1": 161, "domain": 800, "CVE": 1, "email": 13, "CIDR": 1, "SSLCertFingerprint": 4 }, "indicator_count": 9317, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "85 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cp.local.pl/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cp.local.pl/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776664959.1755261 }