{
  "type": "URL",
  "indicator": "https://crt.sh/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://crt.sh/",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 2949355865,
      "indicator": "https://crt.sh/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "6a0e9725b323ae1350c36488",
          "name": "no comment",
          "description": "",
          "modified": "2026-05-21T06:52:08.577000",
          "created": "2026-05-21T05:24:53.947000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 366,
            "FileHash-SHA1": 366,
            "FileHash-SHA256": 5078,
            "IPv4": 44,
            "URL": 2414,
            "domain": 1305,
            "hostname": 366,
            "CIDR": 1,
            "email": 2,
            "Mutex": 1
          },
          "indicator_count": 9943,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "10 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a5c36b78ed73550bb0bf22",
          "name": "by Disable_Duck",
          "description": "",
          "modified": "2026-03-04T23:37:24.208000",
          "created": "2026-03-02T17:05:47.288000",
          "tags": [
            "kgs0",
            "kls0",
            "botname http",
            "entity",
            "UAlberta",
            "Telus",
            "Norton",
            "ffss",
            "Alberta",
            "AlbertaNDP",
            "InteriorHealth",
            "RCMP",
            "CrimeStoppersAB",
            "EdmontonPolice",
            "RCMP Kelowna",
            "RCMP AB",
            "TLS/SSL Crawler",
            "CVE-2026-24061 Attempt",
            "Generic IoT Default Password Attempt",
            "Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt",
            "Dahua Backdoor Attempt",
            "ENV Crawler",
            "DCERPC Protocol",
            "Carries HTTP Referer",
            "GNU Inetutils Telnetd Auth Bypass",
            "ICMPv4 Protocol"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
            "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
            "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands",
            "Panama",
            "Poland",
            "United Kingdom of Great Britain and Northern Ireland",
            "Slovakia",
            "Aruba",
            "Anguilla",
            "Australia",
            "Costa Rica",
            "Guatemala",
            "Mexico",
            "Trinidad and Tobago",
            "Cura\u00e7ao",
            "Philippines",
            "Virgin Islands, U.S.",
            "Ukraine",
            "Barbados",
            "Germany",
            "Sint Maarten (Dutch part)",
            "Argentina",
            "Switzerland"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government",
            "Technology",
            "Energy",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": "6901363c4ce422f5caf0f72c",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3903,
            "FileHash-SHA1": 4967,
            "FileHash-SHA256": 12884,
            "URL": 996,
            "domain": 987,
            "hostname": 3306,
            "email": 4,
            "CVE": 1
          },
          "indicator_count": 27048,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "88 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6901363c4ce422f5caf0f72c",
          "name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)",
          "description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse is mostly covering activity in the Province of Alberta Canada. Given recent news, it appears that BC Interior Health and Kelowna RCMP Detachment impacted in addition to Alberta Sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6,7,8 as well as the Canadian CRA heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)",
          "modified": "2026-02-18T05:00:41.494000",
          "created": "2025-10-28T21:31:40.008000",
          "tags": [
            "kgs0",
            "kls0",
            "botname http",
            "entity",
            "UAlberta",
            "Telus",
            "Norton",
            "ffss",
            "Alberta",
            "AlbertaNDP",
            "InteriorHealth",
            "RCMP",
            "CrimeStoppersAB",
            "EdmontonPolice",
            "RCMP Kelowna",
            "RCMP AB"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
            "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands",
            "Panama",
            "Poland",
            "United Kingdom of Great Britain and Northern Ireland",
            "Slovakia",
            "Aruba",
            "Anguilla",
            "Australia",
            "Costa Rica",
            "Guatemala",
            "Mexico",
            "Trinidad and Tobago",
            "Cura\u00e7ao",
            "Philippines",
            "Virgin Islands, U.S.",
            "Ukraine",
            "Barbados",
            "Germany",
            "Sint Maarten (Dutch part)"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government",
            "Technology",
            "Energy",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3903,
            "FileHash-SHA1": 4967,
            "FileHash-SHA256": 12884,
            "URL": 995,
            "domain": 984,
            "hostname": 3305,
            "email": 4
          },
          "indicator_count": 27042,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "103 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68adee67c08cd025b05c2ab0",
          "name": "Collection of Collections - Updated - Malicious Certificates & University of Alberta DataBreach - 09.15.25.25",
          "description": "This Pulse is an attempt to aggregate all known certificates from all sources.\n\nEncrypted Communication: The malware uses Bitcoin and Ethereum addresses for communication, allowing it to receive commands and exfiltrate data securely.\nEvasion Techniques: The malware generates long and unusual domain parts using Domain Generation Algorithms to evade detection and establish communication with its C2 server.\nData Exfiltration: The malware can exfiltrate data to cloud storage services, enabling the threat actor to steal sensitive information from the compromised system.\nRemote Access: The malware leverages bidirectional communication and system binary proxy execution techniques to enable remote access and control over the infected system.\nIngress Tool Transfer: The malware downloads executable files from URLs, indicating its ability to download additional malicious payloads or updates to enhance its capabilities.",
          "modified": "2025-10-16T05:02:02.452000",
          "created": "2025-08-26T17:27:01.650000",
          "tags": [
            "http",
            "https",
            "kgs0",
            "kls0",
            "Malcerts",
            "Certificates",
            "Alberta",
            "GovAB",
            "UAlberta",
            "Speader"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g0cfdc207f7d14c9a9173c2f9b804dd92b17706ef2a8c41dba3e0af36353cd70b?theme=dark",
            "https://viz.greynoise.io/ip/analysis/408b56e2-1932-4975-b348-5a8a7c5991d4",
            "https://report.netcraft.com/submission/ATkcJjvq2iKUQhELceQs7q4WVU76Q8QG - Submitted IPv4s to Netcraft 08.29.25",
            "https://www.filescan.io/uploads/68b261771c81c34281d8af6d/reports/44924eb0-000d-42ad-944e-36bf849a406d/overview",
            "https://www.virustotal.com/gui/file/19ec86ce10a716e8e63804239052c96cfa0a7fb66c2820bda2e66358f622525c/community",
            "Added some URLs from FSio Report to URLScan"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands",
            "Aruba",
            "Panama",
            "Poland",
            "Ukraine",
            "United Kingdom of Great Britain and Northern Ireland",
            "Anguilla",
            "United Arab Emirates",
            "Ireland",
            "Tanzania, United Republic of",
            "Philippines",
            "Japan",
            "Guatemala",
            "Mexico",
            "Bahamas",
            "Barbados",
            "Georgia",
            "Slovakia",
            "Sint Maarten (Dutch part)",
            "Kenya"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Government",
            "Technology",
            "Telecommunications",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1639,
            "FileHash-MD5": 1481,
            "FileHash-SHA1": 1421,
            "FileHash-SHA256": 5969,
            "domain": 707,
            "hostname": 2311,
            "email": 5,
            "CIDR": 13
          },
          "indicator_count": 13546,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 133,
          "modified_text": "228 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b78d521f024d3a98fc79c8",
          "name": "VT Graph miniuser - Databreach IOCs & Links",
          "description": "Related to Pulse: Food for Thought (Updated 09.02.25)\n\n*Note most links are malicious",
          "modified": "2025-10-03T00:01:12.616000",
          "created": "2025-09-03T00:35:30.936000",
          "tags": [
            "kgs0",
            "kls0",
            "entity",
            "UAlberta",
            "University of Alberta",
            "Hacked",
            "DataBreach"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 132,
            "FileHash-SHA1": 121,
            "FileHash-SHA256": 711,
            "URL": 83,
            "domain": 50,
            "hostname": 125
          },
          "indicator_count": 1222,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "241 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67b109cbfbcc6f92c399b327",
          "name": "UAlberta Breach Data - Food for thought - thoughts & input on how to 'bring some attention to this' (not enriched)",
          "description": "Just thought I'd throw this together and 'see what ya'll make of it' (documents a VT graph produced and slightly modified) that pulls a lot of things together.  Highlights both 'some problems' - U of A / Gov. of AB (who are also some 'solutions'). \nIdeas on how to grab their attention and maybe bring some 'urgency' to this issue? I have a few solutions and ideas for everyone - problem: I require some folks to 'do their jobs' (there is not 10 of me). Thoughts on how to encourage them to act on these problems. Present status: Connected directly to them on other devices. Within literal 5 min walking range.",
          "modified": "2025-05-27T07:01:17.646000",
          "created": "2025-02-15T21:40:27.895000",
          "tags": [
            "kgs0",
            "kls0"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark",
            "<iframe   src=\"https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark\"   width=\"700\"   height=\"400\"> </iframe>",
            "Government of AB https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce OTX AlienVault 2096",
            "UAlberta = https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecbe"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Government",
            "Healthcare",
            "Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 5,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 215,
            "FileHash-SHA1": 193,
            "FileHash-SHA256": 1302,
            "URL": 166,
            "domain": 100,
            "hostname": 234
          },
          "indicator_count": 2210,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 131,
          "modified_text": "369 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67aac6e4b628acffaed3f068",
          "name": "New Batch - Malcerts - 02.10.25 - unenriched",
          "description": "Here is the full text of the text that was found on the website of Mozilla, following an investigation by the security firm Virustotal and the UK's Office of National Statistics (ONS).. [autofilled].\n\nMore Malcerts from Sample Device deployed at several sites in YEG - Canada. Related to pulse - Thor Scan Lite Linux\nNot enriched on import, but did include links to VT entries as IOCs (those will be false positives - but easy access). \nFolder name: Mozilla Located @ /usr/share/ca-certificates",
          "modified": "2025-03-16T17:01:06.968000",
          "created": "2025-02-11T03:41:24.585000",
          "tags": [
            "UAlberta",
            "Malcerts",
            "Certificates",
            "Eduroam",
            "Alberta"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/iocs",
            "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/summary",
            "https://hybrid-analysis.com/file-collection/67aa8951a3fc5708a905306a",
            "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/community",
            "https://tria.ge/250210-3c3c3askfz",
            "https://tria.ge/250210-3nh4kasmes",
            "https://tria.ge/250210-3y8f7sspdy",
            "https://tria.ge/250211-dhpxgswlax",
            "https://tria.ge/250211-dt1hcswme1",
            "https://tria.ge/250211-dx9v7swnbw",
            "Zipped IOC: c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
            "https://www.virustotal.com/graph/embed/g4d7797bcffdd450281d4012ac3a0a5ee3fafe8b4f5964c18b4e0332306cb367b?theme=dark",
            "https://tip.neiki.dev/file/c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
            "c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
            "Cert[.]pl MLDB: 1da23fc67a5f101321e39d04e76dcaa7"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Government",
            "Healthcare",
            "Telecommunications",
            "Finance",
            "Agriculture",
            "Hospitality",
            "Media",
            "Retail"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 831,
            "FileHash-SHA1": 801,
            "FileHash-SHA256": 3227,
            "URL": 395,
            "domain": 189,
            "hostname": 798
          },
          "indicator_count": 6241,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 131,
          "modified_text": "441 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66c9bb42dd32d415f9aaa06c",
          "name": "Botnet exchange  | NORAD Tracking | Mirai | Injection | Spyware | Remote executions",
          "description": "North American Aerospace Defense Command NORAD - http://superanalbizflowforum.com/tsara-lynn-brashears (really?)\nwww.norad.mil , www.northcom.mil, dodcio.defense.gov, www.defense.gov\nwww.dodig.mil, www.foia.gov , prhome.defense.gov\n, www.ourmilitary.com, www.noradsanta.org , www.web.dma.mil  \nIt's hard to tell or believe military and DoD conduct business this way. I tend to think scam abuse. Exception: target, escorted by security to appt in a DHS secured bldg. She was then told to leave after receptionist received a call stating target was a threat. Entire floor was secured off. TB beyond upset w/ my carelessness of veteran & other comments. Targets Father, brother uncles, cousins, all served honorably w/some now terminally affected & mothers passed on from Camp Lejeune related complications. Father, an engineer & veteran  worked on AEGIS weapons system test team for 3 now potentially decommissioned military Destroyers. \nI apologize profusely for comment, MIL involvement was prevalent; it remains cloudy.",
          "modified": "2024-09-23T09:03:54.724000",
          "created": "2024-08-24T10:51:46.907000",
          "tags": [
            "server",
            "whois lookup",
            "domain name",
            "llc sponsoring",
            "registrar iana",
            "referral url",
            "tsara brashears",
            "referrer",
            "porn",
            "networks",
            "botnet campaign",
            "pyinstaller",
            "apple",
            "password",
            "cybercrime",
            "it consultant",
            "metro",
            "skynet",
            "analyzer paste",
            "iocs",
            "hostnames",
            "urls http",
            "cyber threat",
            "cnc server",
            "ibm xforce",
            "exchange",
            "covid19",
            "tracker",
            "exchange botnet",
            "command",
            "control server",
            "keybase",
            "citadel",
            "stealer",
            "zeus",
            "radamant",
            "kovter",
            "zbot",
            "suppobox",
            "simda",
            "virut",
            "kraken",
            "amonetize",
            "msil",
            "phishing",
            "malicious",
            "feodo",
            "united",
            "germany unknown",
            "as133775 xiamen",
            "unknown",
            "china unknown",
            "passive dns",
            "domain",
            "search",
            "cisco umbrella",
            "site",
            "alexa top",
            "million",
            "safe site",
            "malware site",
            "malicious site",
            "malware",
            "malicious url",
            "files domain",
            "files related",
            "related tags",
            "none md5",
            "as35908 krypt",
            "status hostname",
            "query type",
            "address first",
            "seen last",
            "seen asn",
            "country unknown",
            "status",
            "record value",
            "all scoreblue",
            "meta",
            "trend today",
            "link",
            "japan unknown",
            "script urls",
            "script script",
            "name servers",
            "script domains",
            "accept",
            "encrypt",
            "gmt content",
            "gmt etag",
            "ipv4",
            "url analysis",
            "pragma",
            "scan endpoints",
            "pulse submit",
            "urls",
            "body",
            "date",
            "hostname",
            "pulse pulses",
            "react app",
            "verizon feed",
            "bq aug",
            "typeof e",
            "object",
            "wds socket",
            "error",
            "path max",
            "path",
            "cookie",
            "suspicious",
            "virtool",
            "info",
            "trace",
            "moved",
            "aaaa nxdomain",
            "files",
            "a domains",
            "as9371 sakura",
            "service",
            "servers",
            "xml title",
            "dnssec",
            "showing",
            "next",
            "xserver",
            "title",
            "file",
            "type texthtml",
            "sha256",
            "read c",
            "write c",
            "kryptik",
            "tls sni",
            "style ssl",
            "cert",
            "amazon profile",
            "show",
            "cobaltstrike",
            "trojan",
            "copy",
            "write",
            "win32",
            "persistence",
            "execution",
            "media",
            "autorun",
            "delete c",
            "trojanspy",
            "entries",
            "bytes",
            "jpeg image",
            "ole control",
            "menu",
            "dock zone",
            "delphi",
            "dcom",
            "form",
            "canvas",
            "nxdomain",
            "ds nxdomain",
            "mirai variant",
            "useragent",
            "hello",
            "apache",
            "world",
            "inbound",
            "outbound",
            "hackingtrio ua",
            "activity mirai",
            "http traffic",
            "malware beacon",
            "mirai",
            "exploit",
            "shell",
            "aaaa",
            "as14061",
            "trojanclicker",
            "expl",
            "kr5a head",
            "abuse",
            "agent",
            "virgin islands",
            "as19905",
            "expiration date",
            "organization",
            "as4134 chinanet",
            "as4837 china",
            "type get",
            "as48447 sectigo",
            "united kingdom",
            "content type",
            "arial",
            "secure server",
            "as20940",
            "as2914 ntt",
            "as3257 gtt",
            "as2828 verizon",
            "general",
            ".mil",
            "brian sabey",
            "brian sabey"
          ],
          "references": [
            "North American Aerospace Defense Command NORAD",
            "superanalbizflowforum.com | www.networksolutions.com",
            "http://superanalbizflowforum.com/tsara-lynn-brashears",
            "ELF:Mirai-GH\\ [Trj] Trojan:Win32/Cenjonsla.D!bit Trojan:Win32/SmokeLoader TrojanSpy:Win32/Small VirTool:Win32/Injector.gen!BQ",
            "https://www.virustotal.com/gui/search/engines:trojan%20AND%20engines:dropper%20AND%20engines:razy%20AND%20engines:copak",
            "ELF:Mirai-GH\\ [Trj] : FileHash-SHA256 866dfa8f3e4f4f26b70fd046fa6dcbc16eea1abc3bfaddb099d675e77ce26942 trojan",
            "Trojan:Win32/SmokeLoader : FileHash-SHA256 29d85b4c2d52a8bcb081aa40e3d4334a864e988e1fe17933f903b4114be8e56e",
            "TrojanSpy:Win32/Small : FileHash-SHA256 afec8925c79d6bb948ce08df54753268f63b4cb770456e6b623d9985fb1499cd",
            "Trojan:Win32/Cenjonsla.D!bit : FileHash-SHA256 8d5fe61f75602c85c9cd196e7accc17e119191655d4ecd56da498663f5a8c92b",
            "VirTool:Win32/Injector.gen!BQ : FileHash-SHA256  a23846fe9a306c84eb1fb2b6b0b2b3a5fdbd958f747a10ccdb435d97e35de6f9",
            "Malware Hosting: http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
            "Malware : http://gomyron.com/MTgzNjk=/2/6433/ronnoagraug/  - Huawei HG532 RCE Vulnerability",
            "Malware Hosting: 162.43.116.132 | 183.181.98.116",
            "CVE-2017-17215 - Huawei HG532 RCE Vulnerability / Huawei Remote Command Execution - Outbound / Huawei Remote Command Execution",
            "CVE-2017-8759 -\t\".NET Framework Remote Code Execution Vulnerability.\" CVE-2018-8453 -  \"Win32k Elevation of Privilege Vulnerability.'",
            "dev.dancerage.com - Unknown\tdev.sportshelves.com\tA\t199.59.242.153| dev.sportshelves.com | www.imarkdev.com \u00d7 45.76.62.78 | ASN AS20473 the constant company llc",
            "Exploit source: 138.197.103.178",
            "https://www.sweetheartvideo.com/tsara-brashears/ | www.sweetheartvideo.com",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "Ransomware: FileHash-SHA256  557f1759be4fdf6b9dff732c8e8aa369f4d7f9fe61a0c462c0dc8d30c2973812"
          ],
          "public": 1,
          "adversary": "IDK",
          "targeted_countries": [
            "Japan",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/SmokeLoader",
              "display_name": "Trojan:Win32/SmokeLoader",
              "target": "/malware/Trojan:Win32/SmokeLoader"
            },
            {
              "id": "VirTool:Win32/Injector.gen!BQ",
              "display_name": "VirTool:Win32/Injector.gen!BQ",
              "target": "/malware/VirTool:Win32/Injector.gen!BQ"
            },
            {
              "id": "TrojanSpy:Win32/Small",
              "display_name": "TrojanSpy:Win32/Small",
              "target": "/malware/TrojanSpy:Win32/Small"
            },
            {
              "id": "Trojan:Win32/Cenjonsla.D!bit",
              "display_name": "Trojan:Win32/Cenjonsla.D!bit",
              "target": "/malware/Trojan:Win32/Cenjonsla.D!bit"
            },
            {
              "id": "ELF:Mirai-GH\\ [Trj]",
              "display_name": "ELF:Mirai-GH\\ [Trj]",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1091",
              "name": "Replication Through Removable Media",
              "display_name": "T1091 - Replication Through Removable Media"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 467,
            "domain": 1213,
            "hostname": 773,
            "FileHash-SHA256": 1513,
            "FileHash-MD5": 887,
            "FileHash-SHA1": 729,
            "CVE": 4,
            "email": 10,
            "SSLCertFingerprint": 5
          },
          "indicator_count": 5601,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "615 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "653f4d0c4cca0c5f58530600",
          "name": "BGP.Tools",
          "description": "BGP is a very malicious, developed spyware tool. Attorneys, insurance companies use tool. BGP  Hurricane. In the past they will call target and a modem connects draining ALL content. It can CNC device, erase everything from it, manipulate dropbox as well as other clouds.  Very destructive.Once you're a target your privacy is gone for good. Assertions from threat crowd that CISA/Valmet are government phishing entities concerns me. BGP gets a  100% malicious score. Listed as part of infrastructure is CISA. A familiar name in adult content and other commands, vulnerabilities,etc. I'm not sure what to believe, or what's going on.",
          "modified": "2023-11-29T05:05:42.592000",
          "created": "2023-10-30T06:28:28.160000",
          "tags": [
            "ssl certificate",
            "whois record",
            "referrer",
            "whois whois",
            "communicating",
            "relacionada",
            "resolutions",
            "historical ssl",
            "collections new",
            "family",
            "lolkek",
            "dark power",
            "ransomware",
            "play ransomware",
            "makop",
            "core",
            "redline stealer",
            "hacktool",
            "emotet",
            "quasar rat",
            "wiper",
            "ursnif",
            "malware",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "self",
            "server",
            "date wed",
            "html info",
            "meta tags",
            "name verdict",
            "falcon sandbox",
            "pattern match",
            "changelog",
            "header",
            "layer",
            "data",
            "ipv4",
            "function",
            "ascii text",
            "et tor",
            "known tor",
            "meta",
            "monitoring",
            "body",
            "form",
            "august",
            "june",
            "friendly",
            "main",
            "footer",
            "date",
            "unknown",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "njrat",
            "cobalt strike"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 42,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3631,
            "FileHash-MD5": 45,
            "FileHash-SHA1": 44,
            "FileHash-SHA256": 1788,
            "CVE": 5,
            "domain": 543,
            "hostname": 1328,
            "CIDR": 2,
            "email": 1
          },
          "indicator_count": 7387,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "914 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "653fd47a852cc130c72de9e5",
          "name": "BGP.Tools",
          "description": "",
          "modified": "2023-11-29T05:05:42.592000",
          "created": "2023-10-30T16:06:18.567000",
          "tags": [
            "ssl certificate",
            "whois record",
            "referrer",
            "whois whois",
            "communicating",
            "relacionada",
            "resolutions",
            "historical ssl",
            "collections new",
            "family",
            "lolkek",
            "dark power",
            "ransomware",
            "play ransomware",
            "makop",
            "core",
            "redline stealer",
            "hacktool",
            "emotet",
            "quasar rat",
            "wiper",
            "ursnif",
            "malware",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "self",
            "server",
            "date wed",
            "html info",
            "meta tags",
            "name verdict",
            "falcon sandbox",
            "pattern match",
            "changelog",
            "header",
            "layer",
            "data",
            "ipv4",
            "function",
            "ascii text",
            "et tor",
            "known tor",
            "meta",
            "monitoring",
            "body",
            "form",
            "august",
            "june",
            "friendly",
            "main",
            "footer",
            "date",
            "unknown",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "njrat",
            "cobalt strike"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "653f4d0c4cca0c5f58530600",
          "export_count": 39,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3631,
            "FileHash-MD5": 45,
            "FileHash-SHA1": 44,
            "FileHash-SHA256": 1788,
            "CVE": 5,
            "domain": 543,
            "hostname": 1328,
            "CIDR": 2,
            "email": 1
          },
          "indicator_count": 7387,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "914 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "dev.dancerage.com - Unknown\tdev.sportshelves.com\tA\t199.59.242.153| dev.sportshelves.com | www.imarkdev.com \u00d7 45.76.62.78 | ASN AS20473 the constant company llc",
        "ELF:Mirai-GH\\ [Trj] Trojan:Win32/Cenjonsla.D!bit Trojan:Win32/SmokeLoader TrojanSpy:Win32/Small VirTool:Win32/Injector.gen!BQ",
        "Ransomware: FileHash-SHA256  557f1759be4fdf6b9dff732c8e8aa369f4d7f9fe61a0c462c0dc8d30c2973812",
        "Malware : http://gomyron.com/MTgzNjk=/2/6433/ronnoagraug/  - Huawei HG532 RCE Vulnerability",
        "https://tria.ge/250211-dt1hcswme1",
        "Zipped IOC: c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
        "https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark",
        "https://www.filescan.io/uploads/68b261771c81c34281d8af6d/reports/44924eb0-000d-42ad-944e-36bf849a406d/overview",
        "TrojanSpy:Win32/Small : FileHash-SHA256 afec8925c79d6bb948ce08df54753268f63b4cb770456e6b623d9985fb1499cd",
        "CVE-2017-17215 - Huawei HG532 RCE Vulnerability / Huawei Remote Command Execution - Outbound / Huawei Remote Command Execution",
        "https://tria.ge/250211-dhpxgswlax",
        "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/summary",
        "Added some URLs from FSio Report to URLScan",
        "Exploit source: 138.197.103.178",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "Trojan:Win32/Cenjonsla.D!bit : FileHash-SHA256 8d5fe61f75602c85c9cd196e7accc17e119191655d4ecd56da498663f5a8c92b",
        "https://hybrid-analysis.com/file-collection/67aa8951a3fc5708a905306a",
        "superanalbizflowforum.com | www.networksolutions.com",
        "https://tria.ge/250210-3c3c3askfz",
        "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/community",
        "https://tria.ge/250211-dx9v7swnbw",
        "https://tria.ge/250210-3y8f7sspdy",
        "Trojan:Win32/SmokeLoader : FileHash-SHA256 29d85b4c2d52a8bcb081aa40e3d4334a864e988e1fe17933f903b4114be8e56e",
        "Malware Hosting: 162.43.116.132 | 183.181.98.116",
        "https://www.sweetheartvideo.com/tsara-brashears/ | www.sweetheartvideo.com",
        "https://www.virustotal.com/graph/embed/g4d7797bcffdd450281d4012ac3a0a5ee3fafe8b4f5964c18b4e0332306cb367b?theme=dark",
        "https://www.virustotal.com/graph/embed/g0cfdc207f7d14c9a9173c2f9b804dd92b17706ef2a8c41dba3e0af36353cd70b?theme=dark",
        "Government of AB https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce OTX AlienVault 2096",
        "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/iocs",
        "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
        "VirTool:Win32/Injector.gen!BQ : FileHash-SHA256  a23846fe9a306c84eb1fb2b6b0b2b3a5fdbd958f747a10ccdb435d97e35de6f9",
        "https://tria.ge/250210-3nh4kasmes",
        "https://www.virustotal.com/gui/file/19ec86ce10a716e8e63804239052c96cfa0a7fb66c2820bda2e66358f622525c/community",
        "ELF:Mirai-GH\\ [Trj] : FileHash-SHA256 866dfa8f3e4f4f26b70fd046fa6dcbc16eea1abc3bfaddb099d675e77ce26942 trojan",
        "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96",
        "https://viz.greynoise.io/ip/analysis/408b56e2-1932-4975-b348-5a8a7c5991d4",
        "http://superanalbizflowforum.com/tsara-lynn-brashears",
        "Malware Hosting: http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
        "North American Aerospace Defense Command NORAD",
        "CVE-2017-8759 -\t\".NET Framework Remote Code Execution Vulnerability.\" CVE-2018-8453 -  \"Win32k Elevation of Privilege Vulnerability.'",
        "UAlberta = https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecbe",
        "c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
        "Cert[.]pl MLDB: 1da23fc67a5f101321e39d04e76dcaa7",
        "https://tip.neiki.dev/file/c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
        "https://report.netcraft.com/submission/ATkcJjvq2iKUQhELceQs7q4WVU76Q8QG - Submitted IPv4s to Netcraft 08.29.25",
        "<iframe   src=\"https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark\"   width=\"700\"   height=\"400\"> </iframe>",
        "https://www.virustotal.com/gui/search/engines:trojan%20AND%20engines:dropper%20AND%20engines:razy%20AND%20engines:copak",
        "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "IDK"
          ],
          "malware_families": [
            "Virtool:win32/injector.gen!bq",
            "Elf:mirai-gh\\ [trj]",
            "Trojanspy:win32/small",
            "Trojan:win32/smokeloader",
            "Trojan:win32/cenjonsla.d!bit"
          ],
          "industries": [
            "Healthcare",
            "Finance",
            "Energy",
            "Agriculture",
            "Media",
            "Retail",
            "Telecommunications",
            "Hospitality",
            "Government",
            "Education",
            "Technology"
          ],
          "unique_indicators": 30979
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/crt.sh",
    "whois": "http://whois.domaintools.com/crt.sh",
    "domain": "crt.sh",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "6a0e9725b323ae1350c36488",
      "name": "no comment",
      "description": "",
      "modified": "2026-05-21T06:52:08.577000",
      "created": "2026-05-21T05:24:53.947000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 366,
        "FileHash-SHA1": 366,
        "FileHash-SHA256": 5078,
        "IPv4": 44,
        "URL": 2414,
        "domain": 1305,
        "hostname": 366,
        "CIDR": 1,
        "email": 2,
        "Mutex": 1
      },
      "indicator_count": 9943,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "10 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a5c36b78ed73550bb0bf22",
      "name": "by Disable_Duck",
      "description": "",
      "modified": "2026-03-04T23:37:24.208000",
      "created": "2026-03-02T17:05:47.288000",
      "tags": [
        "kgs0",
        "kls0",
        "botname http",
        "entity",
        "UAlberta",
        "Telus",
        "Norton",
        "ffss",
        "Alberta",
        "AlbertaNDP",
        "InteriorHealth",
        "RCMP",
        "CrimeStoppersAB",
        "EdmontonPolice",
        "RCMP Kelowna",
        "RCMP AB",
        "TLS/SSL Crawler",
        "CVE-2026-24061 Attempt",
        "Generic IoT Default Password Attempt",
        "Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt",
        "Dahua Backdoor Attempt",
        "ENV Crawler",
        "DCERPC Protocol",
        "Carries HTTP Referer",
        "GNU Inetutils Telnetd Auth Bypass",
        "ICMPv4 Protocol"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
        "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
        "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Netherlands",
        "Panama",
        "Poland",
        "United Kingdom of Great Britain and Northern Ireland",
        "Slovakia",
        "Aruba",
        "Anguilla",
        "Australia",
        "Costa Rica",
        "Guatemala",
        "Mexico",
        "Trinidad and Tobago",
        "Cura\u00e7ao",
        "Philippines",
        "Virgin Islands, U.S.",
        "Ukraine",
        "Barbados",
        "Germany",
        "Sint Maarten (Dutch part)",
        "Argentina",
        "Switzerland"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Healthcare",
        "Government",
        "Technology",
        "Energy",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": "6901363c4ce422f5caf0f72c",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3903,
        "FileHash-SHA1": 4967,
        "FileHash-SHA256": 12884,
        "URL": 996,
        "domain": 987,
        "hostname": 3306,
        "email": 4,
        "CVE": 1
      },
      "indicator_count": 27048,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "88 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6901363c4ce422f5caf0f72c",
      "name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)",
      "description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse is mostly covering activity in the Province of Alberta Canada. Given recent news, it appears that BC Interior Health and Kelowna RCMP Detachment impacted in addition to Alberta Sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6,7,8 as well as the Canadian CRA heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)",
      "modified": "2026-02-18T05:00:41.494000",
      "created": "2025-10-28T21:31:40.008000",
      "tags": [
        "kgs0",
        "kls0",
        "botname http",
        "entity",
        "UAlberta",
        "Telus",
        "Norton",
        "ffss",
        "Alberta",
        "AlbertaNDP",
        "InteriorHealth",
        "RCMP",
        "CrimeStoppersAB",
        "EdmontonPolice",
        "RCMP Kelowna",
        "RCMP AB"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
        "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Netherlands",
        "Panama",
        "Poland",
        "United Kingdom of Great Britain and Northern Ireland",
        "Slovakia",
        "Aruba",
        "Anguilla",
        "Australia",
        "Costa Rica",
        "Guatemala",
        "Mexico",
        "Trinidad and Tobago",
        "Cura\u00e7ao",
        "Philippines",
        "Virgin Islands, U.S.",
        "Ukraine",
        "Barbados",
        "Germany",
        "Sint Maarten (Dutch part)"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Healthcare",
        "Government",
        "Technology",
        "Energy",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3903,
        "FileHash-SHA1": 4967,
        "FileHash-SHA256": 12884,
        "URL": 995,
        "domain": 984,
        "hostname": 3305,
        "email": 4
      },
      "indicator_count": 27042,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "103 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68adee67c08cd025b05c2ab0",
      "name": "Collection of Collections - Updated - Malicious Certificates & University of Alberta DataBreach - 09.15.25.25",
      "description": "This Pulse is an attempt to aggregate all known certificates from all sources.\n\nEncrypted Communication: The malware uses Bitcoin and Ethereum addresses for communication, allowing it to receive commands and exfiltrate data securely.\nEvasion Techniques: The malware generates long and unusual domain parts using Domain Generation Algorithms to evade detection and establish communication with its C2 server.\nData Exfiltration: The malware can exfiltrate data to cloud storage services, enabling the threat actor to steal sensitive information from the compromised system.\nRemote Access: The malware leverages bidirectional communication and system binary proxy execution techniques to enable remote access and control over the infected system.\nIngress Tool Transfer: The malware downloads executable files from URLs, indicating its ability to download additional malicious payloads or updates to enhance its capabilities.",
      "modified": "2025-10-16T05:02:02.452000",
      "created": "2025-08-26T17:27:01.650000",
      "tags": [
        "http",
        "https",
        "kgs0",
        "kls0",
        "Malcerts",
        "Certificates",
        "Alberta",
        "GovAB",
        "UAlberta",
        "Speader"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g0cfdc207f7d14c9a9173c2f9b804dd92b17706ef2a8c41dba3e0af36353cd70b?theme=dark",
        "https://viz.greynoise.io/ip/analysis/408b56e2-1932-4975-b348-5a8a7c5991d4",
        "https://report.netcraft.com/submission/ATkcJjvq2iKUQhELceQs7q4WVU76Q8QG - Submitted IPv4s to Netcraft 08.29.25",
        "https://www.filescan.io/uploads/68b261771c81c34281d8af6d/reports/44924eb0-000d-42ad-944e-36bf849a406d/overview",
        "https://www.virustotal.com/gui/file/19ec86ce10a716e8e63804239052c96cfa0a7fb66c2820bda2e66358f622525c/community",
        "Added some URLs from FSio Report to URLScan"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Netherlands",
        "Aruba",
        "Panama",
        "Poland",
        "Ukraine",
        "United Kingdom of Great Britain and Northern Ireland",
        "Anguilla",
        "United Arab Emirates",
        "Ireland",
        "Tanzania, United Republic of",
        "Philippines",
        "Japan",
        "Guatemala",
        "Mexico",
        "Bahamas",
        "Barbados",
        "Georgia",
        "Slovakia",
        "Sint Maarten (Dutch part)",
        "Kenya"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Government",
        "Technology",
        "Telecommunications",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1639,
        "FileHash-MD5": 1481,
        "FileHash-SHA1": 1421,
        "FileHash-SHA256": 5969,
        "domain": 707,
        "hostname": 2311,
        "email": 5,
        "CIDR": 13
      },
      "indicator_count": 13546,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 133,
      "modified_text": "228 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68b78d521f024d3a98fc79c8",
      "name": "VT Graph miniuser - Databreach IOCs & Links",
      "description": "Related to Pulse: Food for Thought (Updated 09.02.25)\n\n*Note most links are malicious",
      "modified": "2025-10-03T00:01:12.616000",
      "created": "2025-09-03T00:35:30.936000",
      "tags": [
        "kgs0",
        "kls0",
        "entity",
        "UAlberta",
        "University of Alberta",
        "Hacked",
        "DataBreach"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 132,
        "FileHash-SHA1": 121,
        "FileHash-SHA256": 711,
        "URL": 83,
        "domain": 50,
        "hostname": 125
      },
      "indicator_count": 1222,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "241 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67b109cbfbcc6f92c399b327",
      "name": "UAlberta Breach Data - Food for thought - thoughts & input on how to 'bring some attention to this' (not enriched)",
      "description": "Just thought I'd throw thisntogether and 'see what ya'll make of it' (documents a VT graph produced and slightly modified) that pulls a lot of things together.  Highlights both 'some problems' - U of A / Gov. of AB (who are also some 'solutions'). \nIdeas on how to grab their attention and maybe bring some 'urgency' to this issue? I have a few solutions and ideas for everyone - problem: I require some folks to 'do their jobs' (there is not 10 of me). Thoughts on how to encourage them to act on these problems. Present status: Connected directly to them on other devices. Within literal 5 min walking range.",
      "modified": "2025-05-27T07:01:17.646000",
      "created": "2025-02-15T21:40:27.895000",
      "tags": [
        "kgs0",
        "kls0"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark",
        "<iframe   src=\"https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark\"   width=\"700\"   height=\"400\"> </iframe>",
        "Government of AB https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce OTX AlienVault 2096",
        "UAlberta = https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecbe"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Government",
        "Healthcare",
        "Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 5,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 215,
        "FileHash-SHA1": 193,
        "FileHash-SHA256": 1302,
        "URL": 166,
        "domain": 100,
        "hostname": 234
      },
      "indicator_count": 2210,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 131,
      "modified_text": "369 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67aac6e4b628acffaed3f068",
      "name": "New Batch - Malcerts - 02.10.25 - unenriched",
      "description": "Here is the full text of the text that was found on the website of Mozilla, following an investigation by the security firm Virustotal and the UK's Office of National Statistics (ONS).. [autofilled].\n\nMore Malcerts from Sample Device deployed at several sites in YEG - Canada. Related to pulse - Thor Scan Lite Linux\nNot enriched on import, but did include links to VT entries as IOCs (those will be false positives - but easy access). \nFolder name: Mozilla Located @ /usr/share/ca-certificates",
      "modified": "2025-03-16T17:01:06.968000",
      "created": "2025-02-11T03:41:24.585000",
      "tags": [
        "UAlberta",
        "Malcerts",
        "Certificates",
        "Eduroam",
        "Alberta"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/iocs",
        "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/summary",
        "https://hybrid-analysis.com/file-collection/67aa8951a3fc5708a905306a",
        "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/community",
        "https://tria.ge/250210-3c3c3askfz",
        "https://tria.ge/250210-3nh4kasmes",
        "https://tria.ge/250210-3y8f7sspdy",
        "https://tria.ge/250211-dhpxgswlax",
        "https://tria.ge/250211-dt1hcswme1",
        "https://tria.ge/250211-dx9v7swnbw",
        "Zipped IOC: c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
        "https://www.virustotal.com/graph/embed/g4d7797bcffdd450281d4012ac3a0a5ee3fafe8b4f5964c18b4e0332306cb367b?theme=dark",
        "https://tip.neiki.dev/file/c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
        "c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
        "Cert[.]pl MLDB: 1da23fc67a5f101321e39d04e76dcaa7"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Government",
        "Healthcare",
        "Telecommunications",
        "Finance",
        "Agriculture",
        "Hospitality",
        "Media",
        "Retail"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 831,
        "FileHash-SHA1": 801,
        "FileHash-SHA256": 3227,
        "URL": 395,
        "domain": 189,
        "hostname": 798
      },
      "indicator_count": 6241,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 131,
      "modified_text": "441 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66c9bb42dd32d415f9aaa06c",
      "name": "Botnet exchange  | NORAD Tracking | Mirai | Injection | Spyware | Remote executions",
      "description": "North American Aerospace Defense Command NORAD - http://superanalbizflowforum.com/tsara-lynn-brashears (really?)\nwww.norad.mil , www.northcom.mil, dodcio.defense.gov, www.defense.gov\nwww.dodig.mil, www.foia.gov , prhome.defense.gov\n, www.ourmilitary.com, www.noradsanta.org , www.web.dma.mil  \nIt's hard to tell or believe military and DoD conduct business this way. I tend to think scam abuse. Exception: target, escorted by security to appt in a DHS secured b,dg. She was then told to leave after receptionist received a call stating target was a threat. Entire floor was secured off. TB beyond upset w/ my carelessness of veteran & other comments. Targets Father, brother uncles, cousins, all served honorably w/some now terminally affected &mothers passed on from Camp Lejeune related complications. Father, an engineer & veteran  worked on AEGIS weapons system test team for 3 now potentially decommissioned military Destroyers. \nI apologize prefusly for comment, MIL involvement was prevalent; it remains cloudy.",
      "modified": "2024-09-23T09:03:54.724000",
      "created": "2024-08-24T10:51:46.907000",
      "tags": [
        "server",
        "whois lookup",
        "domain name",
        "llc sponsoring",
        "registrar iana",
        "referral url",
        "tsara brashears",
        "referrer",
        "porn",
        "networks",
        "botnet campaign",
        "pyinstaller",
        "apple",
        "password",
        "cybercrime",
        "it consultant",
        "metro",
        "skynet",
        "analyzer paste",
        "iocs",
        "hostnames",
        "urls http",
        "cyber threat",
        "cnc server",
        "ibm xforce",
        "exchange",
        "covid19",
        "tracker",
        "exchange botnet",
        "command",
        "control server",
        "keybase",
        "citadel",
        "stealer",
        "zeus",
        "radamant",
        "kovter",
        "zbot",
        "suppobox",
        "simda",
        "virut",
        "kraken",
        "amonetize",
        "msil",
        "phishing",
        "malicious",
        "feodo",
        "united",
        "germany unknown",
        "as133775 xiamen",
        "unknown",
        "china unknown",
        "passive dns",
        "domain",
        "search",
        "cisco umbrella",
        "site",
        "alexa top",
        "million",
        "safe site",
        "malware site",
        "malicious site",
        "malware",
        "malicious url",
        "files domain",
        "files related",
        "related tags",
        "none md5",
        "as35908 krypt",
        "status hostname",
        "query type",
        "address first",
        "seen last",
        "seen asn",
        "country unknown",
        "status",
        "record value",
        "all scoreblue",
        "meta",
        "trend today",
        "link",
        "japan unknown",
        "script urls",
        "script script",
        "name servers",
        "script domains",
        "accept",
        "encrypt",
        "gmt content",
        "gmt etag",
        "ipv4",
        "url analysis",
        "pragma",
        "scan endpoints",
        "pulse submit",
        "urls",
        "body",
        "date",
        "hostname",
        "pulse pulses",
        "react app",
        "verizon feed",
        "bq aug",
        "typeof e",
        "object",
        "wds socket",
        "error",
        "path max",
        "path",
        "cookie",
        "suspicious",
        "virtool",
        "info",
        "trace",
        "moved",
        "aaaa nxdomain",
        "files",
        "a domains",
        "as9371 sakura",
        "service",
        "servers",
        "xml title",
        "dnssec",
        "showing",
        "next",
        "xserver",
        "title",
        "file",
        "type texthtml",
        "sha256",
        "read c",
        "write c",
        "kryptik",
        "tls sni",
        "style ssl",
        "cert",
        "amazon profile",
        "show",
        "cobaltstrike",
        "trojan",
        "copy",
        "write",
        "win32",
        "persistence",
        "execution",
        "media",
        "autorun",
        "delete c",
        "trojanspy",
        "entries",
        "bytes",
        "jpeg image",
        "ole control",
        "menu",
        "dock zone",
        "delphi",
        "dcom",
        "form",
        "canvas",
        "nxdomain",
        "ds nxdomain",
        "mirai variant",
        "useragent",
        "hello",
        "apache",
        "world",
        "inbound",
        "outbound",
        "hackingtrio ua",
        "activity mirai",
        "http traffic",
        "malware beacon",
        "mirai",
        "exploit",
        "shell",
        "aaaa",
        "as14061",
        "trojanclicker",
        "expl",
        "kr5a head",
        "abuse",
        "agent",
        "virgin islands",
        "as19905",
        "expiration date",
        "organization",
        "as4134 chinanet",
        "as4837 china",
        "type get",
        "as48447 sectigo",
        "united kingdom",
        "content type",
        "arial",
        "secure server",
        "as20940",
        "as2914 ntt",
        "as3257 gtt",
        "as2828 verizon",
        "general",
        ".mil",
        "brian sabey",
        "brian sabey"
      ],
      "references": [
        "North American Aerospace Defense Command NORAD",
        "superanalbizflowforum.com | www.networksolutions.com",
        "http://superanalbizflowforum.com/tsara-lynn-brashears",
        "ELF:Mirai-GH\\ [Trj] Trojan:Win32/Cenjonsla.D!bit Trojan:Win32/SmokeLoader TrojanSpy:Win32/Small VirTool:Win32/Injector.gen!BQ",
        "https://www.virustotal.com/gui/search/engines:trojan%20AND%20engines:dropper%20AND%20engines:razy%20AND%20engines:copak",
        "ELF:Mirai-GH\\ [Trj] : FileHash-SHA256 866dfa8f3e4f4f26b70fd046fa6dcbc16eea1abc3bfaddb099d675e77ce26942 trojan",
        "Trojan:Win32/SmokeLoader : FileHash-SHA256 29d85b4c2d52a8bcb081aa40e3d4334a864e988e1fe17933f903b4114be8e56e",
        "TrojanSpy:Win32/Small : FileHash-SHA256 afec8925c79d6bb948ce08df54753268f63b4cb770456e6b623d9985fb1499cd",
        "Trojan:Win32/Cenjonsla.D!bit : FileHash-SHA256 8d5fe61f75602c85c9cd196e7accc17e119191655d4ecd56da498663f5a8c92b",
        "VirTool:Win32/Injector.gen!BQ : FileHash-SHA256  a23846fe9a306c84eb1fb2b6b0b2b3a5fdbd958f747a10ccdb435d97e35de6f9",
        "Malware Hosting: http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
        "Malware : http://gomyron.com/MTgzNjk=/2/6433/ronnoagraug/  - Huawei HG532 RCE Vulnerability",
        "Malware Hosting: 162.43.116.132 | 183.181.98.116",
        "CVE-2017-17215 - Huawei HG532 RCE Vulnerability / Huawei Remote Command Execution - Outbound / Huawei Remote Command Execution",
        "CVE-2017-8759 -\t\".NET Framework Remote Code Execution Vulnerability.\" CVE-2018-8453 -  \"Win32k Elevation of Privilege Vulnerability.'",
        "dev.dancerage.com - Unknown\tdev.sportshelves.com\tA\t199.59.242.153| dev.sportshelves.com | www.imarkdev.com \u00d7 45.76.62.78 | ASN AS20473 the constant company llc",
        "Exploit source: 138.197.103.178",
        "https://www.sweetheartvideo.com/tsara-brashears/ | www.sweetheartvideo.com",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "Ransomware: FileHash-SHA256  557f1759be4fdf6b9dff732c8e8aa369f4d7f9fe61a0c462c0dc8d30c2973812"
      ],
      "public": 1,
      "adversary": "IDK",
      "targeted_countries": [
        "Japan",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/SmokeLoader",
          "display_name": "Trojan:Win32/SmokeLoader",
          "target": "/malware/Trojan:Win32/SmokeLoader"
        },
        {
          "id": "VirTool:Win32/Injector.gen!BQ",
          "display_name": "VirTool:Win32/Injector.gen!BQ",
          "target": "/malware/VirTool:Win32/Injector.gen!BQ"
        },
        {
          "id": "TrojanSpy:Win32/Small",
          "display_name": "TrojanSpy:Win32/Small",
          "target": "/malware/TrojanSpy:Win32/Small"
        },
        {
          "id": "Trojan:Win32/Cenjonsla.D!bit",
          "display_name": "Trojan:Win32/Cenjonsla.D!bit",
          "target": "/malware/Trojan:Win32/Cenjonsla.D!bit"
        },
        {
          "id": "ELF:Mirai-GH\\ [Trj]",
          "display_name": "ELF:Mirai-GH\\ [Trj]",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1091",
          "name": "Replication Through Removable Media",
          "display_name": "T1091 - Replication Through Removable Media"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 36,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 467,
        "domain": 1213,
        "hostname": 773,
        "FileHash-SHA256": 1513,
        "FileHash-MD5": 887,
        "FileHash-SHA1": 729,
        "CVE": 4,
        "email": 10,
        "SSLCertFingerprint": 5
      },
      "indicator_count": 5601,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 227,
      "modified_text": "615 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "653f4d0c4cca0c5f58530600",
      "name": "BGP.Tools",
      "description": "BGP is a very malicious, developed spyware tool. Attorneys, insurance companies use tool. BGP  Hurricane. In the past they will call target and a modem connects draining ALL content. It can CNC device, erase everything from it, manipulate dropbox as well as other clouds.  Very destructive.Once you're a target your privacy is gone for good. Assertions from threat crowd that CISA/Valmet are government phishing entities concerns me. BGP gets a  100% malicious score. Listed as part of infrastructure is CISA. A familiar name in adult content and other commands, vulnerabilities,etc. I'm not sure what to believe, or what's going on.",
      "modified": "2023-11-29T05:05:42.592000",
      "created": "2023-10-30T06:28:28.160000",
      "tags": [
        "ssl certificate",
        "whois record",
        "referrer",
        "whois whois",
        "communicating",
        "relacionada",
        "resolutions",
        "historical ssl",
        "collections new",
        "family",
        "lolkek",
        "dark power",
        "ransomware",
        "play ransomware",
        "makop",
        "core",
        "redline stealer",
        "hacktool",
        "emotet",
        "quasar rat",
        "wiper",
        "ursnif",
        "malware",
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "kb body",
        "sha256",
        "self",
        "server",
        "date wed",
        "html info",
        "meta tags",
        "name verdict",
        "falcon sandbox",
        "pattern match",
        "changelog",
        "header",
        "layer",
        "data",
        "ipv4",
        "function",
        "ascii text",
        "et tor",
        "known tor",
        "meta",
        "monitoring",
        "body",
        "form",
        "august",
        "june",
        "friendly",
        "main",
        "footer",
        "date",
        "unknown",
        "hybrid",
        "general",
        "local",
        "click",
        "strings",
        "class",
        "generator",
        "critical",
        "error",
        "njrat",
        "cobalt strike"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 42,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3631,
        "FileHash-MD5": 45,
        "FileHash-SHA1": 44,
        "FileHash-SHA256": 1788,
        "CVE": 5,
        "domain": 543,
        "hostname": 1328,
        "CIDR": 2,
        "email": 1
      },
      "indicator_count": 7387,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 222,
      "modified_text": "914 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "653fd47a852cc130c72de9e5",
      "name": "BGP.Tools",
      "description": "",
      "modified": "2023-11-29T05:05:42.592000",
      "created": "2023-10-30T16:06:18.567000",
      "tags": [
        "ssl certificate",
        "whois record",
        "referrer",
        "whois whois",
        "communicating",
        "relacionada",
        "resolutions",
        "historical ssl",
        "collections new",
        "family",
        "lolkek",
        "dark power",
        "ransomware",
        "play ransomware",
        "makop",
        "core",
        "redline stealer",
        "hacktool",
        "emotet",
        "quasar rat",
        "wiper",
        "ursnif",
        "malware",
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "kb body",
        "sha256",
        "self",
        "server",
        "date wed",
        "html info",
        "meta tags",
        "name verdict",
        "falcon sandbox",
        "pattern match",
        "changelog",
        "header",
        "layer",
        "data",
        "ipv4",
        "function",
        "ascii text",
        "et tor",
        "known tor",
        "meta",
        "monitoring",
        "body",
        "form",
        "august",
        "june",
        "friendly",
        "main",
        "footer",
        "date",
        "unknown",
        "hybrid",
        "general",
        "local",
        "click",
        "strings",
        "class",
        "generator",
        "critical",
        "error",
        "njrat",
        "cobalt strike"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "653f4d0c4cca0c5f58530600",
      "export_count": 39,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3631,
        "FileHash-MD5": 45,
        "FileHash-SHA1": 44,
        "FileHash-SHA256": 1788,
        "CVE": 5,
        "domain": 543,
        "hostname": 1328,
        "CIDR": 2,
        "email": 1
      },
      "indicator_count": 7387,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 228,
      "modified_text": "914 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://crt.sh/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://crt.sh/",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780290266.9834244
}