{ "type": "URL", "indicator": "https://csp.withgoogle.com/csp/hosted-libraries-pushers", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://csp.withgoogle.com/csp/hosted-libraries-pushers", "type": "url", "type_title": "URL", "validation": [ { "source": "whitelist", "message": "Whitelisted domain withgoogle.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain withgoogle.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3155864018, "indicator": "https://csp.withgoogle.com/csp/hosted-libraries-pushers", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 20, "pulses": [ { "id": "693b7dc3cf1996347652ef92", "name": "Google Site Redirector - Tesla Hackers", "description": "Silencing. By Tesla hackers. Awful example of how any victim of a crime; can become a target of the government..\nThis is especially true when the actual perpetrators work for the government are government affiliated, very wealthy, a celebrity or someone who is deemed important. In this instance the Quasi government sought to keep target seeking and obtaining life saving medical treatment, financial settlement that she was entitled to from assault, injuries from assault, false imprisonment, punitive damgages, pain and suffering, humiliation, premise liability, permanent (whole body disability @MMI ), many other crimes. The victims suffered from a great sadness and betrayal. \n\nObviously racist Elon Musk and crew have access to all government tools. Musk, All things cyber are at his disposal as \ncontinues to abuse privilege.\n They keep playing a God they don\u2019t believe in. God is the Ultimate Avenger.", "modified": "2026-01-11T00:03:08.581000", "created": "2025-12-12T02:28:19.107000", "tags": [ "compromised_site_redirector_fromcharcode", "site_redirector", "string", "regexp", "error", "number", "sxa0", "amptoken", "optout", "retrieving", "notfound", "write", "form", "flash", "vd", "tesla hackers", "nxdomain", "passive dns", "ip address", "domain", "a nxdomain", "urls", "files", "ip related", "pulses otx", "google", "unknown", "oracle", "dynamicloader", "medium", "high", "windows", "rndhex", "write c", "rndchar", "displayname", "tofsee", "yara rule", "stream", "strings", "push", "lte all", "search otx", "ource url", "or text", "paste", "data upload", "extraction", "elon musk", "indicator role", "active related", "ipv4", "exploitsource", "url https", "url http", "desktopinternet", "title added", "pulses ipv4", "less see", "ids detections", "vuze bt", "udp connection", "contacted", "filehash", "av detections", "yara detections", "alerts", "0x8aa42", "0xe3107", "upnp", "http request", "bittorrent", "file", "module load", "t1129", "post http", "install", "execution", "malware", "hostile", "crawl", "windows nt", "wow64", "get zona", "get httpget", "hash", "entries", "read c", "suspicious", "next", "united" ], "references": [ "Tesla Hackers | https://www.teslarati.com/spacex", "Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint", "142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source", "IDS Detections Win32/ZonaInstaller Install Beacon", "https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\", "https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=", "https://www.google-analytics.com/debug/bootstrap?id=\\", "https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga", "https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022", "https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=", "This is why our team tells a back story. It can and does happen to anyone.", "We apologize for so may typos and errors. We strive to do better at that." ], "public": 1, "adversary": "Tesla Hackers", "targeted_countries": [], "malware_families": [ { "id": "Vd", "display_name": "Vd", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Trojan.12382640-1", "display_name": "Win.Trojan.12382640-1", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65, "FileHash-SHA1": 34, "FileHash-SHA256": 2032, "URL": 4921, "domain": 567, "hostname": 1586, "SSLCertFingerprint": 4 }, "indicator_count": 9209, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693adba47b2cce69440c726a", "name": "TESLA HACKERS | Login Google", "description": "Attackers target victims Google account, Google browser, Google homepage.\n\nTesla Hackers in the job. Tesla hackers are very young , angry, kids who chased target around mercilessly in their vehicles, photographed target, drive threateningly. Nothing sophisticated about the stalker crewl. This is intentional. Finding troubled individuals who are desperate for power is pretty easy. \n\nThe hit men range from gang members, white , black , Hispanic to the highly educated, Hit man who attempted to take target out was a spoiled, angry , aggressive, sneering POC. He walked in Denver. The next morning , the area target was driven if roadway was closed off and filled with a rather large road crew, work continues to work on this area. (Charlie Kirk like). Alleged traffic officer claims cameras pointed in different directions that night. He was identified as a computer science major by a PI. This feels so dangerous.", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T14:56:36.874000", "tags": [ "tlsv1", "united", "oamazon", "cnamazon rsa", "jfif", "ogoogle trust", "cngts ca", "exif standard", "tiff image", "xresolution74", "execution", "dock", "write", "persistence", "malware", "encrypt", "ca https", "no expiration", "iocs", "url https", "enter source", "url or", "text drag", "drop or", "browse to", "select file", "ipv4", "url http", "type indicator", "sec ch", "ch ua", "unknown", "ua full", "ua platform", "as44273 host", "ua bitness", "msie", "chrome", "backdoor", "trojandropper", "passive dns", "forbidden", "body", "twitter", "trojan", "cookie", "title", "windows nt", "wow64", "slcc2", "media center", "read c", "port", "destination", "local", "moved", "integration all", "urls", "files", "reverse dns", "location united", "america flag", "name servers", "hostname", "unique", "expires wed", "gmt date", "server", "date wed", "connection", "use linux", "cybersecurity", "http", "ip address", "files location", "flag united", "win32", "urls show", "date checked", "url hostname", "server response", "virtool", "date hash", "avast avg", "heur", "lowfi", "k sep", "contacted", "related tags", "none file", "type", "present dec", "present nov", "mtb mar", "aaaa", "hacktool", "indicator role", "domain", "url add", "as20940", "as16625 akamai", "present mar", "present may", "as54113", "present apr", "ipv4 add", "url analysis", "servers", "emails", "hostname add", "present aug", "present sep", "present oct", "status", "present jul", "data upload", "extraction", "as208722 yandex", "russia unknown", "a domains", "expirestue", "path", "certificate", "medium", "alerts show", "ck technique", "technique id", "installs", "pe32", "intel", "ms windows", "high", "icmp traffic", "dns query", "packing t1045", "t1045", "screenshots", "file type", "date february", "pm size", "imphash pehash", "guard", "syst", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "spawns", "t1590 gather", "flag", "united kingdom", "command decode", "belgium belgium", "federation", "france france", "ireland ireland", "canada canada", "suricata ipv4", "click", "tesla hackers", "elon musk", "show", "richhash", "external", "virustotal api", "comments", "vendor finding", "notes clamav", "ms defender", "files matching", "copy", "found", "ssl certificate", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "yara rule", "reads", "number", "sample analysis", "hide samples", "entries", "samples show", "next yara", "detections name", "devcv5 ujrb", "ujrb", "uja1t", "show technique", "mitre att", "ck matrix", "ascii text", "pattern match", "sha1", "network traffic", "show process", "general" ], "references": [ "https://www.teslarati.com/spacex", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "https://www.teslarati.com/", "https://www.teslarati.com/spacex", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "Source : Binary File ATT&CK ID T1566.002", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "Detected Non-Google domain serving Google homepage details", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Japan" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "display_name": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "target": "/malware/Ms Defender\tTrojan:Win32/Qbot.KVD!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Jaik-9940406-0", "display_name": "Win.Malware.Jaik-9940406-0", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "display_name": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5894, "FileHash-MD5": 458, "FileHash-SHA1": 305, "FileHash-SHA256": 2481, "SSLCertFingerprint": 26, "hostname": 2406, "domain": 966, "email": 16, "CVE": 1 }, "indicator_count": 12553, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ef0516013ca78448bf4e5", "name": "Foundry \u2022 Reflected Networks Pornhub Malvertising Subsidiary", "description": "Foundry ? Pornhub\nsanfoundry.com\ncompliance.fifoundry.net- Pornhub subsidiary. Targets networks, devices, routers, used for promoting pornography and her music. Producer revealed her hooks were used for Justin Bieber & Tori Kelly songs that. A producer stated her songs had been grifted. Both Tsara Brashears & a studio were in Pegasus & attacked by \u2018Lazarus\u2019 Group. She was told in detail how her songs can be used by music insiders if they choose. Target trolled by mocking hackers re: the JB and Kelly song.. Trojan:Win32/DisableUAC.A!bit\n, MSIL:Suspicious:ScreenCapture.S01\nIDS Detections\nLokiBot Checkin\nLokiBot User-Agent (Charon/Inferno)\nLokiBot Application/Credential Data Exfiltration Detected M1\nLokiBot Request for C2 Commands Detected M1\nLokiBot Application/Credential Data Exfiltration Detected M2\nLokiBot Request for C2 Commands Detected M2\nTrojan Generic - POST To gate.php with no referer\nSSL excessive fatal alerts (possible POODLE attack against server)\nI will revisit this. Gloryhole Foundation?", "modified": "2025-09-02T04:01:31.218000", "created": "2025-08-03T05:14:57.402000", "tags": [ "united", "moved", "entries", "passive dns", "detected m1", "next associated", "mtb apr", "mtb aug", "server", "gmt content", "trojandropper", "trojan", "body", "lokibot request", "c2 commands", "detected m2", "otx telemetry", "historical otx", "twitter running", "open ports", "cves", "time", "dynamicloader", "port", "search", "show", "destination", "alerts", "copy", "dynamic", "medium", "write", "creation date", "hostmaster", "urls", "domain", "showing", "hostname add", "pulse pulses", "date", "flag", "falcon sandbox", "name server", "markmonitor", "analysis", "mitre att", "anonymous", "upgrade", "hybrid", "contact", "usa windows", "december", "input threat", "level analysis", "summary", "february", "hwp support", "january", "october", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "calls", "command", "javascript", "object model", "model", "windir", "json data", "localappdata", "ascii text", "temp", "getprocaddress", "script", "license", "runtime process", "copy md5", "facebook", "roboto", "error", "win64", "path", "blink", "meta", "factory", "general", "comspec", "click", "strings", "damage", "mini", "stop", "core", "expl", "win32", "gmt server", "ecacc saa83dd", "ipv4 add", "twitter", "cobalt strike", "mozilla" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 263, "FileHash-SHA1": 256, "FileHash-SHA256": 837, "hostname": 4415, "URL": 1918, "domain": 1884, "email": 2, "SSLCertFingerprint": 2 }, "indicator_count": 9577, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c68bc8b8745068608cc50d", "name": "Metasploit | Ransomware | PinterestPots - Pin.it", "description": "", "modified": "2024-03-10T20:03:45.513000", "created": "2024-02-09T20:32:08.358000", "tags": [ "whois record", "contacted", "tsara brashears", "ssl certificate", "apple ios", "unlocker", "historical ssl", "referrer", "highly targeted", "critical risk", "hacktool", "malicious", "cobalt strike", "metasploit", "installer", "malware", "awful", "android", "banker", "keylogger", "jeffrey reimer", "emreimer", "emily reimer goldstien", "eva lisa", "eva lisa reimer", "status code", "http response", "ieedge date", "maxage86400", "path", "httponly xcdn", "connection", "vary useragent", "targeting brashears", "communicating", "whois whois", "collections", "password", "adult content", "core", "metro", "apple", "copy", "suspicious", "vj99", "threat", "slfrd1", "paste", "iocs", "analyze", "hostnames", "urls http", "jid1221717543", "slc1", "a domains", "united", "search", "date", "as15169 google", "passive dns", "urls", "record value", "name servers", "status", "encrypt", "win32", "next", "msie", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "body", "domain", "unknown", "china unknown", "pulse pulses", "files", "ip address", "servers", "domain name", "showing", "as54113", "as16625 akamai", "as20940", "aaaa", "cname", "as396982 google", "as14061", "script domains", "hostname", "japan unknown", "gmt content", "gmt etag", "pragma", "accept", "location japan", "asn as131965", "less", "pulses", "related tags", "meta", "asn as13335", "443 ma2592000", "certificate", "germany unknown", "script urls", "link", "code", "moved", "russia unknown", "as51659 llc", "as12616 filanc", "welcome", "uhttps", "urls https", "ccb455304", "ccb455307", "vj93", "uyebaauqaaaaaac", "malvertizing", "tagging", "prefetch8", "script", "prefetch1", "command decode", "segoe ui", "suricata ipv4", "emoji", "mitre att", "suricata udpv4", "roboto", "courier", "february", "hybrid", "general", "model", "comspec", "click", "strings" ], "references": [ "https://gr.pinterest.com/emreimer/", "Wife of Brashears SAter \u2022 Alias \u2022 Couple plays victim \u2022 Karens. HIPPA violations. Admittedly involved cyberstalking on Brashears. Legally agreed to stop.", "message.htm.com \u2022 CVE-2023-4966 \u2022 ransomed.vc", "http://neurosky.jp", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex", "http://alohatube.xyz/search/tsara-brashears", "facebooksunglassshop.com [titled' Tsara Brashears GCcmwm.T ?]", "alohatube.xyz [keylogger aimed at Tsara Brashears]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.pornhub.com/video/search?search=tsara+brashears", "http://alohatube.xyz/search/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashears", "https://alohatube.xyz/search/tsara-brashears+(Formerly+Botnetwork+malvertizing+campaign+targeting+Tsara+Brashears+crime+victim.+Now+", "https://www.sweetheartvideo.com/tsara-brashears/", "manvimishraa5417@gmail.com [Video of Tsara Brashears circulation]", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.hybrid-analysis.com/sample/92b00ee3aca1f3057ad8402229c27bfdd6fc934908ef641b36379bf47093df0b/65c63a1fbc9c5333d20354ca", "https://www.hybrid-analysis.com/file-inline/65c63a1fbc9c5333d20354ca/screenshot/screen_6.png", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing \u2022 mitre S0154]", "CnC IP's: 104.124.58.137 \u2022 45.159.189.105 | Exploit source: 1.179.151.145 | scanning host: 208.115.103.34", "http://www.proxydocker.com/ja/proxy/43.229.135.125:8080", "https://twitter.com/PORNO_SEXYBABES | cloud.zemana.com - porn cloud", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "www.pornhub.com", "http://www.pinterest.com/ideas/songwriting/945635263947/", "https://www.neurosky.jp/wp-content/plugins/responsive-lightbox/assets/fancybox/jquery.fancybox.min.js?ver=2.1.0", "webdisk.thehomemakers.nl", "http://connectivitycheck.gstatic.com/generate_204 [RAT]", "http://discover.hubpages.com/literature/Most-Beautiful-Quotes-on-Love-and-Heartbreak [RAT| Tagging target in adult content fraud sites]", "https://gujarati.ent24x7.comb [RAT]", "http://clipper.guru/bot/online?guid=PC\\Administrator&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb", "https://tulach.cc/socrative/internal.js", "http://email.birdeye.org/c/eJxkUcFuozAU_JrHsTLPYODAIYQmSqXNqmm3q-4FGfNIrAUbGTtV-_UrklRatT5ZnvGbeTNVmLWhed6HsSVXxiLNsyLniUhFyoqolp6eyPgSE4Ysjw407boSMerKWKV90kdUxhnLuMiyhEenUiZ9LjAuij6PMWdMSpnFJPKkLVQrUhHpEtl1GEuSgvG7DIss6XsZCy7jooghYa12Hb3TnXXHaChP3k8z8BXgBnDziSk7Am4mp5U2xwXim-DHZrbBKQJeT852QfmGRqkHQLGAI3U6jMDr_x-VNZ6MB15vf1SAotUd8PpLEJ9cOU5SHw3w2ppBG2omRzMZRc1CaY0cF-21NTO5s_TaGsDqidxZK5oBq62zYQKsdkYBimmQipqL3vq0e9i3-VoOf-J09_dgq-m-enupQnUEFNp0YfbuHXgNKD70dL04Omt6a5QNF_-H-5fd_e9m_fPX_hlQyPOxuTGc9EtKvF69bJvD6", "https://gujarati.ent24x7.com | https://otx.alienvault.com/indicator/url/https://gujarati.ent24x7.com", "162.159.208.8" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "Trojan:VBS/MetasploitVBSCmdStager", "display_name": "Trojan:VBS/MetasploitVBSCmdStager", "target": "/malware/Trojan:VBS/MetasploitVBSCmdStager" }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3412, "FileHash-MD5": 194, "FileHash-SHA1": 159, "FileHash-SHA256": 2223, "domain": 2117, "hostname": 1763, "CVE": 2, "email": 5 }, "indicator_count": 9875, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "771 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4a1c74cf5f1af5be6464e", "name": " authsmtp.sabeydatacenters.com | tulach gained access to Side3 Studios Denver\t\t", "description": "", "modified": "2024-03-09T09:02:09.950000", "created": "2024-02-08T09:41:27.252000", "tags": [ "ssl certificate", "contacted", "historical ssl", "february", "referrer", "threat roundup", "apple ios", "goldfinder", "sibot", "goldmax", "hacktool", "malicious", "formbook", "contacted urls", "resolutions", "malware", "njrat", "ransomware", "open", "cyber criminal", "record type", "ttl value", "dropped", "execution", "hashes hashes", "hashes", "network", "communicating", "maui ransomware", "type name", "jpeg", "ms word", "document", "whois record", "january", "october", "december", "april", "august", "crypto", "awful", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "march", "urls http", "threat network", "problems", "whois whois", "probe", "startpage", "premium", "snatch", "first", "utc submissions", "submitters", "cloudflarenet", "gvb gelimed", "com laude", "mb super", "optimizer", "amazonaes", "summary iocs", "twitter", "united", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "trojan", "as6185 apple", "creation date", "virtool", "worm", "date", "win32", "urls", "search", "servers", "targeting", "target", "tsara brashears", "united kingdom", "whitelisted", "as6453 tata", "passive dns", "domain", "as46606", "scan endpoints", "all search", "otx octoseek", "pulse submit", "url analysis", "as54113", "entries", "moved", "body", "unknown", "found", "files", "backdoor", "expiration date", "hallrender", "tulach", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "as62597 nsone", "as62729", "showing", "next", "as2914 ntt", "ireland unknown", "germany unknown", "as6461 zayo", "as7843 charter", "as3257 gtt", "ip address", "location united", "for privacy", "record value", "as54990", "bouvet island", "encrypt", "show", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "as15169 google", "domains ii", "sality", "ck id", "ck matrix", "intellectual property theft", "malicious file transfers", "scheme", "threat", "paste", "iocs", "hostnames", "urls https", "urls url", "j490s6lkpppw", "lfqprnkje8dni0" ], "references": [ "https://side3.com/", "https://www.side3.com", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "http://fillmark.net/index.php [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "www.icloud.com [wp-login.php]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "s3.amazonaws.com [targeting data collection]", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "api.utah.edu [access apple]", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "tv.apple.com", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "andrewka6.pythonanywhere.com [python connection - apple]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "sonymobilemail.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "pegahpouraseflaw.info", "http://mouthgrave.net/index.php", "ransomed.vc", "Intellectual property accessed and distributed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax", "display_name": "GoldMax", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null } ], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Recording Industry", "Entertainers", "Civil Society" ], "TLP": "white", "cloned_from": "65c4a099f6a2c8fc2bb85d4b", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5271, "FileHash-MD5": 899, "FileHash-SHA1": 881, "FileHash-SHA256": 5609, "domain": 2199, "hostname": 3205, "CVE": 1, "email": 9 }, "indicator_count": 18074, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "772 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4a099f6a2c8fc2bb85d4b", "name": "Cyber espionage & ransomware attacks Denver Recording Studio", "description": "GoldMax is used by UNC2452 as a command-and-control backdoor. It is written in the Go programming language. To hide its activities, it generates dummy traffic.\n\nSibot is a VBScript-based malware that allows attackers to download and run payloads from a remote command-and-control server. It uses file names that are similar to those used in Windows for masquerading. The VBScript is executed through a scheduled task.\n\nGoldFinder is another Go malware used by attackers to access a hardcoded command-and-control (C2) server by logging the route or hops that a packet takes like an HTTP tracer tool.", "modified": "2024-03-09T09:02:09.950000", "created": "2024-02-08T09:36:25.114000", "tags": [ "ssl certificate", "contacted", "historical ssl", "february", "referrer", "threat roundup", "apple ios", "goldfinder", "sibot", "goldmax", "hacktool", "malicious", "formbook", "contacted urls", "resolutions", "malware", "njrat", "ransomware", "open", "cyber criminal", "record type", "ttl value", "dropped", "execution", "hashes hashes", "hashes", "network", "communicating", "maui ransomware", "type name", "jpeg", "ms word", "document", "whois record", "january", "october", "december", "april", "august", "crypto", "awful", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "march", "urls http", "threat network", "problems", "whois whois", "probe", "startpage", "premium", "snatch", "first", "utc submissions", "submitters", "cloudflarenet", "gvb gelimed", "com laude", "mb super", "optimizer", "amazonaes", "summary iocs", "twitter", "united", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "trojan", "as6185 apple", "creation date", "virtool", "worm", "date", "win32", "urls", "search", "servers", "targeting", "target", "tsara brashears", "united kingdom", "whitelisted", "as6453 tata", "passive dns", "domain", "as46606", "scan endpoints", "all search", "otx octoseek", "pulse submit", "url analysis", "as54113", "entries", "moved", "body", "unknown", "found", "files", "backdoor", "expiration date", "hallrender", "tulach", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "as62597 nsone", "as62729", "showing", "next", "as2914 ntt", "ireland unknown", "germany unknown", "as6461 zayo", "as7843 charter", "as3257 gtt", "ip address", "location united", "for privacy", "record value", "as54990", "bouvet island", "encrypt", "show", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "as15169 google", "domains ii", "sality", "ck id", "ck matrix", "intellectual property theft", "malicious file transfers", "scheme", "threat", "paste", "iocs", "hostnames", "urls https", "urls url", "j490s6lkpppw", "lfqprnkje8dni0" ], "references": [ "https://side3.com/", "https://www.side3.com", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "http://fillmark.net/index.php [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "www.icloud.com [wp-login.php]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "s3.amazonaws.com [targeting data collection]", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "api.utah.edu [access apple]", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "tv.apple.com", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "andrewka6.pythonanywhere.com [python connection - apple]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "sonymobilemail.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "pegahpouraseflaw.info", "http://mouthgrave.net/index.php", "ransomed.vc", "Intellectual property accessed and distributed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax", "display_name": "GoldMax", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null } ], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Recording Industry", "Entertainers", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5271, "FileHash-MD5": 899, "FileHash-SHA1": 881, "FileHash-SHA256": 5609, "domain": 2199, "hostname": 3205, "CVE": 1, "email": 9 }, "indicator_count": 18074, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "772 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657081be03964e671c853055", "name": "results.enr.clarityelections.com:TX:Comal:%22 ~ 03.04.2022", "description": "", "modified": "2023-12-06T14:14:21.542000", "created": "2023-12-06T14:14:21.542000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 143, "hostname": 45, "URL": 96, "domain": 13, "CIDR": 1, "FileHash-MD5": 8 }, "indicator_count": 306, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708191cdba4e9f07ba1f93", "name": "mail.ru:%22,", "description": "", "modified": "2023-12-06T14:13:36.976000", "created": "2023-12-06T14:13:36.976000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2753, "hostname": 1341, "domain": 447, "URL": 3301, "CIDR": 65, "FileHash-MD5": 112, "FileHash-SHA1": 2 }, "indicator_count": 8021, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708105cfc42f9740d5cdc1", "name": "case.house.gov", "description": "", "modified": "2023-12-06T14:11:17.482000", "created": "2023-12-06T14:11:17.482000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 689, "hostname": 64, "domain": 34, "URL": 141, "FileHash-MD5": 6, "FileHash-SHA1": 3 }, "indicator_count": 937, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708062a22589c28610ddcb", "name": "AlGreen.org ~ Texas Congressman (D)", "description": "", "modified": "2023-12-06T14:08:34.939000", "created": "2023-12-06T14:08:34.939000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 623, "hostname": 338, "domain": 131, "URL": 661, "CIDR": 3, "FileHash-MD5": 20 }, "indicator_count": 1776, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657080378bb66724b37455be", "name": "www.janehopehamilton.com", "description": "", "modified": "2023-12-06T14:07:51.583000", "created": "2023-12-06T14:07:51.583000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 983, "hostname": 192, "domain": 141, "URL": 374, "CIDR": 3, "FileHash-MD5": 18, "FileHash-SHA1": 5 }, "indicator_count": 1716, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707ffc71fb7f5aec5688be", "name": "www.txcourts.gov:supreme%22,.pdf", "description": "", "modified": "2023-12-06T14:06:52.270000", "created": "2023-12-06T14:06:52.270000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 557, "domain": 60, "hostname": 330, "URL": 654, "CIDR": 2, "FileHash-MD5": 4 }, "indicator_count": 1608, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707feeecca5c4a33dbdce8", "name": "www.votetexas.gov:register-to-vote:index.html%22,.pdf", "description": "", "modified": "2023-12-06T14:06:38.788000", "created": "2023-12-06T14:06:38.788000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 350, "hostname": 224, "domain": 84, "FileHash-SHA256": 788, "CIDR": 5, "FileHash-MD5": 26, "FileHash-SHA1": 1 }, "indicator_count": 1478, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622f4f5bd90a80ace9ed5ac7", "name": "results.enr.clarityelections.com:TX:Comal:%22 ~ 03.04.2022", "description": "", "modified": "2022-04-13T00:01:48.292000", "created": "2022-03-14T14:21:15.662000", "tags": [], "references": [ "results.enr.clarityelections.com:TX:Comal:%22.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45, "URL": 96, "domain": 13, "FileHash-SHA256": 143, "CIDR": 1, "FileHash-MD5": 8 }, "indicator_count": 306, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1468 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622ce493722da2314c26a477", "name": "mail.ru:%22,", "description": "", "modified": "2022-04-11T00:04:29.819000", "created": "2022-03-12T18:21:07.131000", "tags": [], "references": [ "mail.ru:%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3301, "hostname": 1341, "domain": 447, "FileHash-SHA256": 2753, "CIDR": 65, "FileHash-MD5": 112, "FileHash-SHA1": 2 }, "indicator_count": 8021, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1470 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6228bd4ae80abc010a03b287", "name": "case.house.gov", "description": "", "modified": "2022-04-08T00:05:40.239000", "created": "2022-03-09T14:44:26.921000", "tags": [], "references": [ "case.house.gov.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 64, "URL": 142, "FileHash-SHA256": 689, "domain": 34, "FileHash-MD5": 6, "FileHash-SHA1": 3 }, "indicator_count": 938, "is_author": false, "is_subscribing": null, "subscriber_count": 409, "modified_text": "1473 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62222991ac4a01695adb8d53", "name": "AlGreen.org ~ Texas Congressman (D)", "description": "", "modified": "2022-04-03T00:00:55.161000", "created": "2022-03-04T15:00:33.046000", "tags": [], "references": [ "algreen.org.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Ransomware.Vipasana-9783618-1", "display_name": "Win.Ransomware.Vipasana-9783618-1", "target": null }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": ", Ransom:Win32/HydraCrypt.PAA!MTB", "display_name": ", Ransom:Win32/HydraCrypt.PAA!MTB", "target": "/malware/, Ransom:Win32/HydraCrypt.PAA!MTB" } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 662, "hostname": 338, "domain": 131, "FileHash-SHA256": 623, "CIDR": 3, "FileHash-MD5": 20 }, "indicator_count": 1777, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1478 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62215f837238c441a3293f68", "name": "www.janehopehamilton.com", "description": "", "modified": "2022-04-02T00:04:50.405000", "created": "2022-03-04T00:38:27.697000", "tags": [], "references": [ "www.janehopehamilton.com:%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 192, "URL": 374, "domain": 141, "FileHash-SHA256": 983, "CIDR": 3, "FileHash-MD5": 18, "FileHash-SHA1": 5 }, "indicator_count": 1716, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1479 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6220828bb5364d3975be637e", "name": "www.txcourts.gov:supreme%22,.pdf", "description": "", "modified": "2022-04-02T00:04:50.405000", "created": "2022-03-03T08:55:39.622000", "tags": [], "references": [ "www.txcourts.gov:supreme%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 330, "URL": 655, "domain": 60, "CVE": 1, "FileHash-SHA256": 557, "CIDR": 2, "FileHash-MD5": 4 }, "indicator_count": 1609, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1479 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62204dc600b1ec40ebc0ce7a", "name": "www.votetexas.gov:register-to-vote:index.html%22,.pdf", "description": "", "modified": "2022-04-01T00:01:54.852000", "created": "2022-03-03T05:10:30.318000", "tags": [], "references": [ "www.votetexas.gov:register-to-vote:index.html%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 224, "URL": 350, "domain": 84, "FileHash-SHA256": 788, "CIDR": 5, "FileHash-MD5": 26, "FileHash-SHA1": 1 }, "indicator_count": 1478, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1480 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://connectivitycheck.gstatic.com/generate_204 [RAT]", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga", "https://www.teslarati.com/", "webdisk.thehomemakers.nl", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "https://gujarati.ent24x7.comb [RAT]", "142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source", "http://www.proxydocker.com/ja/proxy/43.229.135.125:8080", "mail.ru:%22,.pdf", "https://www.side3.com", "https://www.pornhub.com/video/search?search=tsara+brashears", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "www.janehopehamilton.com:%22,.pdf", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "https://www.sweetheartvideo.com/tsara-brashears/", "http://45.159.189.105/bot/regex", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "www-temp.metrobyt-mobile.com [malicious | data collection]", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "www.votetexas.gov:register-to-vote:index.html%22,.pdf", "Tesla Hackers | https://www.teslarati.com/spacex", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "https://www.sweetheartvideo.com/tsara-brashears", "message.htm.com \u2022 CVE-2023-4966 \u2022 ransomed.vc", "https://side3.com/", "http://alohatube.xyz/search/tsara-brashears", "http://clipper.guru/bot/online?guid=PC\\Administrator&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb", "algreen.org.pdf", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "manvimishraa5417@gmail.com [Video of Tsara Brashears circulation]", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "https://www.teslarati.com/spacex", "ransomed.vc", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "andrewka6.pythonanywhere.com [python connection - apple]", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "facebooksunglassshop.com [titled' Tsara Brashears GCcmwm.T ?]", "http://www.pinterest.com/ideas/songwriting/945635263947/", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "IDS Detections Win32/ZonaInstaller Install Beacon", "We apologize for so may typos and errors. We strive to do better at that.", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "https://tulach.cc/socrative/internal.js", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "api.utah.edu [access apple]", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "www.icloud.com [wp-login.php]", "https://alohatube.xyz/search/tsara-brashears", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared", "https://www.neurosky.jp/wp-content/plugins/responsive-lightbox/assets/fancybox/jquery.fancybox.min.js?ver=2.1.0", "https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "s3.amazonaws.com [targeting data collection]", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "http://mouthgrave.net/index.php", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "This is why our team tells a back story. It can and does happen to anyone.", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing \u2022 mitre S0154]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://gujarati.ent24x7.com | https://otx.alienvault.com/indicator/url/https://gujarati.ent24x7.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/", "pegahpouraseflaw.info", "https://www.hybrid-analysis.com/file-inline/65c63a1fbc9c5333d20354ca/screenshot/screen_6.png", "Detected Non-Google domain serving Google homepage details", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "Intellectual property accessed and distributed", "tv.apple.com", "Source : Binary File ATT&CK ID T1566.002", "https://twitter.com/PORNO_SEXYBABES | cloud.zemana.com - porn cloud", "http://email.birdeye.org/c/eJxkUcFuozAU_JrHsTLPYODAIYQmSqXNqmm3q-4FGfNIrAUbGTtV-_UrklRatT5ZnvGbeTNVmLWhed6HsSVXxiLNsyLniUhFyoqolp6eyPgSE4Ysjw407boSMerKWKV90kdUxhnLuMiyhEenUiZ9LjAuij6PMWdMSpnFJPKkLVQrUhHpEtl1GEuSgvG7DIss6XsZCy7jooghYa12Hb3TnXXHaChP3k8z8BXgBnDziSk7Am4mp5U2xwXim-DHZrbBKQJeT852QfmGRqkHQLGAI3U6jMDr_x-VNZ6MB15vf1SAotUd8PpLEJ9cOU5SHw3w2ppBG2omRzMZRc1CaY0cF-21NTO5s_TaGsDqidxZK5oBq62zYQKsdkYBimmQipqL3vq0e9i3-VoOf-J09_dgq-m-enupQnUEFNp0YfbuHXgNKD70dL04Omt6a5QNF_-H-5fd_e9m_fPX_hlQyPOxuTGc9EtKvF69bJvD6", "case.house.gov.pdf", "162.159.208.8", "http://fillmark.net/index.php [phishing]", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "www.anyxxxtube.net [malicious data collection]", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "http://neurosky.jp", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "https://www.hybrid-analysis.com/sample/92b00ee3aca1f3057ad8402229c27bfdd6fc934908ef641b36379bf47093df0b/65c63a1fbc9c5333d20354ca", "www.txcourts.gov:supreme%22,.pdf", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:", "https://alohatube.xyz/search/tsara-brashears+(Formerly+Botnetwork+malvertizing+campaign+targeting+Tsara+Brashears+crime+victim.+Now+", "Wife of Brashears SAter \u2022 Alias \u2022 Couple plays victim \u2022 Karens. HIPPA violations. Admittedly involved cyberstalking on Brashears. Legally agreed to stop.", "alohatube.xyz [keylogger aimed at Tsara Brashears]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "www.pornhub.com", "http://alohatube.xyz/search/tsara-brashears/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "sonymobilemail.com", "https://gr.pinterest.com/emreimer/", "results.enr.clarityelections.com:TX:Comal:%22.pdf", "http://discover.hubpages.com/literature/Most-Beautiful-Quotes-on-Love-and-Heartbreak [RAT| Tagging target in adult content fraud sites]", "CnC IP's: 104.124.58.137 \u2022 45.159.189.105 | Exploit source: 1.179.151.145 | scanning host: 208.115.103.34", "https://www.google-analytics.com/debug/bootstrap?id=\\" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Tesla Hackers" ], "malware_families": [ "Worm:win32/mofksys.rnd!mtb", "Trojan:vbs/metasploitvbscmdstager", ", ransom:win32/hydracrypt.paa!mtb", "Win.trojan.12382640-1", "Ms defender\ttrojan:win32/qbot.kvd!mtb", "Maui ransomware", "Njrat", "Cobalt strike", "Ransomware", "Sibot", "Cyber criminal", "Goldfinder", "Trojan:win32/zombie.a", "Backdoor:win32/tofsee.t", "Vd", "Alf:jasyp:trojan:win32/genmaldown!atmn", "Formbook", "Tulach", "Win.malware.jaik-9940406-0", "Sality", "Win.malware.snojan-6775202-0", "Win32:ransomx-gen\\ [ransom]", "Goldmax", "Hacktool", "Worm:win32/mydoom", "Win.ransomware.vipasana-9783618-1" ], "industries": [ "Civil society", "Recording industry", "Technology", "Media", "Entertainment", "Government", "Telecommunications", "Entertainers" ], "unique_indicators": 71907 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/withgoogle.com", "whois": "http://whois.domaintools.com/withgoogle.com", "domain": "withgoogle.com", "hostname": "csp.withgoogle.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 20, "pulses": [ { "id": "693b7dc3cf1996347652ef92", "name": "Google Site Redirector - Tesla Hackers", "description": "Silencing. By Tesla hackers. Awful example of how any victim of a crime; can become a target of the government..\nThis is especially true when the actual perpetrators work for the government are government affiliated, very wealthy, a celebrity or someone who is deemed important. In this instance the Quasi government sought to keep target seeking and obtaining life saving medical treatment, financial settlement that she was entitled to from assault, injuries from assault, false imprisonment, punitive damgages, pain and suffering, humiliation, premise liability, permanent (whole body disability @MMI ), many other crimes. The victims suffered from a great sadness and betrayal. \n\nObviously racist Elon Musk and crew have access to all government tools. Musk, All things cyber are at his disposal as \ncontinues to abuse privilege.\n They keep playing a God they don\u2019t believe in. God is the Ultimate Avenger.", "modified": "2026-01-11T00:03:08.581000", "created": "2025-12-12T02:28:19.107000", "tags": [ "compromised_site_redirector_fromcharcode", "site_redirector", "string", "regexp", "error", "number", "sxa0", "amptoken", "optout", "retrieving", "notfound", "write", "form", "flash", "vd", "tesla hackers", "nxdomain", "passive dns", "ip address", "domain", "a nxdomain", "urls", "files", "ip related", "pulses otx", "google", "unknown", "oracle", "dynamicloader", "medium", "high", "windows", "rndhex", "write c", "rndchar", "displayname", "tofsee", "yara rule", "stream", "strings", "push", "lte all", "search otx", "ource url", "or text", "paste", "data upload", "extraction", "elon musk", "indicator role", "active related", "ipv4", "exploitsource", "url https", "url http", "desktopinternet", "title added", "pulses ipv4", "less see", "ids detections", "vuze bt", "udp connection", "contacted", "filehash", "av detections", "yara detections", "alerts", "0x8aa42", "0xe3107", "upnp", "http request", "bittorrent", "file", "module load", "t1129", "post http", "install", "execution", "malware", "hostile", "crawl", "windows nt", "wow64", "get zona", "get httpget", "hash", "entries", "read c", "suspicious", "next", "united" ], "references": [ "Tesla Hackers | https://www.teslarati.com/spacex", "Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint", "142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source", "IDS Detections Win32/ZonaInstaller Install Beacon", "https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\", "https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=", "https://www.google-analytics.com/debug/bootstrap?id=\\", "https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga", "https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022", "https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=", "This is why our team tells a back story. It can and does happen to anyone.", "We apologize for so may typos and errors. We strive to do better at that." ], "public": 1, "adversary": "Tesla Hackers", "targeted_countries": [], "malware_families": [ { "id": "Vd", "display_name": "Vd", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Trojan.12382640-1", "display_name": "Win.Trojan.12382640-1", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65, "FileHash-SHA1": 34, "FileHash-SHA256": 2032, "URL": 4921, "domain": 567, "hostname": 1586, "SSLCertFingerprint": 4 }, "indicator_count": 9209, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693adba47b2cce69440c726a", "name": "TESLA HACKERS | Login Google", "description": "Attackers target victims Google account, Google browser, Google homepage.\n\nTesla Hackers in the job. Tesla hackers are very young , angry, kids who chased target around mercilessly in their vehicles, photographed target, drive threateningly. Nothing sophisticated about the stalker crewl. This is intentional. Finding troubled individuals who are desperate for power is pretty easy. \n\nThe hit men range from gang members, white , black , Hispanic to the highly educated, Hit man who attempted to take target out was a spoiled, angry , aggressive, sneering POC. He walked in Denver. The next morning , the area target was driven if roadway was closed off and filled with a rather large road crew, work continues to work on this area. (Charlie Kirk like). Alleged traffic officer claims cameras pointed in different directions that night. He was identified as a computer science major by a PI. This feels so dangerous.", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T14:56:36.874000", "tags": [ "tlsv1", "united", "oamazon", "cnamazon rsa", "jfif", "ogoogle trust", "cngts ca", "exif standard", "tiff image", "xresolution74", "execution", "dock", "write", "persistence", "malware", "encrypt", "ca https", "no expiration", "iocs", "url https", "enter source", "url or", "text drag", "drop or", "browse to", "select file", "ipv4", "url http", "type indicator", "sec ch", "ch ua", "unknown", "ua full", "ua platform", "as44273 host", "ua bitness", "msie", "chrome", "backdoor", "trojandropper", "passive dns", "forbidden", "body", "twitter", "trojan", "cookie", "title", "windows nt", "wow64", "slcc2", "media center", "read c", "port", "destination", "local", "moved", "integration all", "urls", "files", "reverse dns", "location united", "america flag", "name servers", "hostname", "unique", "expires wed", "gmt date", "server", "date wed", "connection", "use linux", "cybersecurity", "http", "ip address", "files location", "flag united", "win32", "urls show", "date checked", "url hostname", "server response", "virtool", "date hash", "avast avg", "heur", "lowfi", "k sep", "contacted", "related tags", "none file", "type", "present dec", "present nov", "mtb mar", "aaaa", "hacktool", "indicator role", "domain", "url add", "as20940", "as16625 akamai", "present mar", "present may", "as54113", "present apr", "ipv4 add", "url analysis", "servers", "emails", "hostname add", "present aug", "present sep", "present oct", "status", "present jul", "data upload", "extraction", "as208722 yandex", "russia unknown", "a domains", "expirestue", "path", "certificate", "medium", "alerts show", "ck technique", "technique id", "installs", "pe32", "intel", "ms windows", "high", "icmp traffic", "dns query", "packing t1045", "t1045", "screenshots", "file type", "date february", "pm size", "imphash pehash", "guard", "syst", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "spawns", "t1590 gather", "flag", "united kingdom", "command decode", "belgium belgium", "federation", "france france", "ireland ireland", "canada canada", "suricata ipv4", "click", "tesla hackers", "elon musk", "show", "richhash", "external", "virustotal api", "comments", "vendor finding", "notes clamav", "ms defender", "files matching", "copy", "found", "ssl certificate", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "yara rule", "reads", "number", "sample analysis", "hide samples", "entries", "samples show", "next yara", "detections name", "devcv5 ujrb", "ujrb", "uja1t", "show technique", "mitre att", "ck matrix", "ascii text", "pattern match", "sha1", "network traffic", "show process", "general" ], "references": [ "https://www.teslarati.com/spacex", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "https://www.teslarati.com/", "https://www.teslarati.com/spacex", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "Source : Binary File ATT&CK ID T1566.002", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "Detected Non-Google domain serving Google homepage details", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Japan" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "display_name": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "target": "/malware/Ms Defender\tTrojan:Win32/Qbot.KVD!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Jaik-9940406-0", "display_name": "Win.Malware.Jaik-9940406-0", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "display_name": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5894, "FileHash-MD5": 458, "FileHash-SHA1": 305, "FileHash-SHA256": 2481, "SSLCertFingerprint": 26, "hostname": 2406, "domain": 966, "email": 16, "CVE": 1 }, "indicator_count": 12553, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ef0516013ca78448bf4e5", "name": "Foundry \u2022 Reflected Networks Pornhub Malvertising Subsidiary", "description": "Foundry ? Pornhub\nsanfoundry.com\ncompliance.fifoundry.net- Pornhub subsidiary. Targets networks, devices, routers, used for promoting pornography and her music. Producer revealed her hooks were used for Justin Bieber & Tori Kelly songs that. A producer stated her songs had been grifted. Both Tsara Brashears & a studio were in Pegasus & attacked by \u2018Lazarus\u2019 Group. She was told in detail how her songs can be used by music insiders if they choose. Target trolled by mocking hackers re: the JB and Kelly song.. Trojan:Win32/DisableUAC.A!bit\n, MSIL:Suspicious:ScreenCapture.S01\nIDS Detections\nLokiBot Checkin\nLokiBot User-Agent (Charon/Inferno)\nLokiBot Application/Credential Data Exfiltration Detected M1\nLokiBot Request for C2 Commands Detected M1\nLokiBot Application/Credential Data Exfiltration Detected M2\nLokiBot Request for C2 Commands Detected M2\nTrojan Generic - POST To gate.php with no referer\nSSL excessive fatal alerts (possible POODLE attack against server)\nI will revisit this. Gloryhole Foundation?", "modified": "2025-09-02T04:01:31.218000", "created": "2025-08-03T05:14:57.402000", "tags": [ "united", "moved", "entries", "passive dns", "detected m1", "next associated", "mtb apr", "mtb aug", "server", "gmt content", "trojandropper", "trojan", "body", "lokibot request", "c2 commands", "detected m2", "otx telemetry", "historical otx", "twitter running", "open ports", "cves", "time", "dynamicloader", "port", "search", "show", "destination", "alerts", "copy", "dynamic", "medium", "write", "creation date", "hostmaster", "urls", "domain", "showing", "hostname add", "pulse pulses", "date", "flag", "falcon sandbox", "name server", "markmonitor", "analysis", "mitre att", "anonymous", "upgrade", "hybrid", "contact", "usa windows", "december", "input threat", "level analysis", "summary", "february", "hwp support", "january", "october", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "calls", "command", "javascript", "object model", "model", "windir", "json data", "localappdata", "ascii text", "temp", "getprocaddress", "script", "license", "runtime process", "copy md5", "facebook", "roboto", "error", "win64", "path", "blink", "meta", "factory", "general", "comspec", "click", "strings", "damage", "mini", "stop", "core", "expl", "win32", "gmt server", "ecacc saa83dd", "ipv4 add", "twitter", "cobalt strike", "mozilla" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 263, "FileHash-SHA1": 256, "FileHash-SHA256": 837, "hostname": 4415, "URL": 1918, "domain": 1884, "email": 2, "SSLCertFingerprint": 2 }, "indicator_count": 9577, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c68bc8b8745068608cc50d", "name": "Metasploit | Ransomware | PinterestPots - Pin.it", "description": "", "modified": "2024-03-10T20:03:45.513000", "created": "2024-02-09T20:32:08.358000", "tags": [ "whois record", "contacted", "tsara brashears", "ssl certificate", "apple ios", "unlocker", "historical ssl", "referrer", "highly targeted", "critical risk", "hacktool", "malicious", "cobalt strike", "metasploit", "installer", "malware", "awful", "android", "banker", "keylogger", "jeffrey reimer", "emreimer", "emily reimer goldstien", "eva lisa", "eva lisa reimer", "status code", "http response", "ieedge date", "maxage86400", "path", "httponly xcdn", "connection", "vary useragent", "targeting brashears", "communicating", "whois whois", "collections", "password", "adult content", "core", "metro", "apple", "copy", "suspicious", "vj99", "threat", "slfrd1", "paste", "iocs", "analyze", "hostnames", "urls http", "jid1221717543", "slc1", "a domains", "united", "search", "date", "as15169 google", "passive dns", "urls", "record value", "name servers", "status", "encrypt", "win32", "next", "msie", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "body", "domain", "unknown", "china unknown", "pulse pulses", "files", "ip address", "servers", "domain name", "showing", "as54113", "as16625 akamai", "as20940", "aaaa", "cname", "as396982 google", "as14061", "script domains", "hostname", "japan unknown", "gmt content", "gmt etag", "pragma", "accept", "location japan", "asn as131965", "less", "pulses", "related tags", "meta", "asn as13335", "443 ma2592000", "certificate", "germany unknown", "script urls", "link", "code", "moved", "russia unknown", "as51659 llc", "as12616 filanc", "welcome", "uhttps", "urls https", "ccb455304", "ccb455307", "vj93", "uyebaauqaaaaaac", "malvertizing", "tagging", "prefetch8", "script", "prefetch1", "command decode", "segoe ui", "suricata ipv4", "emoji", "mitre att", "suricata udpv4", "roboto", "courier", "february", "hybrid", "general", "model", "comspec", "click", "strings" ], "references": [ "https://gr.pinterest.com/emreimer/", "Wife of Brashears SAter \u2022 Alias \u2022 Couple plays victim \u2022 Karens. HIPPA violations. Admittedly involved cyberstalking on Brashears. Legally agreed to stop.", "message.htm.com \u2022 CVE-2023-4966 \u2022 ransomed.vc", "http://neurosky.jp", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex", "http://alohatube.xyz/search/tsara-brashears", "facebooksunglassshop.com [titled' Tsara Brashears GCcmwm.T ?]", "alohatube.xyz [keylogger aimed at Tsara Brashears]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.pornhub.com/video/search?search=tsara+brashears", "http://alohatube.xyz/search/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashears", "https://alohatube.xyz/search/tsara-brashears+(Formerly+Botnetwork+malvertizing+campaign+targeting+Tsara+Brashears+crime+victim.+Now+", "https://www.sweetheartvideo.com/tsara-brashears/", "manvimishraa5417@gmail.com [Video of Tsara Brashears circulation]", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.hybrid-analysis.com/sample/92b00ee3aca1f3057ad8402229c27bfdd6fc934908ef641b36379bf47093df0b/65c63a1fbc9c5333d20354ca", "https://www.hybrid-analysis.com/file-inline/65c63a1fbc9c5333d20354ca/screenshot/screen_6.png", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing \u2022 mitre S0154]", "CnC IP's: 104.124.58.137 \u2022 45.159.189.105 | Exploit source: 1.179.151.145 | scanning host: 208.115.103.34", "http://www.proxydocker.com/ja/proxy/43.229.135.125:8080", "https://twitter.com/PORNO_SEXYBABES | cloud.zemana.com - porn cloud", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "www.pornhub.com", "http://www.pinterest.com/ideas/songwriting/945635263947/", "https://www.neurosky.jp/wp-content/plugins/responsive-lightbox/assets/fancybox/jquery.fancybox.min.js?ver=2.1.0", "webdisk.thehomemakers.nl", "http://connectivitycheck.gstatic.com/generate_204 [RAT]", "http://discover.hubpages.com/literature/Most-Beautiful-Quotes-on-Love-and-Heartbreak [RAT| Tagging target in adult content fraud sites]", "https://gujarati.ent24x7.comb [RAT]", "http://clipper.guru/bot/online?guid=PC\\Administrator&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb", "https://tulach.cc/socrative/internal.js", "http://email.birdeye.org/c/eJxkUcFuozAU_JrHsTLPYODAIYQmSqXNqmm3q-4FGfNIrAUbGTtV-_UrklRatT5ZnvGbeTNVmLWhed6HsSVXxiLNsyLniUhFyoqolp6eyPgSE4Ysjw407boSMerKWKV90kdUxhnLuMiyhEenUiZ9LjAuij6PMWdMSpnFJPKkLVQrUhHpEtl1GEuSgvG7DIss6XsZCy7jooghYa12Hb3TnXXHaChP3k8z8BXgBnDziSk7Am4mp5U2xwXim-DHZrbBKQJeT852QfmGRqkHQLGAI3U6jMDr_x-VNZ6MB15vf1SAotUd8PpLEJ9cOU5SHw3w2ppBG2omRzMZRc1CaY0cF-21NTO5s_TaGsDqidxZK5oBq62zYQKsdkYBimmQipqL3vq0e9i3-VoOf-J09_dgq-m-enupQnUEFNp0YfbuHXgNKD70dL04Omt6a5QNF_-H-5fd_e9m_fPX_hlQyPOxuTGc9EtKvF69bJvD6", "https://gujarati.ent24x7.com | https://otx.alienvault.com/indicator/url/https://gujarati.ent24x7.com", "162.159.208.8" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "Trojan:VBS/MetasploitVBSCmdStager", "display_name": "Trojan:VBS/MetasploitVBSCmdStager", "target": "/malware/Trojan:VBS/MetasploitVBSCmdStager" }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3412, "FileHash-MD5": 194, "FileHash-SHA1": 159, "FileHash-SHA256": 2223, "domain": 2117, "hostname": 1763, "CVE": 2, "email": 5 }, "indicator_count": 9875, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "771 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4a1c74cf5f1af5be6464e", "name": " authsmtp.sabeydatacenters.com | tulach gained access to Side3 Studios Denver\t\t", "description": "", "modified": "2024-03-09T09:02:09.950000", "created": "2024-02-08T09:41:27.252000", "tags": [ "ssl certificate", "contacted", "historical ssl", "february", "referrer", "threat roundup", "apple ios", "goldfinder", "sibot", "goldmax", "hacktool", "malicious", "formbook", "contacted urls", "resolutions", "malware", "njrat", "ransomware", "open", "cyber criminal", "record type", "ttl value", "dropped", "execution", "hashes hashes", "hashes", "network", "communicating", "maui ransomware", "type name", "jpeg", "ms word", "document", "whois record", "january", "october", "december", "april", "august", "crypto", "awful", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "march", "urls http", "threat network", "problems", "whois whois", "probe", "startpage", "premium", "snatch", "first", "utc submissions", "submitters", "cloudflarenet", "gvb gelimed", "com laude", "mb super", "optimizer", "amazonaes", "summary iocs", "twitter", "united", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "trojan", "as6185 apple", "creation date", "virtool", "worm", "date", "win32", "urls", "search", "servers", "targeting", "target", "tsara brashears", "united kingdom", "whitelisted", "as6453 tata", "passive dns", "domain", "as46606", "scan endpoints", "all search", "otx octoseek", "pulse submit", "url analysis", "as54113", "entries", "moved", "body", "unknown", "found", "files", "backdoor", "expiration date", "hallrender", "tulach", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "as62597 nsone", "as62729", "showing", "next", "as2914 ntt", "ireland unknown", "germany unknown", "as6461 zayo", "as7843 charter", "as3257 gtt", "ip address", "location united", "for privacy", "record value", "as54990", "bouvet island", "encrypt", "show", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "as15169 google", "domains ii", "sality", "ck id", "ck matrix", "intellectual property theft", "malicious file transfers", "scheme", "threat", "paste", "iocs", "hostnames", "urls https", "urls url", "j490s6lkpppw", "lfqprnkje8dni0" ], "references": [ "https://side3.com/", "https://www.side3.com", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "http://fillmark.net/index.php [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "www.icloud.com [wp-login.php]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "s3.amazonaws.com [targeting data collection]", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "api.utah.edu [access apple]", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "tv.apple.com", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "andrewka6.pythonanywhere.com [python connection - apple]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "sonymobilemail.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "pegahpouraseflaw.info", "http://mouthgrave.net/index.php", "ransomed.vc", "Intellectual property accessed and distributed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax", "display_name": "GoldMax", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null } ], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Recording Industry", "Entertainers", "Civil Society" ], "TLP": "white", "cloned_from": "65c4a099f6a2c8fc2bb85d4b", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5271, "FileHash-MD5": 899, "FileHash-SHA1": 881, "FileHash-SHA256": 5609, "domain": 2199, "hostname": 3205, "CVE": 1, "email": 9 }, "indicator_count": 18074, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "772 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4a099f6a2c8fc2bb85d4b", "name": "Cyber espionage & ransomware attacks Denver Recording Studio", "description": "GoldMax is used by UNC2452 as a command-and-control backdoor. It is written in the Go programming language. To hide its activities, it generates dummy traffic.\n\nSibot is a VBScript-based malware that allows attackers to download and run payloads from a remote command-and-control server. It uses file names that are similar to those used in Windows for masquerading. The VBScript is executed through a scheduled task.\n\nGoldFinder is another Go malware used by attackers to access a hardcoded command-and-control (C2) server by logging the route or hops that a packet takes like an HTTP tracer tool.", "modified": "2024-03-09T09:02:09.950000", "created": "2024-02-08T09:36:25.114000", "tags": [ "ssl certificate", "contacted", "historical ssl", "february", "referrer", "threat roundup", "apple ios", "goldfinder", "sibot", "goldmax", "hacktool", "malicious", "formbook", "contacted urls", "resolutions", "malware", "njrat", "ransomware", "open", "cyber criminal", "record type", "ttl value", "dropped", "execution", "hashes hashes", "hashes", "network", "communicating", "maui ransomware", "type name", "jpeg", "ms word", "document", "whois record", "january", "october", "december", "april", "august", "crypto", "awful", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "march", "urls http", "threat network", "problems", "whois whois", "probe", "startpage", "premium", "snatch", "first", "utc submissions", "submitters", "cloudflarenet", "gvb gelimed", "com laude", "mb super", "optimizer", "amazonaes", "summary iocs", "twitter", "united", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "trojan", "as6185 apple", "creation date", "virtool", "worm", "date", "win32", "urls", "search", "servers", "targeting", "target", "tsara brashears", "united kingdom", "whitelisted", "as6453 tata", "passive dns", "domain", "as46606", "scan endpoints", "all search", "otx octoseek", "pulse submit", "url analysis", "as54113", "entries", "moved", "body", "unknown", "found", "files", "backdoor", "expiration date", "hallrender", "tulach", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "as62597 nsone", "as62729", "showing", "next", "as2914 ntt", "ireland unknown", "germany unknown", "as6461 zayo", "as7843 charter", "as3257 gtt", "ip address", "location united", "for privacy", "record value", "as54990", "bouvet island", "encrypt", "show", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "as15169 google", "domains ii", "sality", "ck id", "ck matrix", "intellectual property theft", "malicious file transfers", "scheme", "threat", "paste", "iocs", "hostnames", "urls https", "urls url", "j490s6lkpppw", "lfqprnkje8dni0" ], "references": [ "https://side3.com/", "https://www.side3.com", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "http://fillmark.net/index.php [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "www.icloud.com [wp-login.php]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "s3.amazonaws.com [targeting data collection]", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "api.utah.edu [access apple]", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "tv.apple.com", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "andrewka6.pythonanywhere.com [python connection - apple]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "sonymobilemail.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "pegahpouraseflaw.info", "http://mouthgrave.net/index.php", "ransomed.vc", "Intellectual property accessed and distributed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax", "display_name": "GoldMax", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null } ], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Recording Industry", "Entertainers", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5271, "FileHash-MD5": 899, "FileHash-SHA1": 881, "FileHash-SHA256": 5609, "domain": 2199, "hostname": 3205, "CVE": 1, "email": 9 }, "indicator_count": 18074, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "772 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657081be03964e671c853055", "name": "results.enr.clarityelections.com:TX:Comal:%22 ~ 03.04.2022", "description": "", "modified": "2023-12-06T14:14:21.542000", "created": "2023-12-06T14:14:21.542000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 143, "hostname": 45, "URL": 96, "domain": 13, "CIDR": 1, "FileHash-MD5": 8 }, "indicator_count": 306, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708191cdba4e9f07ba1f93", "name": "mail.ru:%22,", "description": "", "modified": "2023-12-06T14:13:36.976000", "created": "2023-12-06T14:13:36.976000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2753, "hostname": 1341, "domain": 447, "URL": 3301, "CIDR": 65, "FileHash-MD5": 112, "FileHash-SHA1": 2 }, "indicator_count": 8021, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708105cfc42f9740d5cdc1", "name": "case.house.gov", "description": "", "modified": "2023-12-06T14:11:17.482000", "created": "2023-12-06T14:11:17.482000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 689, "hostname": 64, "domain": 34, "URL": 141, "FileHash-MD5": 6, "FileHash-SHA1": 3 }, "indicator_count": 937, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708062a22589c28610ddcb", "name": "AlGreen.org ~ Texas Congressman (D)", "description": "", "modified": "2023-12-06T14:08:34.939000", "created": "2023-12-06T14:08:34.939000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 623, "hostname": 338, "domain": 131, "URL": 661, "CIDR": 3, "FileHash-MD5": 20 }, "indicator_count": 1776, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://csp.withgoogle.com/csp/hosted-libraries-pushers", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://csp.withgoogle.com/csp/hosted-libraries-pushers", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776719654.6015756 }