{ "type": "URL", "indicator": "https://data.flurry.com/v1/flr.do", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://data.flurry.com/v1/flr.do", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #219", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain flurry.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain flurry.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4093463346, "indicator": "https://data.flurry.com/v1/flr.do", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69ad4f70dd8cd3a4bae75670", "name": "krnaver.com- BL! 10 month of no sleep and all i could read was ralph nader #doh", "description": "Pulse\nPulses\n5\nPassive DNS\n39\nURLs\n12\nFiles\n1K\nAnalysis Overview\nIP Address\n104.17.232.29\nLocation\n\nUnited States\nASN\nAS13335 cloudflare\nNameservers\nns36.domaincontrol.com.\n, \nns35.domaincontrol.com.\nWHOIS\nRegistrar:\nXiamen Domains, Inc., \nCreation Date:\nNov 12, 2016\nRelated Pulses\nOTX User-Created Pulses (5)\nRelated Tags\nNone\nIndicator Facts\n1000 malicious files communicating\nHistorical OTX telemetry\nRunning webserver\n2 subdomains\nNumber of malicious files communicating with the domain or subdomains\nAntivirus Detections\nBackdoor:Win32/Venik.E!dha\n, \nBackdoor:Win32/Venik.I\n, \nBackdoor:Win32/Venik.J\n, \nWin.Trojan.Packed-123\nAV Detection Ratio\n1000\n / 1000", "modified": "2026-04-07T10:26:55.912000", "created": "2026-03-08T10:29:04.330000", "tags": [ "backdoor", "pulse", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "whois registrar", "domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 321, "hostname": 85, "URL": 87, "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 152, "email": 6 }, "indicator_count": 953, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ada442ba9893ca65ae8b87", "name": "VirusTotal report\n for base.apk", "description": "We are going to be the ones leaning on Fury. To win this, I don't need to be heavy, I need to be fast and quick.", "modified": "2026-03-08T16:30:58.152000", "created": "2026-03-08T16:30:58.152000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 47, "domain": 10, "hostname": 21 }, "indicator_count": 81, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "43 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952fbca42c1b0da7431e6a7", "name": "Pegasus / Pegacloud - Infiltration (10-2013 or 2014 to Current/ Ongoing) ", "description": "", "modified": "2025-12-29T22:08:10.280000", "created": "2025-12-29T22:08:10.280000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "6877422df67773a07ef450c2", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "111 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6877422df67773a07ef450c2", "name": "Pegasus / Pegacloud - Infiltration", "description": "Pegasus IoC\u2019s found in the periphery of research. Appears target contacted a \u2018fake host\u2019 after finding name in multiple highly malicious domains. May have appeared between 12/2013 - 11-2014. Target was contacted by telephone and asked \u2018 have you checked Googled yourself\u2019, to which target answered \u2018Not really\u2019. Target was told \u2018you really should Google yourself\u2019. Target, upset about content clicked and began a takedown effort with host.\n\nThis seems to be at the start of many malicious campaigns. Requires further investigation.", "modified": "2025-08-15T05:01:22.570000", "created": "2025-07-16T06:09:49.704000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "248 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "pegacloud.net", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214", "http://fakejuko.site40/", "IDS: Win32.Scar.hhrw POST", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: OnionDuke CnC Beacon 1", "IDS: Win32/Ibashade CnC Beacon" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Worm:win32:drolnux", "Pegasus - mob-s0005", "Win32:wormx-gen [wrm]" ], "industries": [ "Technology", "Government", "Telecommunications" ], "unique_indicators": 10753 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/flurry.com", "whois": "http://whois.domaintools.com/flurry.com", "domain": "flurry.com", "hostname": "data.flurry.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69ad4f70dd8cd3a4bae75670", "name": "krnaver.com- BL! 10 month of no sleep and all i could read was ralph nader #doh", "description": "Pulse\nPulses\n5\nPassive DNS\n39\nURLs\n12\nFiles\n1K\nAnalysis Overview\nIP Address\n104.17.232.29\nLocation\n\nUnited States\nASN\nAS13335 cloudflare\nNameservers\nns36.domaincontrol.com.\n, \nns35.domaincontrol.com.\nWHOIS\nRegistrar:\nXiamen Domains, Inc., \nCreation Date:\nNov 12, 2016\nRelated Pulses\nOTX User-Created Pulses (5)\nRelated Tags\nNone\nIndicator Facts\n1000 malicious files communicating\nHistorical OTX telemetry\nRunning webserver\n2 subdomains\nNumber of malicious files communicating with the domain or subdomains\nAntivirus Detections\nBackdoor:Win32/Venik.E!dha\n, \nBackdoor:Win32/Venik.I\n, \nBackdoor:Win32/Venik.J\n, \nWin.Trojan.Packed-123\nAV Detection Ratio\n1000\n / 1000", "modified": "2026-04-07T10:26:55.912000", "created": "2026-03-08T10:29:04.330000", "tags": [ "backdoor", "pulse", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "whois registrar", "domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 321, "hostname": 85, "URL": 87, "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 152, "email": 6 }, "indicator_count": 953, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ada442ba9893ca65ae8b87", "name": "VirusTotal report\n for base.apk", "description": "We are going to be the ones leaning on Fury. To win this, I don't need to be heavy, I need to be fast and quick.", "modified": "2026-03-08T16:30:58.152000", "created": "2026-03-08T16:30:58.152000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 47, "domain": 10, "hostname": 21 }, "indicator_count": 81, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "43 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952fbca42c1b0da7431e6a7", "name": "Pegasus / Pegacloud - Infiltration (10-2013 or 2014 to Current/ Ongoing) ", "description": "", "modified": "2025-12-29T22:08:10.280000", "created": "2025-12-29T22:08:10.280000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "6877422df67773a07ef450c2", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "111 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6877422df67773a07ef450c2", "name": "Pegasus / Pegacloud - Infiltration", "description": "Pegasus IoC\u2019s found in the periphery of research. Appears target contacted a \u2018fake host\u2019 after finding name in multiple highly malicious domains. May have appeared between 12/2013 - 11-2014. Target was contacted by telephone and asked \u2018 have you checked Googled yourself\u2019, to which target answered \u2018Not really\u2019. Target was told \u2018you really should Google yourself\u2019. Target, upset about content clicked and began a takedown effort with host.\n\nThis seems to be at the start of many malicious campaigns. Requires further investigation.", "modified": "2025-08-15T05:01:22.570000", "created": "2025-07-16T06:09:49.704000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "248 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://data.flurry.com/v1/flr.do", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://data.flurry.com/v1/flr.do", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776707836.849417 }