{ "type": "URL", "indicator": "https://de-appletradein.likewize.com/login.aspx", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://de-appletradein.likewize.com/login.aspx", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4128637825, "indicator": "https://de-appletradein.likewize.com/login.aspx", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "699c6ef61298b57cd7275728", "name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s", "description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.", "modified": "2026-03-25T07:05:10.628000", "created": "2026-02-23T15:15:02.857000", "tags": [ "ipv4", "http", "passive dns", "files domain", "united", "unknown ns", "for privacy", "ip address", "domain", "dynamicloader", "antivirus", "yara rule", "fe ff", "write c", "msvisualcpp60", "rsds", "e8 c8", "e8 a8", "ff e1", "unknown", "worm", "launch", "write", "explorer", "february", "push", "service", "files", "reverse dns", "america flag", "america asn", "url add", "otx logo", "all ipv4", "searc", "date checked", "server response", "results dec", "unknown soa", "present aug", "present oct", "present sep", "present nov", "moved", "error", "title", "win32mydoom feb", "aaaa", "name servers", "trojan", "servers", "virtool", "united states", "apple", "crlf line", "unicode text", "utf8", "ff d5", "ascii text", "ee fc", "suspicious", "music", "malware", "role title", "ttl value", ".cc", "d4 f5", "msvisualcpp2002", "msvisualcpp2005", "apple support", ".ch", "privaterelay", "pattern match", "ck id", "mitre att", "ck matrix", "href", "et info", "general", "local", "path", "click", "learn", "command", "name tactics", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "present jun", "backdoor", "present may", "status", "ransom", "high", "medium", "windows", "tofsee", "loaderid", "lidfileupd", "localcfg", "rndhex", "stream", "delete", "emotet", "bot network", "mitm", "screenshot", "mimecast" ], "references": [ "http://apple.support.com/ht***** redirect", "https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8", "mac.store", "https://icloud.ch/cn/ipod-touch/", "https://icloud.ch/", "https://multicash.smbcgroup.com/gb/App/Authentication/Challenge", "https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/", "Redirect: schemas.microsoft.com", "apple.com(-inc.cc)", "oas-japac-domains-applecomputer.cn", "robert-aebi.appleid.com", "smtp2.icl-privaterelay.appleid.com", "http://audaxgroup.appleid.com/", "https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php", "iphonegermany.com", "api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud", "https://aspmx.l.google.com/", "api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com", "de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com", "http://www.icloud-sms-alert.com/", "monitoring.eurovision.net", "https://www.irby.com/iub-en/services/testing-and-monitoring", "monitor.kyos.ninja" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/IcedId.DI!MTB", "display_name": "Trojan:Win32/IcedId.DI!MTB", "target": "/malware/Trojan:Win32/IcedId.DI!MTB" }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Worm:Win32/Bloored", "display_name": "Worm:Win32/Bloored", "target": "/malware/Worm:Win32/Bloored" }, { "id": "Win.Malware.Elenooka-6996044-0", "display_name": "Win.Malware.Elenooka-6996044-0", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6031, "hostname": 1971, "domain": 1125, "FileHash-SHA256": 1715, "email": 18, "FileHash-MD5": 317, "FileHash-SHA1": 164 }, "indicator_count": 11341, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "70 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c04a662e48fc9c441ecf16", "name": "Phishing [090925]", "description": "Phishing domains and IP addresses that have been used to send malicious emails.", "modified": "2025-10-09T15:02:08.238000", "created": "2025-09-09T15:40:22.389000", "tags": [ "phishing", "spearphishing", "meta", "facebook", "m365", "scam", "malicious-domain", "malicious-IP" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "FS13JKMK", "id": "312129", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_312129/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 30, "hostname": 63, "email": 11, "URL": 107, "FileHash-SHA256": 5 }, "indicator_count": 216, "is_author": false, "is_subscribing": null, "subscriber_count": 71, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://icloud.ch/cn/ipod-touch/", "https://www.irby.com/iub-en/services/testing-and-monitoring", "de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com", "http://apple.support.com/ht***** redirect", "https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/", "smtp2.icl-privaterelay.appleid.com", "robert-aebi.appleid.com", "apple.com(-inc.cc)", "http://audaxgroup.appleid.com/", "https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php", "https://icloud.ch/", "monitoring.eurovision.net", "monitor.kyos.ninja", "mac.store", "https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8", "api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud", "oas-japac-domains-applecomputer.cn", "Redirect: schemas.microsoft.com", "https://multicash.smbcgroup.com/gb/App/Authentication/Challenge", "api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com", "http://www.icloud-sms-alert.com/", "iphonegermany.com", "https://aspmx.l.google.com/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan:win32/icedid.di!mtb", "Emotet", "Worm:win32/bloored", "Win.malware.elenooka-6996044-0", "Mydoom" ], "industries": [ "Government" ], "unique_indicators": 11661 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/likewize.com", "whois": "http://whois.domaintools.com/likewize.com", "domain": "likewize.com", "hostname": "de-appletradein.likewize.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "699c6ef61298b57cd7275728", "name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s", "description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.", "modified": "2026-03-25T07:05:10.628000", "created": "2026-02-23T15:15:02.857000", "tags": [ "ipv4", "http", "passive dns", "files domain", "united", "unknown ns", "for privacy", "ip address", "domain", "dynamicloader", "antivirus", "yara rule", "fe ff", "write c", "msvisualcpp60", "rsds", "e8 c8", "e8 a8", "ff e1", "unknown", "worm", "launch", "write", "explorer", "february", "push", "service", "files", "reverse dns", "america flag", "america asn", "url add", "otx logo", "all ipv4", "searc", "date checked", "server response", "results dec", "unknown soa", "present aug", "present oct", "present sep", "present nov", "moved", "error", "title", "win32mydoom feb", "aaaa", "name servers", "trojan", "servers", "virtool", "united states", "apple", "crlf line", "unicode text", "utf8", "ff d5", "ascii text", "ee fc", "suspicious", "music", "malware", "role title", "ttl value", ".cc", "d4 f5", "msvisualcpp2002", "msvisualcpp2005", "apple support", ".ch", "privaterelay", "pattern match", "ck id", "mitre att", "ck matrix", "href", "et info", "general", "local", "path", "click", "learn", "command", "name tactics", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "present jun", "backdoor", "present may", "status", "ransom", "high", "medium", "windows", "tofsee", "loaderid", "lidfileupd", "localcfg", "rndhex", "stream", "delete", "emotet", "bot network", "mitm", "screenshot", "mimecast" ], "references": [ "http://apple.support.com/ht***** redirect", "https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8", "mac.store", "https://icloud.ch/cn/ipod-touch/", "https://icloud.ch/", "https://multicash.smbcgroup.com/gb/App/Authentication/Challenge", "https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/", "Redirect: schemas.microsoft.com", "apple.com(-inc.cc)", "oas-japac-domains-applecomputer.cn", "robert-aebi.appleid.com", "smtp2.icl-privaterelay.appleid.com", "http://audaxgroup.appleid.com/", "https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php", "iphonegermany.com", "api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud", "https://aspmx.l.google.com/", "api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com", "de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com", "http://www.icloud-sms-alert.com/", "monitoring.eurovision.net", "https://www.irby.com/iub-en/services/testing-and-monitoring", "monitor.kyos.ninja" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/IcedId.DI!MTB", "display_name": "Trojan:Win32/IcedId.DI!MTB", "target": "/malware/Trojan:Win32/IcedId.DI!MTB" }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Worm:Win32/Bloored", "display_name": "Worm:Win32/Bloored", "target": "/malware/Worm:Win32/Bloored" }, { "id": "Win.Malware.Elenooka-6996044-0", "display_name": "Win.Malware.Elenooka-6996044-0", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6031, "hostname": 1971, "domain": 1125, "FileHash-SHA256": 1715, "email": 18, "FileHash-MD5": 317, "FileHash-SHA1": 164 }, "indicator_count": 11341, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "70 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c04a662e48fc9c441ecf16", "name": "Phishing [090925]", "description": "Phishing domains and IP addresses that have been used to send malicious emails.", "modified": "2025-10-09T15:02:08.238000", "created": "2025-09-09T15:40:22.389000", "tags": [ "phishing", "spearphishing", "meta", "facebook", "m365", "scam", "malicious-domain", "malicious-IP" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "FS13JKMK", "id": "312129", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_312129/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 30, "hostname": 63, "email": 11, "URL": 107, "FileHash-SHA256": 5 }, "indicator_count": 216, "is_author": false, "is_subscribing": null, "subscriber_count": 71, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://de-appletradein.likewize.com/login.aspx", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://de-appletradein.likewize.com/login.aspx", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780498498.4936228 }