{ "type": "URL", "indicator": "https://dev.marjak.ee", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://dev.marjak.ee", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3989271411, "indicator": "https://dev.marjak.ee", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "698037098c99c37cb91037c2", "name": "Busy Box MITM Attacks via Drive-by-Compromise | Facebook | Apple", "description": "Busy Box - MITM Attack\n\nDrive-by-Compromise | Facebook | Jamie Oliver Recipes | My sister-in-law made this once and I couldn\u2019t stop eating it. \nAdversarial Facebook pop up posts. .\n\n|| Pykspa.C Check in. \"Pykspa is a type of Remote Access Trojan (RAT). A powerful a worm that spreads via social media or via DGA algorithms. Parking crews are fond of these types of attacks. Christopher Ahmann", "modified": "2026-03-04T04:07:14.513000", "created": "2026-02-02T05:32:57.303000", "tags": [ "no expiration", "filehashsha256", "ipv4", "url http", "domain", "hostname", "filehashmd5", "filehashsha1", "iocs", "url https", "search", "type indicator", "review iocs", "role title", "create new", "pulse use", "pdf report", "pcap", "extraction", "sc data", "extre data", "include review", "exclude sugges", "data upload", "failed", "find s", "oo data", "enter source", "url or", "text drag", "expiration", "showing", "entries", "protect", "pulse show", "email abuse", "related pulses", "indicator role", "returnurl no", "drop", "pulse provide", "public tlp", "green", "adversary tags", "buzz", "x8664", "add tag", "groups add", "add industry", "trojan", "tags" ], "references": [ "https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9", "www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250", "Antivirus Detections: Trojan:Win32/Dorv.A", "IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)", "IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup", "IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check", "IDS Detections: Domain (whatismyipaddress .com in HTTP Host)", "Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key", "Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location", "Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile", "Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed", "Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http", "IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80", "IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75", "Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca", "Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com", "Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org", "Antivirus Detections: Win.Malware.Pits-10035540-0", "Yara: Detections Delphi", "Alerts: infostealer_cookies antiav_detectfile", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022", "http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/", "http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe", "http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/", "http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt", "output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]", "https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary", "https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a", "https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf", "https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423", "https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9", "apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022", "https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022", "http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022", "https://cpcontacts.apple4you.it", "AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference", "adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com", "https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest", "https://fs25.mygamesteam.com/download/underground-parking/", "http://spiritzuridgerunelahubcloudgusparkx.rest/", "127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies", "9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB", "ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB", "IDS Detections: Suspicious Activity potential UPnProxy", "Yara Detections: is__elf , ECHOBOT", "Alerts: dead_host network_icmp tcp_by", "Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT", "TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169", "TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335", "TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown", "TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud", "TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks", "TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination", "TAGS: detection detections detections name development att direct dirty dns resolutions domain", "TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att", "TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip", "TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver", "TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey", "TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec", "TAGS: mtb yara name servers name tactics network traffic new browser next associated next", "TAGS: yara niggercat none file null object os x outbound passive dns path pattern match", "TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push", "TAGS: pyspark python python initiated quic ransom recipes record value redacted for", "TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner", "TAGS: sample analysis se domains search security quic add source level span spawns spy", "TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation", "TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater", "TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Hungary" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "DDos:Linux/Gafgyt.YA!MTB", "display_name": "DDos:Linux/Gafgyt.YA!MTB", "target": "/malware/DDos:Linux/Gafgyt.YA!MTB" }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Pykspa.C", "display_name": "Pykspa.C", "target": null }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Unix.Trojan.Gafgyt-698115", "display_name": "Unix.Trojan.Gafgyt-698115", "target": null }, { "id": "4-0 Win.Malware.Pits-10035540-0", "display_name": "4-0 Win.Malware.Pits-10035540-0", "target": null }, { "id": "Win.Packed.Usteal-7531303-0", "display_name": "Win.Packed.Usteal-7531303-0", "target": null }, { "id": "tR", "display_name": "tR", "target": null }, { "id": "DeathHiddenTear (Large&Small HT) >", "display_name": "DeathHiddenTear (Large&Small HT) >", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1586, "FileHash-SHA1": 1479, "FileHash-SHA256": 1938, "URL": 4548, "domain": 1052, "hostname": 2501, "email": 9, "SSLCertFingerprint": 7, "CIDR": 2 }, "indicator_count": 13122, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697cdce9ec418c422eee2054", "name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019", "description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.", "modified": "2026-03-01T16:05:57.375000", "created": "2026-01-30T16:31:37.011000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 7, "CVE": 1 }, "indicator_count": 9592, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d69ecbc0497f97e28618", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:10.502000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d6a601f06adcd1ed22fc", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:18.022000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d6afd744c55bd596ed6e", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:27.248000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fd0cc422cea2fd989581fd", "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)", "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.", "modified": "2025-11-24T17:02:12.441000", "created": "2025-10-25T17:45:40.291000", "tags": [ "ipv4", "levelblue", "open threat", "date sat", "connection", "etag w", "cloudfront", "sameorigin age", "vary", "ip address", "kb body", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "exchange og", "levelblue open", "threat exchange", "exchange", "google tag", "iocs", "search otx", "included iocs", "review iocs", "data upload", "extraction", "layer protocol", "v full", "reports v", "port t1571", "t1573", "oc0006 http", "c0014", "get http", "dns resolutions", "user", "data", "datacrashpad", "edge", "tag manager", "us er", "help files", "shell", "html", "cve202323397", "iframe tags", "community score", "url http", "url https", "united", "united kingdom", "netherlands", "search", "type indicator", "role title", "added active", "related pulses", "indicator role", "title added", "active related", "otc oct", "report spam", "week ago", "scan", "learn more", "filehashmd5", "filehashsha1", "domain", "australia", "does", "josh", "created", "filehashsha256", "present jul", "present oct", "date", "a domains", "script urls", "for privacy", "moved", "script domains", "meta", "title", "body", "pragma", "encrypt", "ck ids", "t1060", "run keys", "startup", "folder", "t1027", "files", "information", "t1055", "injection", "capture", "south korea", "malaysia", "pulses", "fatal error", "hacker known", "name", "unknown", "risk", "weeks ago", "scary", "sova", "colorado", "wire", "name unknown", "thursday", "denver", "types of", "indicators hong", "kong", "tsara brashears", "african", "ethiopia", "b8reactjs", "india", "america", "x ua", "hostname", "dicator role", "pulses url", "airplane", "icator role", "t1432", "access contact", "list", "t1525", "image", "security scan", "heuristic oct", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1114", "t1480", "internal image", "brian sabey", "month ago", "modified", "days ago", "green well", "sabey stash", "service", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sova", "display_name": "Sova", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 956, "FileHash-SHA1": 906, "FileHash-SHA256": 2651, "URL": 4450, "domain": 708, "hostname": 2403, "CVE": 1, "email": 5 }, "indicator_count": 12080, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68edc1c2be848e73a32ab9ba", "name": "Fatal Error - Hacker Known \u2022 Name Unknown | Lives @ risk", "description": "I am connected to targeteds phone. My location is autonomous _ will show up in Colorado most likely. \n\nScary, this weekend a woman dressed like a peasant somehow managed to give me a letter past Thursday with information about a death in the 11th floor of an Apartment in Denver. The Sova. Alleged drug overdose may have actually been a homicide, I sound & feel crazy, there were names inside , emails , plans for Airplane attacks affecting civilians this month. I couldn\u2019t, wouldn\u2019t create this. Apparently UK born citizens sponsored by a Google hierarchy were able to weave their way into the lives a family member & Tsara Brashears . These are white males, anlso involved are citizens from African, Ethiopia, India and America deeply involved. They used fake names and I have said too much. If there is an helpful person on here please help!!! There\nis worse and it might be legal hits to insight money for war!\n#nso_related", "modified": "2025-11-13T02:02:12.454000", "created": "2025-10-14T03:21:38.305000", "tags": [ "pulses ipv4", "ipv4", "div div", "united", "script script", "a li", "present jul", "param", "entries", "present aug", "certificate", "global domains", "date", "title", "class", "meta", "agent", "stack", "life", "a domains", "passive dns", "urls", "ok server", "gmt content", "type", "hostname add", "pulse pulses", "files", "win32mydoom oct", "trojan", "next associated", "pulse", "reverse dns", "twitter", "body", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "yara rule", "ff d5", "ascii text", "f0 ff", "eb e1", "unknown", "copy", "write", "malware", "push", "next", "autorun", "suspicious", "ip address", "unknown ns", "unknown aaaa", "ipv4 add", "location united", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ck id", "show technique", "mitre att", "path", "error", "fatalerror", "general", "hybrid", "local", "click", "strings", "filehashsha256", "filehashmd5", "filehashsha1", "iist", "malware family", "mydoom att", "ck ids", "t1060", "run keys", "indicator role", "title added", "active related", "showing", "url https", "url http", "startup", "folder", "web protocols", "t1105", "tool transfer", "indicators hong", "kong", "china", "germany", "australia", "search", "type indicator", "role title", "added active", "related pulses", "wire", "t1071" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2724, "hostname": 1212, "domain": 410, "FileHash-MD5": 408, "email": 9, "FileHash-SHA256": 604, "FileHash-SHA1": 307 }, "indicator_count": 5674, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cb233ba91aa1eb958b3f31", "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022 OneLouder", "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea", "modified": "2025-10-17T19:03:15.031000", "created": "2025-09-17T21:08:11.518000", "tags": [ "script urls", "meta", "moved", "x tec", "passive dns", "encrypt", "america flag", "san francisco", "extraction", "data upload", "type indicatod", "united states", "a domains", "united", "gmt server", "jose", "university", "bill", "rmhs", "information", "board", "lorin", "joseph", "all veterans", "rocky mountain", "mission", "vice", "april", "school", "austin", "prior", "ipv4 add", "urls", "files", "location united", "wordpress", "rmhs meta", "tags viewport", "rmhs og", "rmhs article", "wpbakery page", "builder", "slider plugin", "google tag", "mountain human", "denver", "connecting", "denver start", "relevance home", "providers", "contact us", "rmhs main", "server", "redacted tech", "redacted admin", "registrar abuse", "algorithm", "key identifier", "x509v3 subject", "dnssec", "country", "ttl value", "graph summary", "resolved ips", "ip address", "port", "data", "screenshots no", "involved direct", "country name", "name response", "tcp connections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "found", "spawns", "t1590 gather", "path", "ascii text", "exif standard", "tiff image", "format", "stop", "false", "soldier", "model", "youth", "baby", "june", "general", "local", "click", "strings", "core", "warrior", "green", "emotion", "flash", "nina", "hunk", "fono", "daam", "mitre att", "ck techniques", "id name", "malicious", "windows nt", "win64", "khtml", "gecko", "brand", "microsoft edge", "show process", "self", "date", "comspec", "hybrid", "form", "log id", "gmtn", "tls web", "b2 f6", "b0n timestamp", "f9401a", "record value", "x wix", "certificate", "domain add", "pulse submit", "body", "domain related", "blackbox", "apple", "helix", "dvrdns", "tracking", "remote access", "ios", "spyware", "hoax", "dynamicloader", "ptls6", "medium", "flashpix", "high", "ygjpavclsline", "officespace", "chartshared", "powershell", "write", "malware", "ygjpaulscontext", "status", "japan unknown", "domain", "pulses", "search", "accept", "apt10", "trojanspy", "win32", "entries", "susp", "backdoor", "useragent", "showing", "virtool", "twitter", "mozilla", "trojandropper", "trojan", "title", "onelouder", "yara det", "maware samoe", "genaco x", "ids detec", "ids terse", "win3 data", "include review", "exclude sugges", "targeting", "show", "copy", "reads", "dynamic", "vendor finding", "notes clamav", "files matching", "number", "sample analysis", "hide samples", "date hash", "next yara" ], "references": [ "rmhumanservices.org", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt", "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt", "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/", "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound", "https://www.mlkfoundation.net/ (Foundry DGA)", "remotewd.com x 34 devices", "South Africa based: remote.advisoroffice.com", "acc.lehigtapp.com - malware", "http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )", "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022", "Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/", "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting", "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net", "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2", "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)", "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname", "1.organization.api.powerplatform.partner.microsoftonline.cn", "chinaeast2.admin.api.powerautomate.cn", "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/", "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A", "ssa-gov.authorizeddns", "hmmm\u2026http://palander.stjernstrom.se/", "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU" ], "public": 1, "adversary": "APT 10", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "APT 10", "display_name": "APT 10", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "KoobFace", "display_name": "KoobFace", "target": null }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Nivdort Checkin", "display_name": "Nivdort Checkin", "target": null }, { "id": "Win.Malware.Installcore-6950365-0", "display_name": "Win.Malware.Installcore-6950365-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Golfing", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 690, "hostname": 1912, "URL": 5925, "FileHash-SHA1": 273, "email": 8, "FileHash-SHA256": 3618, "CIDR": 3, "FileHash-MD5": 254, "SSLCertFingerprint": 19, "CVE": 2 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689d5115ad786de4ff048e5b", "name": "TEL:ECCert!SSLCO | Mirai Malware Hosting | Multi user Tracker", "description": "https://api.mirai.com/MiraiWebService/passbook/180823-77257/4001645 [Malware hosting]\n*TEL:ECCert!SSLCO\nYARA Detections:\nDelphi\nThis program must be run under Win32\ncompilers.\nCode Overlap of Trojan Droppers Backdoors , TrojanSpy\n\n\n#injection_inter_process\n#creates_largekey\n#network_bind\n#ransomware_file_modifications\n#antivm_generic_bios\n#antivm_generic_disk\n#enumerates_physical_drives\n#physical_drive_access\n#deletes_executed_files\n#recon_fingerprint\n#suspicious_command_tools\n#anomalous_deletefile\n#antisandbox_sleep\n#dead_connect\n#dynamic_function_loading\n#http_request\n#ipc_namedpipe\n#network_anomaly\n#powershell_download\n#powershell_request #track #locate #remote_access", "modified": "2025-09-13T02:00:42.729000", "created": "2025-08-14T02:59:33.036000", "tags": [ "url https", "url http", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "present sep", "united", "present aug", "present jul", "present jun", "moved", "unknown ns", "present may", "present apr", "passive dns", "date", "encrypt", "body", "cookie", "gmt server", "content type", "dynamicloader", "medium", "x17x03x01", "download studio", "high", "read c", "show", "windows", "copy", "powershell", "write", "anomaly", "next", "unknown", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "yara detections", "delphi", "codeoverlap", "win32", "rgba", "memcommit", "delete", "png image", "hash", "dock", "execution", "malware", "wine emulator", "dynamic", "msie", "windows nt", "wow64", "slcc2", "media center", "capture", "persistence", "sha256", "submitted", "copy md5", "copy sha1", "copy sha256", "sha1", "script", "mitre att", "ck id", "show technique", "ck matrix", "null", "august", "span", "refresh", "meta", "mirai", "february", "april", "june", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "caribe", "rest", "accept", "friday", "look", "verify", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6211, "domain": 682, "hostname": 1661, "FileHash-MD5": 117, "FileHash-SHA1": 100, "FileHash-SHA256": 1386, "SSLCertFingerprint": 5 }, "indicator_count": 10162, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d30048b95aaba628a5ee7", "name": "Working on it\u2026\u2026", "description": "\u2022 Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\n(onyx-ware.com)\nNS1.ENDGAME.COM\n(endgames.us)\nNS1.ENDGAME.COM\n#deadmau5 #janskyofficial #idk #soundcloud", "modified": "2025-08-19T17:00:59.379000", "created": "2025-07-20T18:05:56.587000", "tags": [ "dynamicloader", "united", "as15169", "medium", "search", "show", "write c", "whitelisted", "brazil as396982", "high", "themida", "write", "delphi", "copy", "upatre", "encrypt", "june", "win32", "malware", "win64", "windows nt", "directui", "element", "classinfobase", "value", "hwndhost", "sapeav12", "delete c", "worm", "explorer", "insert", "movie", "alerts", "windows", "installs", "filehash", "sha256 add", "pulse pulses", "av detections", "ids detections", "passive dns", "urls", "http", "ip address", "related nids", "files location", "spain flag", "spain domain", "files related", "spain", "entries", "next associated", "meta name", "frame src", "ok set", "cookie", "gmt date", "gmt content", "filehashsha256", "type indicator", "role title", "added active", "related pulses", "url http", "filehashmd5", "showing", "url https", "indicator role", "title added", "active related", "iocs", "learn more", "filehashsha1", "types of", "united kingdom", "t1053", "taskjob", "t1055", "injection", "t1082", "t1119", "t1129", "modules", "t1143", "soundcloud", "created", "hour ago", "facebook", "twitter", "victims website", "youtube", "jansky", "trojandropper", "pulses url" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2012, "FileHash-MD5": 140, "FileHash-SHA1": 129, "FileHash-SHA256": 1348, "SSLCertFingerprint": 3, "domain": 288, "hostname": 812 }, "indicator_count": 4732, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687b5499d48de6e54f3bff11", "name": "213.174.130.70 - Spyware Install | Emotet via Malware sites", "description": "Malicious IP address for multiple malware domains. Very malicious spyware, will hijack network and devices. \n\u2022 Best Targeted sites \nSpyware Install\n\u2022 Garveep POST CnC\nBeacon\n\u2022 Worm.Mydoom\nCheckin\n\n#endgame #emotet #mydoom #malware_domains #install_spyware #monitered_targets", "modified": "2025-08-18T08:00:43.712000", "created": "2025-07-19T08:17:29.443000", "tags": [ "handle", "ripe ncc", "ripe network", "address range", "cidr", "allocation type", "assigned pa", "status", "whois server", "entity ah36ripe", "algorithm", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "date", "abuse contact", "orgid", "orgtechhandle", "address", "orgabuseref", "postalcode", "ripe", "seen", "update date", "tech email", "admin country", "expiration date", "dnssec", "admin id", "mi11255597wp", "msie", "chrome", "passive dns", "united", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "hosting", "open", "body", "extraction", "data upload", "failed", "include review", "anorexx", "video", "father sex", "ebony riding", "ebony", "roberta", "type win32", "exe size", "mb first", "file name", "sentinelone", "present jul", "present oct", "entries http", "memcommit", "t1055", "read c", "search", "entries", "show", "medium", "showing", "high process", "injection t1055", "copy", "write", "win32", "malware", "tsara brashears", "tsara", "pornhub", "porn videos", "watch tsara", "most relevant", "open threat", "exchange", "public", "https", "green", "daily", "brashears", "porn", "watch", "busty xxx", "filter tsara", "brashears porn", "url add", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "md5 sha256", "google safe", "browsing", "dynamicloader", "dynamic", "read", "delete", "mtb apr", "trojan", "lowfi", "virtool", "icloader apr", "otx telemetry", "australia", "exploit", "cobalt strike", "hostile", "trojanspy", "msil", "win64", "pulse", "alerts", "yara rule", "named pipe", "xe7xf3xf2x14x9d", "high", "delphi", "local", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "defense evasion", "adversaries", "spawns", "found", "process details", "flag", "contacted", "meta", "location united", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "size", "beginstring", "null", "type data", "error", "span", "hybrid", "general", "click", "strings", "refresh", "tools", "pattern match", "show technique", "mitre att", "ck matrix", "ascii text", "show process", "utf8", "crlf line", "network traffic", "path", "included", "review", "excludea", "sugges data", "typ url", "url url", "url hos", "hos hos", "extraction f", "enter so", "u extractio", "extra data", "included review", "ic excluded", "suggeste", "pulses", "md5 google", "safe browsing", "virustotal api", "comments", "ally s", "extraction data", "enter soudcfidi", "ad temdac", "cddad ad", "praw type", "extr", "include u", "creation date", "record value", "gmt content", "x adblock", "certificate", "domain", "encrypt", "sec ch", "ch ua", "unknown aaaa", "ua full", "ua platform", "present jun", "moved", "ip address", "doctype html", "lander script", "head", "method", "allowed date", "arizona", "scottsdale", "go daddy", "authority", "next associated", "extraction fail", "enter soupce", "udi ad", "trydda dada", "panca type", "ur extraction", "s data", "pr extract", "servers", "hostname", "files ip", "denmark unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 4, "URL": 7528, "domain": 1822, "hostname": 2015, "email": 5, "FileHash-MD5": 373, "FileHash-SHA1": 363, "FileHash-SHA256": 1939 }, "indicator_count": 14049, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67035385a884405e783f9a7e", "name": "Mirai_Botnet_Malware | Healthcare \u00bb savethemalesdenver.com |", "description": "Impacting multiple Colorado medical facilities and educational institutions and patients. || Malware Families\nBackdoor:Linux/Mirai.B\nELF:Mirai-BZ\\ [Trj]\nMirai\nMirai_Botnet_Malware\nTrojan:Win32/Zombie.A\nTrojanClicker:Win32/Frosparf\nTrojanDownloader:Win32/Fosniw\nUnix.Trojan.Mirai-6976991-0\nAd", "modified": "2024-11-06T01:02:24.390000", "created": "2024-10-07T03:20:37.224000", "tags": [ "canada unknown", "redacted for", "as25825", "all scoreblue", "passive dns", "ipv4", "reverse dns", "next", "for privacy", "cname", "united states", "nxdomain", "ns nxdomain", "united", "as21928", "south korea", "as9318 sk", "taiwan as3462", "as701 verizon", "search", "maxage apt", "minage apt", "maxsize apt", "malware", "as44273 host", "creation date", "status", "showing", "record value", "certificate", "date", "urls", "overview ip", "address", "related nids", "files location", "flag united", "domain", "files related", "intel", "ms windows", "users", "pe32", "number", "ascii text", "crlf line", "database", "english", "tue jun", "installer", "template", "trojan", "write", "registrar", "pulse submit", "url analysis", "files", "msie", "chrome", "rdds service", "record", "registrant", "admin", "tech contact", "name servers", "email please", "moved", "trojanproxy", "virtool", "as1221", "aaaa", "asnone united", "show", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "script urls", "gmt path", "fedora", "open ports", "nginx http", "server", "a domains", "gmt content", "set cookie", "gmt etag", "accept", "expiration date", "backdoor", "mirai", "scan endpoints", "all search", "otx scoreblue", "hostname", "verdict", "unknown", "new pulse", "loveland", "america asn", "Generic36.ABKD", "domains", "location canada", "as32133", "files ip", "address domain", "path max", "age86400 set", "cookie", "type", "entries", "script domains", "downloader", "body", "servers", "emails", "gmt max", "title", "meta", "as20940", "as16625 akamai", "west domains", "as4230 claro", "copy", "sabey", "contacted" ], "references": [ "savethemalesdenver.com \u00bb https://www.uchealthcares.org | myuchealth.net | 168.200.5.63 | http://ITSupport.uchealth.org", "bestofus.org Location: United States of America ASN AS18693 university of colorado hospital", "https://floorgoddijn.nl/3798393-dad-dont-my-image-hole-fuck-ass.html", "https://hypnosen.fr/4306769-women-xxvideos-matured-village-african-scene-wapdam.html", "https://kayleighvandalen.nl/8455490-up-hot-bottoms-xxxonxxx-pics-galleries.html", "https://maisonduweb3.fr/6014324-porn-you-ebony-pics-black-xxx.html", "https://mtl-plomberie.fr/1210582-sperm-release-can-pictures-that-naija.html", "https://mtl-plomberie.fr/2536532-\u1200\u1260\u123b-video-xxx.html", "FileHash-SHA256 cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4", "Yara Detections: Mirai_Botnet_Malware Alerts: dead_host network_icmp nolookup_communication", "Domains Contacted: ntp.ubuntu.com", "IP\u2019s Contacted: 1.0.128.143 1.10.54.226 1.107.217.150 1.112.34.224 1.114.165.87 1.116.76.208 1.118.37.88 1.121.139.226 1.122.96.75 1.114.207.168", "device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com", "Trojan:Win32/Zombie.A FileHash-SHA256 ff43920cf098063475b4c62cd63e550fb783e3be1cf7458688b5c1d2d94c6830", "Yara Detections: Nrv2x , upx_3 , UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "cpe-1-159-170-17.wb05.wa.asp.telstra.net", "ELF:Mirai-BZ\\ [Trj] \u00bb device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com | 1.159.170.17 | Perth, Australia ASN AS1221 telstra corporation", "ELF:Mirai-BZ\\ [Trj] cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4 | Australia ASN AS1221 telstra corporation", "Backdoor:Linux/Mirai.B FileHash-SHA1 5df4c3322a68750c6b0c931e8ebebaa60c0a0555", "Yara Detections: Mirai_Botnet_Malware , MAL_ELF_LNX_Mirai_Oct10_2 , SUSP_XORed_Mozilla , is__elf", "198.49.6.6 \u00bb Loveland, United States of America ASN AS25825 poudre valley health care inc." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Taiwan", "Philippines", "India", "Italy", "Germany", "Netherlands" ], "malware_families": [ { "id": "ELF:Mirai-BZ\\ [Trj]", "display_name": "ELF:Mirai-BZ\\ [Trj]", "target": null }, { "id": "Mirai_Botnet_Malware", "display_name": "Mirai_Botnet_Malware", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Unix.Trojan.Mirai-6976991-0", "display_name": "Unix.Trojan.Mirai-6976991-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Backdoor:Linux/Mirai.B", "display_name": "Backdoor:Linux/Mirai.B", "target": "/malware/Backdoor:Linux/Mirai.B" }, { "id": "TrojanDownloader:Win32/Fosniw", "display_name": "TrojanDownloader:Win32/Fosniw", "target": "/malware/TrojanDownloader:Win32/Fosniw" }, { "id": "TrojanClicker:Win32/Frosparf", "display_name": "TrojanClicker:Win32/Frosparf", "target": "/malware/TrojanClicker:Win32/Frosparf" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Legal", "Healthcare", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1230, "email": 16, "hostname": 1560, "URL": 3400, "FileHash-SHA256": 1064, "FileHash-MD5": 544, "FileHash-SHA1": 496, "CVE": 1 }, "indicator_count": 8311, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "529 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://jviwczq.zc-apple.com/", "https://prod.centurylinktechnology.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "https://elegantcosmedampyeah.pages.dev/", "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname", "TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide", "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt", "Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "hmmm\u2026http://palander.stjernstrom.se/", "freedns.afraid.org", "TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169", "TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "okta-dev.gov2x.com", "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com", "Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "http://wonporn.com/top/Pakistani_Sucking", "https://kb.drakesoftware.com/Site/Browse/15183/State", "Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player", "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "savethemalesdenver.com \u00bb https://www.uchealthcares.org | myuchealth.net | 168.200.5.63 | http://ITSupport.uchealth.org", "bestofus.org Location: United States of America ASN AS18693 university of colorado hospital", "https://brand.centurylinktechnology.com", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "ASP. NET", "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A", "IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check", "remotewd.com x 34 devices", "https://floorgoddijn.nl/3798393-dad-dont-my-image-hole-fuck-ass.html", "https://fs25.mygamesteam.com/download/underground-parking/", "Domains Contacted: drive.usercontent.google.com", "TAGS: sample analysis se domains search security quic add source level span spawns spy", "https://palapa.c.id\t (c.id)", "Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT", "https://mtl-plomberie.fr/2536532-\u1200\u1260\u123b-video-xxx.html", "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2", "apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022", "TAGS: mtb yara name servers name tactics network traffic new browser next associated next", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "South Africa based: remote.advisoroffice.com", "rmhumanservices.org", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "Tipped: A targets AI and other cyber research findings.", "Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca", "ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner", "Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http", "IDS Detections: Suspicious Activity potential UPnProxy", "http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan", "TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination", "TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule", "Domains Contacted: ntp.ubuntu.com", "https://hypnosen.fr/4306769-women-xxvideos-matured-village-african-scene-wapdam.html", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary", "https://feedback.ptv.vic.gov.au/360", "TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks", "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound", "Yara Detections: Mirai_Botnet_Malware Alerts: dead_host network_icmp nolookup_communication", "http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt", "IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80", "sprouts@em.sprouts.com?", "Pegasus | A targets devices are obviously infiltrated", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "Backdoor:Linux/Mirai.B FileHash-SHA1 5df4c3322a68750c6b0c931e8ebebaa60c0a0555", "TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation", "Yara: Detections Delphi", "TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335", "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/", "7box.vip", "www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250", "Alerts: cape_detected_threat https_ urls", "output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]", "Yara Detections: Mirai_Botnet_Malware , MAL_ELF_LNX_Mirai_Oct10_2 , SUSP_XORed_Mozilla , is__elf", "Scanning Host: 13.107.246.70", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Sprouts Farmers Market", "Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "Yara Detections: is__elf , ECHOBOT", "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB", "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)", "1.organization.api.powerplatform.partner.microsoftonline.cn", "TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackrock.work.gd/", "iot.insitemaxdev.gov2x.com", "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "chinaeast2.admin.api.powerautomate.cn", "Antivirus Detections: Win.Malware.Pits-10035540-0", "TAGS: yara niggercat none file null object os x outbound passive dns path pattern match", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "verify.gov.tl", "https://hello.riskxchange.co/api/mailings/unsubscribe", "http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe", "TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey", "https://cpcontacts.apple4you.it", "Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com", "acc.lehigtapp.com - malware", "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net", "Yare: compromised_site_redirector_fromcharcode", "TAGS: pyspark python python initiated quic ransom recipes record value redacted for", "TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "https://maisonduweb3.fr/6014324-porn-you-ebony-pics-black-xxx.html", "Malware Hosting: 13.107.226.70", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/", "supplierportal.gov2x.com", "cpe-1-159-170-17.wb05.wa.asp.telstra.net", "ConventionEngine_Anomaly_MultiPDB_Double", "Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://brand2.centurylinktechnology.com", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "ELF:Mirai-BZ\\ [Trj] \u00bb device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com | 1.159.170.17 | Perth, Australia ASN AS1221 telstra corporation", "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt", "cedevice.io \u2022 decagonsoftware.com", "inst.govelopscold.com", "Alerts: infostealer_cookies antiav_detectfile", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf", "Alerts: console_output has_pdb pe_unknown_resource_name", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe", "pcup.gov.ph:", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75", "Sabey , Ahmann, Quasi Government, Government", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip", "https://www.mlkfoundation.net/ (Foundry DGA)", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022", "http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "IDS Detections: Domain (whatismyipaddress .com in HTTP Host)", "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU", "https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Yara Detections: Nrv2x , upx_3 , UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser ,", "IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://spiritzuridgerunelahubcloudgusparkx.rest/", "127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies", "AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference", "Alerts: dead_host network_icmp tcp_by", "adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com", "TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att", "TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push", "198.49.6.6 \u00bb Loveland, United States of America ASN AS25825 poudre valley health care inc.", "ssa-gov.authorizeddns", "https://kayleighvandalen.nl/8455490-up-hot-bottoms-xxxonxxx-pics-galleries.html", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "TAGS: detection detections detections name development att direct dirty dns resolutions domain", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "supply.qld.gov.au", "Trojan:Win32/Zombie.A FileHash-SHA256 ff43920cf098063475b4c62cd63e550fb783e3be1cf7458688b5c1d2d94c6830", "https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec", "http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )", "https://mtl-plomberie.fr/1210582-sperm-release-can-pictures-that-naija.html", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "api.optimizer.insitemaxdev.gov2x.com", "FileHash-SHA256 cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4", "https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9", "http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup", "Antivirus Detections: Trojan:Win32/Dorv.A", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "IP\u2019s Contacted: 1.0.128.143 1.10.54.226 1.107.217.150 1.112.34.224 1.114.165.87 1.116.76.208 1.118.37.88 1.121.139.226 1.122.96.75 1.114.207.168", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "UPX_OEP_place", "https://mobile-pocket-guide.centurylinktechnology.com", "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "ELF:Mirai-BZ\\ [Trj] cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4 | Australia ASN AS1221 telstra corporation", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "APT 10" ], "malware_families": [ "Trojandownloader:win32/fosniw", "Ddos:linux/gafgyt.ya!mtb", "Unix.trojan.gafgyt-698115", "Nivdort checkin", "Win.trojan.pushdo-15", "Alf:heraklezeval:trojan:win32/clipbanker", "Apt 10", "Pykspa.c", "Deathhiddentear (large&small ht) >", "Trojan:win32/dorv.a", "Koobface", "#lowfi:hookwowlow", "Pegasus", "Win.trojan.emotet-9850453-0", "Bayrob", "Sf:shellcode-au\\ [trj]", "Worm:win32/mofksys.rnd!mtb", "Trojan:win32/zombie.a", "4-0 win.malware.pits-10035540-0", "Trojanclicker:win32/frosparf", "Sality", "Win.malware.installcore-6950365-0", "Backdoor:linux/mirai.b", "Win.trojan.vbgeneric-6735875-0", "Trojandownloader:win32/cutwail.bs", "Win32:trojano-chf\\ [trj]", "Win.packed.usteal-7531303-0", "Mirai", "Elf:ddos-s\\ [trj]", "Win32:evo-gen\\ [susp]", "Worm:win32/lightmoon.h", "Win.trojan.cobaltstrike-9044898-1", "Mirai_botnet_malware", "Elf:mirai-bz\\ [trj]", "Worm:win32/autorun!atmn", "Trojan.tofsee/botx", "Sova", "Onelouder", "Alf:trojan:win32/anorocuriv.a", "Unix.trojan.mirai-6976991-0", "Andromeda", "Pws:win32/axespec.a", "Win.downloader.3867-1", "Tr", "Virtool:win32/ceeinject.gen!ah", "Slf:win64/cobpipe.a", "Alf:jasyp:trojan:win32/ircbot!atmn", "Alf:program:win32/webcompanion" ], "industries": [ "Education", "Technology", "Government", "Legal", "Retail", "Healthcare", "Golfing" ], "unique_indicators": 100396 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/marjak.ee", "whois": "http://whois.domaintools.com/marjak.ee", "domain": "marjak.ee", "hostname": "dev.marjak.ee" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "698037098c99c37cb91037c2", "name": "Busy Box MITM Attacks via Drive-by-Compromise | Facebook | Apple", "description": "Busy Box - MITM Attack\n\nDrive-by-Compromise | Facebook | Jamie Oliver Recipes | My sister-in-law made this once and I couldn\u2019t stop eating it. \nAdversarial Facebook pop up posts. .\n\n|| Pykspa.C Check in. \"Pykspa is a type of Remote Access Trojan (RAT). A powerful a worm that spreads via social media or via DGA algorithms. Parking crews are fond of these types of attacks. Christopher Ahmann", "modified": "2026-03-04T04:07:14.513000", "created": "2026-02-02T05:32:57.303000", "tags": [ "no expiration", "filehashsha256", "ipv4", "url http", "domain", "hostname", "filehashmd5", "filehashsha1", "iocs", "url https", "search", "type indicator", "review iocs", "role title", "create new", "pulse use", "pdf report", "pcap", "extraction", "sc data", "extre data", "include review", "exclude sugges", "data upload", "failed", "find s", "oo data", "enter source", "url or", "text drag", "expiration", "showing", "entries", "protect", "pulse show", "email abuse", "related pulses", "indicator role", "returnurl no", "drop", "pulse provide", "public tlp", "green", "adversary tags", "buzz", "x8664", "add tag", "groups add", "add industry", "trojan", "tags" ], "references": [ "https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9", "www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250", "Antivirus Detections: Trojan:Win32/Dorv.A", "IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)", "IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup", "IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check", "IDS Detections: Domain (whatismyipaddress .com in HTTP Host)", "Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key", "Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location", "Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile", "Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed", "Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http", "IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80", "IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75", "Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca", "Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com", "Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org", "Antivirus Detections: Win.Malware.Pits-10035540-0", "Yara: Detections Delphi", "Alerts: infostealer_cookies antiav_detectfile", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022", "http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/", "http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe", "http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/", "http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt", "output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]", "https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary", "https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a", "https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf", "https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423", "https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9", "apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022", "https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022", "http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022", "https://cpcontacts.apple4you.it", "AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference", "adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com", "https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest", "https://fs25.mygamesteam.com/download/underground-parking/", "http://spiritzuridgerunelahubcloudgusparkx.rest/", "127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies", "9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB", "ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB", "IDS Detections: Suspicious Activity potential UPnProxy", "Yara Detections: is__elf , ECHOBOT", "Alerts: dead_host network_icmp tcp_by", "Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT", "TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169", "TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335", "TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown", "TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud", "TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks", "TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination", "TAGS: detection detections detections name development att direct dirty dns resolutions domain", "TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att", "TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip", "TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver", "TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey", "TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec", "TAGS: mtb yara name servers name tactics network traffic new browser next associated next", "TAGS: yara niggercat none file null object os x outbound passive dns path pattern match", "TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push", "TAGS: pyspark python python initiated quic ransom recipes record value redacted for", "TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner", "TAGS: sample analysis se domains search security quic add source level span spawns spy", "TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation", "TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater", "TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Hungary" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "DDos:Linux/Gafgyt.YA!MTB", "display_name": "DDos:Linux/Gafgyt.YA!MTB", "target": "/malware/DDos:Linux/Gafgyt.YA!MTB" }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Pykspa.C", "display_name": "Pykspa.C", "target": null }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Unix.Trojan.Gafgyt-698115", "display_name": "Unix.Trojan.Gafgyt-698115", "target": null }, { "id": "4-0 Win.Malware.Pits-10035540-0", "display_name": "4-0 Win.Malware.Pits-10035540-0", "target": null }, { "id": "Win.Packed.Usteal-7531303-0", "display_name": "Win.Packed.Usteal-7531303-0", "target": null }, { "id": "tR", "display_name": "tR", "target": null }, { "id": "DeathHiddenTear (Large&Small HT) >", "display_name": "DeathHiddenTear (Large&Small HT) >", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1586, "FileHash-SHA1": 1479, "FileHash-SHA256": 1938, "URL": 4548, "domain": 1052, "hostname": 2501, "email": 9, "SSLCertFingerprint": 7, "CIDR": 2 }, "indicator_count": 13122, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697cdce9ec418c422eee2054", "name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019", "description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.", "modified": "2026-03-01T16:05:57.375000", "created": "2026-01-30T16:31:37.011000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 7, "CVE": 1 }, "indicator_count": 9592, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d69ecbc0497f97e28618", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:10.502000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d6a601f06adcd1ed22fc", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:18.022000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d6afd744c55bd596ed6e", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:27.248000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fd0cc422cea2fd989581fd", "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)", "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.", "modified": "2025-11-24T17:02:12.441000", "created": "2025-10-25T17:45:40.291000", "tags": [ "ipv4", "levelblue", "open threat", "date sat", "connection", "etag w", "cloudfront", "sameorigin age", "vary", "ip address", "kb body", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "exchange og", "levelblue open", "threat exchange", "exchange", "google tag", "iocs", "search otx", "included iocs", "review iocs", "data upload", "extraction", "layer protocol", "v full", "reports v", "port t1571", "t1573", "oc0006 http", "c0014", "get http", "dns resolutions", "user", "data", "datacrashpad", "edge", "tag manager", "us er", "help files", "shell", "html", "cve202323397", "iframe tags", "community score", "url http", "url https", "united", "united kingdom", "netherlands", "search", "type indicator", "role title", "added active", "related pulses", "indicator role", "title added", "active related", "otc oct", "report spam", "week ago", "scan", "learn more", "filehashmd5", "filehashsha1", "domain", "australia", "does", "josh", "created", "filehashsha256", "present jul", "present oct", "date", "a domains", "script urls", "for privacy", "moved", "script domains", "meta", "title", "body", "pragma", "encrypt", "ck ids", "t1060", "run keys", "startup", "folder", "t1027", "files", "information", "t1055", "injection", "capture", "south korea", "malaysia", "pulses", "fatal error", "hacker known", "name", "unknown", "risk", "weeks ago", "scary", "sova", "colorado", "wire", "name unknown", "thursday", "denver", "types of", "indicators hong", "kong", "tsara brashears", "african", "ethiopia", "b8reactjs", "india", "america", "x ua", "hostname", "dicator role", "pulses url", "airplane", "icator role", "t1432", "access contact", "list", "t1525", "image", "security scan", "heuristic oct", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1114", "t1480", "internal image", "brian sabey", "month ago", "modified", "days ago", "green well", "sabey stash", "service", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sova", "display_name": "Sova", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 956, "FileHash-SHA1": 906, "FileHash-SHA256": 2651, "URL": 4450, "domain": 708, "hostname": 2403, "CVE": 1, "email": 5 }, "indicator_count": 12080, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68edc1c2be848e73a32ab9ba", "name": "Fatal Error - Hacker Known \u2022 Name Unknown | Lives @ risk", "description": "I am connected to targeteds phone. My location is autonomous _ will show up in Colorado most likely. \n\nScary, this weekend a woman dressed like a peasant somehow managed to give me a letter past Thursday with information about a death in the 11th floor of an Apartment in Denver. The Sova. Alleged drug overdose may have actually been a homicide, I sound & feel crazy, there were names inside , emails , plans for Airplane attacks affecting civilians this month. I couldn\u2019t, wouldn\u2019t create this. Apparently UK born citizens sponsored by a Google hierarchy were able to weave their way into the lives a family member & Tsara Brashears . These are white males, anlso involved are citizens from African, Ethiopia, India and America deeply involved. They used fake names and I have said too much. If there is an helpful person on here please help!!! There\nis worse and it might be legal hits to insight money for war!\n#nso_related", "modified": "2025-11-13T02:02:12.454000", "created": "2025-10-14T03:21:38.305000", "tags": [ "pulses ipv4", "ipv4", "div div", "united", "script script", "a li", "present jul", "param", "entries", "present aug", "certificate", "global domains", "date", "title", "class", "meta", "agent", "stack", "life", "a domains", "passive dns", "urls", "ok server", "gmt content", "type", "hostname add", "pulse pulses", "files", "win32mydoom oct", "trojan", "next associated", "pulse", "reverse dns", "twitter", "body", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "yara rule", "ff d5", "ascii text", "f0 ff", "eb e1", "unknown", "copy", "write", "malware", "push", "next", "autorun", "suspicious", "ip address", "unknown ns", "unknown aaaa", "ipv4 add", "location united", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ck id", "show technique", "mitre att", "path", "error", "fatalerror", "general", "hybrid", "local", "click", "strings", "filehashsha256", "filehashmd5", "filehashsha1", "iist", "malware family", "mydoom att", "ck ids", "t1060", "run keys", "indicator role", "title added", "active related", "showing", "url https", "url http", "startup", "folder", "web protocols", "t1105", "tool transfer", "indicators hong", "kong", "china", "germany", "australia", "search", "type indicator", "role title", "added active", "related pulses", "wire", "t1071" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2724, "hostname": 1212, "domain": 410, "FileHash-MD5": 408, "email": 9, "FileHash-SHA256": 604, "FileHash-SHA1": 307 }, "indicator_count": 5674, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cb233ba91aa1eb958b3f31", "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022 OneLouder", "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea", "modified": "2025-10-17T19:03:15.031000", "created": "2025-09-17T21:08:11.518000", "tags": [ "script urls", "meta", "moved", "x tec", "passive dns", "encrypt", "america flag", "san francisco", "extraction", "data upload", "type indicatod", "united states", "a domains", "united", "gmt server", "jose", "university", "bill", "rmhs", "information", "board", "lorin", "joseph", "all veterans", "rocky mountain", "mission", "vice", "april", "school", "austin", "prior", "ipv4 add", "urls", "files", "location united", "wordpress", "rmhs meta", "tags viewport", "rmhs og", "rmhs article", "wpbakery page", "builder", "slider plugin", "google tag", "mountain human", "denver", "connecting", "denver start", "relevance home", "providers", "contact us", "rmhs main", "server", "redacted tech", "redacted admin", "registrar abuse", "algorithm", "key identifier", "x509v3 subject", "dnssec", "country", "ttl value", "graph summary", "resolved ips", "ip address", "port", "data", "screenshots no", "involved direct", "country name", "name response", "tcp connections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "found", "spawns", "t1590 gather", "path", "ascii text", "exif standard", "tiff image", "format", "stop", "false", "soldier", "model", "youth", "baby", "june", "general", "local", "click", "strings", "core", "warrior", "green", "emotion", "flash", "nina", "hunk", "fono", "daam", "mitre att", "ck techniques", "id name", "malicious", "windows nt", "win64", "khtml", "gecko", "brand", "microsoft edge", "show process", "self", "date", "comspec", "hybrid", "form", "log id", "gmtn", "tls web", "b2 f6", "b0n timestamp", "f9401a", "record value", "x wix", "certificate", "domain add", "pulse submit", "body", "domain related", "blackbox", "apple", "helix", "dvrdns", "tracking", "remote access", "ios", "spyware", "hoax", "dynamicloader", "ptls6", "medium", "flashpix", "high", "ygjpavclsline", "officespace", "chartshared", "powershell", "write", "malware", "ygjpaulscontext", "status", "japan unknown", "domain", "pulses", "search", "accept", "apt10", "trojanspy", "win32", "entries", "susp", "backdoor", "useragent", "showing", "virtool", "twitter", "mozilla", "trojandropper", "trojan", "title", "onelouder", "yara det", "maware samoe", "genaco x", "ids detec", "ids terse", "win3 data", "include review", "exclude sugges", "targeting", "show", "copy", "reads", "dynamic", "vendor finding", "notes clamav", "files matching", "number", "sample analysis", "hide samples", "date hash", "next yara" ], "references": [ "rmhumanservices.org", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt", "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt", "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/", "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound", "https://www.mlkfoundation.net/ (Foundry DGA)", "remotewd.com x 34 devices", "South Africa based: remote.advisoroffice.com", "acc.lehigtapp.com - malware", "http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )", "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022", "Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/", "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting", "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net", "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2", "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)", "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname", "1.organization.api.powerplatform.partner.microsoftonline.cn", "chinaeast2.admin.api.powerautomate.cn", "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/", "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A", "ssa-gov.authorizeddns", "hmmm\u2026http://palander.stjernstrom.se/", "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU" ], "public": 1, "adversary": "APT 10", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "APT 10", "display_name": "APT 10", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "KoobFace", "display_name": "KoobFace", "target": null }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Nivdort Checkin", "display_name": "Nivdort Checkin", "target": null }, { "id": "Win.Malware.Installcore-6950365-0", "display_name": "Win.Malware.Installcore-6950365-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Golfing", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 690, "hostname": 1912, "URL": 5925, "FileHash-SHA1": 273, "email": 8, "FileHash-SHA256": 3618, "CIDR": 3, "FileHash-MD5": 254, "SSLCertFingerprint": 19, "CVE": 2 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689d5115ad786de4ff048e5b", "name": "TEL:ECCert!SSLCO | Mirai Malware Hosting | Multi user Tracker", "description": "https://api.mirai.com/MiraiWebService/passbook/180823-77257/4001645 [Malware hosting]\n*TEL:ECCert!SSLCO\nYARA Detections:\nDelphi\nThis program must be run under Win32\ncompilers.\nCode Overlap of Trojan Droppers Backdoors , TrojanSpy\n\n\n#injection_inter_process\n#creates_largekey\n#network_bind\n#ransomware_file_modifications\n#antivm_generic_bios\n#antivm_generic_disk\n#enumerates_physical_drives\n#physical_drive_access\n#deletes_executed_files\n#recon_fingerprint\n#suspicious_command_tools\n#anomalous_deletefile\n#antisandbox_sleep\n#dead_connect\n#dynamic_function_loading\n#http_request\n#ipc_namedpipe\n#network_anomaly\n#powershell_download\n#powershell_request #track #locate #remote_access", "modified": "2025-09-13T02:00:42.729000", "created": "2025-08-14T02:59:33.036000", "tags": [ "url https", "url http", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "present sep", "united", "present aug", "present jul", "present jun", "moved", "unknown ns", "present may", "present apr", "passive dns", "date", "encrypt", "body", "cookie", "gmt server", "content type", "dynamicloader", "medium", "x17x03x01", "download studio", "high", "read c", "show", "windows", "copy", "powershell", "write", "anomaly", "next", "unknown", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "yara detections", "delphi", "codeoverlap", "win32", "rgba", "memcommit", "delete", "png image", "hash", "dock", "execution", "malware", "wine emulator", "dynamic", "msie", "windows nt", "wow64", "slcc2", "media center", "capture", "persistence", "sha256", "submitted", "copy md5", "copy sha1", "copy sha256", "sha1", "script", "mitre att", "ck id", "show technique", "ck matrix", "null", "august", "span", "refresh", "meta", "mirai", "february", "april", "june", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "caribe", "rest", "accept", "friday", "look", "verify", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6211, "domain": 682, "hostname": 1661, "FileHash-MD5": 117, "FileHash-SHA1": 100, "FileHash-SHA256": 1386, "SSLCertFingerprint": 5 }, "indicator_count": 10162, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d30048b95aaba628a5ee7", "name": "Working on it\u2026\u2026", "description": "\u2022 Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\n(onyx-ware.com)\nNS1.ENDGAME.COM\n(endgames.us)\nNS1.ENDGAME.COM\n#deadmau5 #janskyofficial #idk #soundcloud", "modified": "2025-08-19T17:00:59.379000", "created": "2025-07-20T18:05:56.587000", "tags": [ "dynamicloader", "united", "as15169", "medium", "search", "show", "write c", "whitelisted", "brazil as396982", "high", "themida", "write", "delphi", "copy", "upatre", "encrypt", "june", "win32", "malware", "win64", "windows nt", "directui", "element", "classinfobase", "value", "hwndhost", "sapeav12", "delete c", "worm", "explorer", "insert", "movie", "alerts", "windows", "installs", "filehash", "sha256 add", "pulse pulses", "av detections", "ids detections", "passive dns", "urls", "http", "ip address", "related nids", "files location", "spain flag", "spain domain", "files related", "spain", "entries", "next associated", "meta name", "frame src", "ok set", "cookie", "gmt date", "gmt content", "filehashsha256", "type indicator", "role title", "added active", "related pulses", "url http", "filehashmd5", "showing", "url https", "indicator role", "title added", "active related", "iocs", "learn more", "filehashsha1", "types of", "united kingdom", "t1053", "taskjob", "t1055", "injection", "t1082", "t1119", "t1129", "modules", "t1143", "soundcloud", "created", "hour ago", "facebook", "twitter", "victims website", "youtube", "jansky", "trojandropper", "pulses url" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2012, "FileHash-MD5": 140, "FileHash-SHA1": 129, "FileHash-SHA256": 1348, "SSLCertFingerprint": 3, "domain": 288, "hostname": 812 }, "indicator_count": 4732, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://dev.marjak.ee", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://dev.marjak.ee", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776627766.1523538 }