{
  "type": "URL",
  "indicator": "https://docs.fastly.com/en/guides/common",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://docs.fastly.com/en/guides/common",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "majestic",
        "message": "Whitelisted domain fastly.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 4074464483,
      "indicator": "https://docs.fastly.com/en/guides/common",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "69bf864a324c12b2898c18e5",
          "name": "fastly/trafficmgr",
          "description": "A look at some of the key facts and statistics that have been reported to the internet service provider (icann) over the past seven years:. and how they have affected the web.<<<pretext",
          "modified": "2026-03-22T06:22:30.332000",
          "created": "2026-03-22T06:03:54.532000",
          "tags": [
            "as54113",
            "united",
            "status",
            "aaaa",
            "body",
            "otx telemetry",
            "domain",
            "date",
            "expiration date",
            "name servers"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 277,
            "IPv6": 34,
            "email": 4,
            "IPv4": 574,
            "URL": 146,
            "domain": 178,
            "hostname": 191,
            "FileHash-MD5": 197,
            "FileHash-SHA1": 195
          },
          "indicator_count": 1796,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 47,
          "modified_text": "28 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6964c08bf79bcb252eaa9e15",
          "name": "TrojanSpy -  Spotify account under an attack which conceals artists releases / deletes followers",
          "description": "Spotify Attacks: TrojanSpy - Streamer Spotify account under an attack which conceals artists releases / deletes followers. The attack is adversarial. I\u2019m unclear how widespread it is.  . Further research required. OTX auto generated Pegasus. Released work that was once viewable is now concealed, followers deleted.\n#cloudfront #spyware #delete_service #cloudfront_attacks",
          "modified": "2026-02-11T09:03:20.933000",
          "created": "2026-01-12T09:36:11.701000",
          "tags": [
            "google",
            "fastly",
            "googlecl",
            "january",
            "http",
            "domain",
            "akamaias",
            "cloudflar",
            "page url",
            "de summary",
            "april",
            "reverse dns",
            "url https",
            "general full",
            "software",
            "united",
            "resource hash",
            "protocol h3",
            "security quic",
            "protocol h2",
            "security tls",
            "main",
            "present jan",
            "title",
            "gmt max",
            "certificate",
            "moved",
            "lowfi",
            "gmt content",
            "meta",
            "present dec",
            "status",
            "aaaa",
            "passive dns",
            "urls",
            "search",
            "expiration date",
            "win32",
            "files",
            "verdict",
            "files ip",
            "address",
            "mtb jan",
            "trojandropper",
            "backdoor",
            "win32upatre jan",
            "origin trial",
            "gmt cache",
            "443 ma2592000",
            "possible",
            "worm",
            "trojan",
            "ip address",
            "record value",
            "dark",
            "found",
            "ipv4 add",
            "error",
            "trojanspy",
            "emails",
            "servers",
            "pegasus",
            "america flag",
            "america asn",
            "tlsv1",
            "read c",
            "show",
            "medium",
            "lstockholm",
            "ospotify ab",
            "odigicert inc",
            "execution",
            "next",
            "dock",
            "write",
            "persistence",
            "dynamicloader",
            "yara rule",
            "ms windows",
            "pe32",
            "named pipe",
            "smartassembly",
            "delphi",
            "malware",
            "united states",
            "pe file",
            "filehash",
            "md5 add",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "high",
            "write c",
            "tls sni",
            "tls handshake",
            "delete",
            "as15169",
            "stun binding",
            "request",
            "port",
            "win64",
            "themida",
            "guard",
            "risepro",
            "sha256",
            "sha1",
            "pattern match",
            "ascii text",
            "size",
            "mitre att",
            "ck id",
            "null",
            "refresh",
            "span",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "tools",
            "look",
            "verify",
            "restart",
            "learn",
            "command",
            "name tactics",
            "suspicious",
            "informative",
            "spawns",
            "ck techniques",
            "evasion att",
            "t1480 execution",
            "directui",
            "element",
            "hwndhost",
            "classinfobase",
            "hwndelement",
            "value",
            "explorer",
            "insert",
            "movie",
            "hacktool",
            "showing",
            "entries http",
            "scans show",
            "california",
            "location united",
            "next associated",
            "pulse pulses",
            "name servers",
            "found request",
            "unique",
            "url add",
            "related nids",
            "files location",
            "expiration",
            "flag united",
            "present nov",
            "present sep",
            "href",
            "suricata stream",
            "command decode",
            "starfield",
            "encrypt",
            "iframe",
            "date",
            "title error",
            "hostname",
            "pulse submit",
            "memcommit",
            "checks",
            "windows",
            "capture",
            "cloudfront",
            "colorado",
            "creation date",
            "hostname add",
            "eset",
            "binary file",
            "pdb path",
            "internalname",
            "nod32",
            "amon"
          ],
          "references": [
            "open.spotify.com \u2022",
            "https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2",
            "https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2",
            "FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95",
            "events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com",
            "https://target.tccwest.www.littleswimmers.fr/",
            "www.onyx-ware.com \u2022 endgamesystems.com",
            "cloudfront.net \u2022  d127qq8ld0aiq5.cloudfront.net"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Win.Packed.Stealerc-10017074-0",
              "display_name": "Win.Packed.Stealerc-10017074-0",
              "target": null
            },
            {
              "id": "#Lowfi:Win32/AutoIt",
              "display_name": "#Lowfi:Win32/AutoIt",
              "target": "/malware/#Lowfi:Win32/AutoIt"
            },
            {
              "id": "Win.Packed.Generic-9967832-0",
              "display_name": "Win.Packed.Generic-9967832-0",
              "target": null
            },
            {
              "id": "TrojanSpy:MSIL/Yakbeex.A",
              "display_name": "TrojanSpy:MSIL/Yakbeex.A",
              "target": "/malware/TrojanSpy:MSIL/Yakbeex.A"
            },
            {
              "id": "Pegasus",
              "display_name": "Pegasus",
              "target": null
            },
            {
              "id": "Win32:HacktoolX-gen\\ [Trj]",
              "display_name": "Win32:HacktoolX-gen\\ [Trj]",
              "target": null
            },
            {
              "id": "nUFS_unicode",
              "display_name": "nUFS_unicode",
              "target": null
            },
            {
              "id": "HackTool:Win32/CobaltStrike.A",
              "display_name": "HackTool:Win32/CobaltStrike.A",
              "target": "/malware/HackTool:Win32/CobaltStrike.A"
            },
            {
              "id": "Win.Dropper.PoisonIvy-9876745-0",
              "display_name": "Win.Dropper.PoisonIvy-9876745-0",
              "target": null
            },
            {
              "id": "Trojan:Win32/Zombie.A",
              "display_name": "Trojan:Win32/Zombie.A",
              "target": "/malware/Trojan:Win32/Zombie.A"
            },
            {
              "id": "Win.Trojan.Barys-10005825-0",
              "display_name": "Win.Trojan.Barys-10005825-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1587.001",
              "name": "Malware",
              "display_name": "T1587.001 - Malware"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "TA0037",
              "name": "Command and Control",
              "display_name": "TA0037 - Command and Control"
            }
          ],
          "industries": [
            "Entertainment",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1293,
            "URL": 3389,
            "FileHash-MD5": 635,
            "FileHash-SHA1": 531,
            "FileHash-SHA256": 2345,
            "domain": 501,
            "email": 12,
            "SSLCertFingerprint": 16
          },
          "indicator_count": 8722,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "67 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "690a2c38de1708af54217faa",
          "name": "Access Token used to steal security credentials & hack and ride DND of targeted individuals",
          "description": "- https://shift.gearboxsoftware.com/link\n- Found embedded in targets phone.\n\nAccess Token used to steal security credentials & hack and ride DND of targeted individuals device. \nTAM Legal \u2022  Tulach \u2022 Hall Render \u2022 Quasi Government | Some type of Foundry user account found. \n\nStop illegally \n  stalking, harassment, attempts, hacking, death threats. . Because the Colorado government allowing entities like this to operate without any type of rules, oversight or boundaries \nMILLION$ were wasted in your own fraud, waste in abuse scheme. AT&T , CrowdStrike , United Healthcare , UC Healthcare, Intermountain Health, T-Mobile, Amazon East, the Colorado Government itself, Medicare and Medicaid. For what? You have zero talent so you take it from those who do. You have nothing coming to you so you steal it from those who do. Is this somehow legal? \n#contacted #all_hosts backdoor #ransomware  #cve #usa #american_terrorists #workers_compenstation_abuse #silencing #targeting #hitmen #illegal #malvertizing #aws_dns",
          "modified": "2025-12-04T15:01:02.531000",
          "created": "2025-11-04T16:39:20.035000",
          "tags": [
            "present aug",
            "moved",
            "encrypt",
            "present jul",
            "passive dns",
            "ipv4 add",
            "reverse dns",
            "united states",
            "present may",
            "ip address",
            "gmt content",
            "ipv4",
            "all ipv4",
            "america",
            "united",
            "present oct",
            "name servers",
            "redacted for",
            "emails",
            "for privacy",
            "unknown ns",
            "unknown aaaa",
            "dynamicloader",
            "focus region",
            "unicode text",
            "utf16",
            "ms windows",
            "bokeh onlycanon",
            "zeiss jena",
            "mcsonnar",
            "high",
            "win64",
            "stream",
            "write",
            "smartassembly",
            "trailer",
            "next",
            "search",
            "medium",
            "as15169",
            "write c",
            "reads",
            "team",
            "malware",
            "local",
            "yara detections",
            "delphi",
            "strings",
            "dcom",
            "form",
            "trojandropper",
            "mtb nov",
            "backdoor",
            "otx telemetry",
            "trojan",
            "type",
            "data upload",
            "extraction",
            "ol rop",
            "hash avast",
            "avg clamav",
            "msdefender nov",
            "win32upatre nov",
            "win32berbew nov",
            "dynamic",
            "pe section",
            "error",
            "close",
            "status",
            "urls",
            "expiration date",
            "hostname",
            "url analysis",
            "yara rule",
            "show",
            "binary file",
            "wine emulator",
            "mtb oct",
            "files",
            "denmark asn",
            "as32934",
            "candyopen",
            "possible",
            "smoke loader",
            "trojanspy",
            "filehash",
            "pulses otx",
            "related tags",
            "file type",
            "no analysis",
            "available",
            "api key",
            "screenshots",
            "present nov",
            "aaaa",
            "mtb may",
            "mexico",
            "hostname add",
            "registrar",
            "domain add",
            "location united",
            "email add",
            "none related",
            "domains",
            "email domain",
            "service",
            "domain",
            "america flag",
            "body",
            "title",
            "aws dns",
            "next associated",
            "risepro",
            "guard",
            "v full",
            "reports v",
            "t1059 shared",
            "modules",
            "t1129 system",
            "t1569",
            "help v",
            "t1179 boot",
            "logon autost",
            "encoding",
            "packing f0001",
            "hidden files",
            "e1203 windows",
            "file attributes",
            "registry value",
            "catalog tree",
            "analysis ob0001",
            "evasion b0003",
            "virtual machine",
            "ip traffic",
            "memory pattern",
            "pattern urls",
            "tls sni",
            "get https",
            "post https",
            "named pipe",
            "delete c",
            "radar",
            "defender",
            "format",
            "learn",
            "command",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "spawns",
            "mitre att",
            "ck techniques",
            "evasion att",
            "country",
            "contacted hosts",
            "process details",
            "flag",
            "globalc",
            "intel",
            "win32",
            "worm",
            "path",
            "explorer",
            "script",
            "href",
            "external",
            "html content",
            "tulach",
            "hallrender",
            "tam legal",
            "brian sabey",
            "christopher ahmann",
            "apple",
            "msie",
            "chrome",
            "ascio",
            "creation date",
            "date",
            "germany unknown",
            "germany asn",
            "files ip",
            "address",
            "asn as24940",
            "less",
            "script urls",
            "a domains",
            "prox",
            "dennis schrder",
            "meta",
            "apache",
            "99u25f.exe",
            "entries",
            "as24940 hetzner",
            "dns resolutions",
            "status code",
            "body length",
            "kb body",
            "software/ hardware",
            "external-resources",
            "password-input",
            "overview",
            "colorado"
          ],
          "references": [
            "https://shift.gearboxsoftware.com/link",
            "https://tulach.cc/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/  \u2022 alohatube.xyz \u2022 1001pornvideos.com",
            "x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe",
            "https://www.turbo.net/run/videolan/vlc",
            "http://www.forensickb.com/2013/03/file-entropy-explained.html",
            "https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/",
            "Overview \"Keeping money\" by the Colorado workers' compensation system can refer to",
            "legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal",
            "counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before ."
          ],
          "public": 1,
          "adversary": "Colorado Quasi Government | Workerk Compensation",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Win.Trojan.Generic-9878032-0",
              "display_name": "Win.Trojan.Generic-9878032-0",
              "target": null
            },
            {
              "id": "Win.Trojan.Starter-171",
              "display_name": "Win.Trojan.Starter-171",
              "target": null
            },
            {
              "id": "GravityRAT",
              "display_name": "GravityRAT",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Berbew.AA!MTB",
              "display_name": "Backdoor:Win32/Berbew.AA!MTB",
              "target": "/malware/Backdoor:Win32/Berbew.AA!MTB"
            },
            {
              "id": "Trojan:MSIL/AgentTesla.DW!MTB",
              "display_name": "Trojan:MSIL/AgentTesla.DW!MTB",
              "target": "/malware/Trojan:MSIL/AgentTesla.DW!MTB"
            },
            {
              "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
              "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
              "target": null
            },
            {
              "id": "Trojandropper:Win32/VB.IL",
              "display_name": "Trojandropper:Win32/VB.IL",
              "target": "/malware/Trojandropper:Win32/VB.IL"
            },
            {
              "id": "Nemucod",
              "display_name": "Nemucod",
              "target": null
            },
            {
              "id": "Berbew",
              "display_name": "Berbew",
              "target": null
            },
            {
              "id": "PWS:Win32/Zbot.MS!MTB",
              "display_name": "PWS:Win32/Zbot.MS!MTB",
              "target": "/malware/PWS:Win32/Zbot.MS!MTB"
            },
            {
              "id": "Win.Trojan.Barys-10005825-0",
              "display_name": "Win.Trojan.Barys-10005825-0",
              "target": null
            },
            {
              "id": "Upatre",
              "display_name": "Upatre",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Win.Exploit.Rozena-10038302-0",
              "display_name": "Win.Exploit.Rozena-10038302-0",
              "target": null
            },
            {
              "id": "Zombie",
              "display_name": "Zombie",
              "target": null
            },
            {
              "id": "Trojan:Win32/Zombie",
              "display_name": "Trojan:Win32/Zombie",
              "target": "/malware/Trojan:Win32/Zombie"
            },
            {
              "id": "Muldrop",
              "display_name": "Muldrop",
              "target": null
            },
            {
              "id": "Worm:Win32/Mofksys.RND!MTB",
              "display_name": "Worm:Win32/Mofksys.RND!MTB",
              "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
            },
            {
              "id": "Dorv",
              "display_name": "Dorv",
              "target": null
            },
            {
              "id": "Win.Malware.Pits-10035540-0",
              "display_name": "Win.Malware.Pits-10035540-0",
              "target": null
            },
            {
              "id": "Win.Ransomware.Msilzilla-10014498-0",
              "display_name": "Win.Ransomware.Msilzilla-10014498-0",
              "target": null
            },
            {
              "id": "CVE-2023-4966",
              "display_name": "CVE-2023-4966",
              "target": null
            },
            {
              "id": "Exploit:Linux/CVE-2017-17215",
              "display_name": "Exploit:Linux/CVE-2017-17215",
              "target": "/malware/Exploit:Linux/CVE-2017-17215"
            },
            {
              "id": "Ransom:Win32/CVE-2017-0147",
              "display_name": "Ransom:Win32/CVE-2017-0147",
              "target": "/malware/Ransom:Win32/CVE-2017-0147"
            },
            {
              "id": "CVE-2022-26134",
              "display_name": "CVE-2022-26134",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6051,
            "hostname": 2627,
            "FileHash-MD5": 401,
            "FileHash-SHA1": 257,
            "email": 11,
            "domain": 1838,
            "FileHash-SHA256": 1742,
            "CVE": 4,
            "SSLCertFingerprint": 3
          },
          "indicator_count": 12934,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "135 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68fbc84609098d17c316f23c",
          "name": "NSO - Multiple crimes",
          "description": "Multiple crimes including illegal gambling, loan sharking, cybercrimes , content reputation , instructions. Starfield seen again. Team 8 has seen Starfield in more than 300 pulses. Now it\u2019s gone. Check your devices for innocent looking searches you\u2019ve never searched. Browser extensions found on 3 targeted devices with an adversary with full CnC armed with a deletion and disk wipe service. Local - Denver. \n\nAlso, very concerning is specific Airline to be attacked revealed. It cant be researched without bringing down a flight or messing up air command & control. DJT has already made travel a risky feat by being influenced to fire the (NOAA) & (DOT). Its manipulation. PP Mafia bros. \n\nDoes anyone have any power? Contact someone. We did have a mystery plane incident in Denver after I first reported. Just space junk , ya know the usual. I am serious about preventing crime. I need some help!",
          "modified": "2025-11-23T17:00:58.297000",
          "created": "2025-10-24T18:41:10.936000",
          "tags": [
            "type indicator",
            "added active",
            "related pulses",
            "script urls",
            "united",
            "unknown ns",
            "a domains",
            "ip address",
            "meta",
            "asn as13335",
            "msie",
            "chrome",
            "ransom",
            "trojan",
            "passive dns",
            "backdoor",
            "http request",
            "twitter",
            "win32/crix.c check-in",
            "gmt content",
            "ipv4",
            "urls",
            "files",
            "data upload",
            "extraction",
            "domain add",
            "e emeseieee",
            "dynamicloader",
            "e eue",
            "eweienedeoewese",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "edeeefeaeuelete",
            "unknown",
            "write",
            "bits",
            "malware",
            "xserver",
            "encrypt",
            "unknown aaaa",
            "moved",
            "cloudfront x",
            "hio52 p1",
            "name servers",
            "accept encoding",
            "emails",
            "servers",
            "extr",
            "u a640",
            "a69f u",
            "fe2e fe2f",
            "u a720",
            "a7ff",
            "u feff",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "found",
            "pattern match",
            "mitre att",
            "null",
            "body",
            "pizza",
            "friday",
            "hybrid",
            "general",
            "local",
            "path",
            "starfield",
            "iframe",
            "click",
            "strings",
            "core",
            "bet",
            "gambling",
            "record value",
            "date",
            "present sep",
            "present apr",
            "colombia",
            "present jun",
            "present nov",
            "cookie",
            "present oct",
            "entries",
            "next associated",
            "error",
            "attack",
            "government",
            "scotland",
            "news",
            "covid19",
            "subscribe",
            "october",
            "crown copyright",
            "nhs scotland",
            "parliament",
            "coronavirus",
            "redacted for",
            "domain status",
            "server",
            "privacy tech",
            "privacy admin",
            "email",
            "country",
            "postal code",
            "stateprovince",
            "code",
            "host name",
            "rdap database",
            "handle",
            "iana registrar",
            "entity roles",
            "links",
            "key identifier",
            "x509v3 subject",
            "data",
            "v3 serial",
            "number",
            "cus olet",
            "encrypt cnr12",
            "validity",
            "subject public",
            "key info",
            "medium",
            "write c",
            "search",
            "pe file",
            "high",
            "checks",
            "http",
            "delete",
            "copy",
            "guard",
            "mozilla",
            "next",
            "godaddy",
            "creation date",
            "hostname",
            "pulse submit",
            "url analysis",
            "domain",
            "files ip",
            "trojandropper",
            "mtb oct",
            "mtb may",
            "refloadapihash",
            "foundry",
            "fastly",
            "value a",
            "com laude",
            "ltd dba",
            "nomiq",
            "limited dba",
            "pulse",
            "location united",
            "asn asnone",
            "nameservers"
          ],
          "references": [
            "giovannisnypizza.net \u2022  http://www.giovannisnypizza.net \u2022",
            "fazendabetb.live \u2022 bowiesports.com Check first???",
            "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino",
            "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022",
            "05bet99.bet \u2022  app.05bet99.bet \u2022  betterlifeschool.kr  \u2022  bbrbet.today",
            "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com",
            "cashloanboat.com \u2022 mx-loans-5o.today\u2022  nodoccommercialloan",
            "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards",
            "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/",
            "m.casinometropol225.com \u2022 casinometropol285.com  \u2022 http://bonus.casinometropol285.com \u2022",
            "https://bonus.casinometropol285.com \u2022  www.aksescasinobet77.icu bonus.casinometropol285.com \u2022",
            "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au",
            "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))",
            "The Scottish Government www.gov.scot The NHS Scotland support",
            "http://129.2.4.2/32 Lencr",
            "qlw020.managed-sprint.dynalabs.io (Check)",
            "brave-ohttp-relay-dev.fastly-edge.com (Palantir)",
            "ims.foundryfabrication.co.uk \u2022  timelog.foundryfabrication.co.uk \u2022  ims.foundryfabrication.co",
            "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com",
            "vb.cu \u2022  vb \u2022 vb.il  \u2022 vb.cu \u2022  vb.il \u2022 docs.fastly.com  \u2022 docs.fastly.com",
            "ExternalHosts: US",
            "Starfield again - HoneyPot / Dod- DoW",
            "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction",
            "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware",
            "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b"
          ],
          "public": 1,
          "adversary": "NSO",
          "targeted_countries": [
            "United States of America",
            "Germany",
            "Bulgaria",
            "Singapore",
            "Denmark",
            "Australia",
            "Jersey",
            "Japan",
            "Canada"
          ],
          "malware_families": [
            {
              "id": "Upatre",
              "display_name": "Upatre",
              "target": null
            },
            {
              "id": "Autoit",
              "display_name": "Autoit",
              "target": null
            },
            {
              "id": "Ransom:Win32/Crowti",
              "display_name": "Ransom:Win32/Crowti",
              "target": "/malware/Ransom:Win32/Crowti"
            },
            {
              "id": "Backdoor:Win32/Tofsee.",
              "display_name": "Backdoor:Win32/Tofsee.",
              "target": "/malware/Backdoor:Win32/Tofsee."
            },
            {
              "id": "#Lowfi:SIGATTR:DownloadAndExecute",
              "display_name": "#Lowfi:SIGATTR:DownloadAndExecute",
              "target": null
            },
            {
              "id": "Win.Dropper.Vbclone",
              "display_name": "Win.Dropper.Vbclone",
              "target": null
            },
            {
              "id": "Win.Packer",
              "display_name": "Win.Packer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6261,
            "domain": 1806,
            "hostname": 2427,
            "FileHash-MD5": 384,
            "FileHash-SHA1": 381,
            "email": 13,
            "FileHash-SHA256": 1418,
            "SSLCertFingerprint": 14
          },
          "indicator_count": 12704,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "146 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68fc18514965ccd3b55c216d",
          "name": "Dorv \u2022 Obfuscator - Affecting DropBox",
          "description": "",
          "modified": "2025-11-23T17:00:58.297000",
          "created": "2025-10-25T00:22:41.686000",
          "tags": [
            "type indicator",
            "added active",
            "related pulses",
            "script urls",
            "united",
            "unknown ns",
            "a domains",
            "ip address",
            "meta",
            "asn as13335",
            "msie",
            "chrome",
            "ransom",
            "trojan",
            "passive dns",
            "backdoor",
            "http request",
            "twitter",
            "win32/crix.c check-in",
            "gmt content",
            "ipv4",
            "urls",
            "files",
            "data upload",
            "extraction",
            "domain add",
            "e emeseieee",
            "dynamicloader",
            "e eue",
            "eweienedeoewese",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "edeeefeaeuelete",
            "unknown",
            "write",
            "bits",
            "malware",
            "xserver",
            "encrypt",
            "unknown aaaa",
            "moved",
            "cloudfront x",
            "hio52 p1",
            "name servers",
            "accept encoding",
            "emails",
            "servers",
            "extr",
            "u a640",
            "a69f u",
            "fe2e fe2f",
            "u a720",
            "a7ff",
            "u feff",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "found",
            "pattern match",
            "mitre att",
            "null",
            "body",
            "pizza",
            "friday",
            "hybrid",
            "general",
            "local",
            "path",
            "starfield",
            "iframe",
            "click",
            "strings",
            "core",
            "bet",
            "gambling",
            "record value",
            "date",
            "present sep",
            "present apr",
            "colombia",
            "present jun",
            "present nov",
            "cookie",
            "present oct",
            "entries",
            "next associated",
            "error",
            "attack",
            "government",
            "scotland",
            "news",
            "covid19",
            "subscribe",
            "october",
            "crown copyright",
            "nhs scotland",
            "parliament",
            "coronavirus",
            "redacted for",
            "domain status",
            "server",
            "privacy tech",
            "privacy admin",
            "email",
            "country",
            "postal code",
            "stateprovince",
            "code",
            "host name",
            "rdap database",
            "handle",
            "iana registrar",
            "entity roles",
            "links",
            "key identifier",
            "x509v3 subject",
            "data",
            "v3 serial",
            "number",
            "cus olet",
            "encrypt cnr12",
            "validity",
            "subject public",
            "key info",
            "medium",
            "write c",
            "search",
            "pe file",
            "high",
            "checks",
            "http",
            "delete",
            "copy",
            "guard",
            "mozilla",
            "next",
            "godaddy",
            "creation date",
            "hostname",
            "pulse submit",
            "url analysis",
            "domain",
            "files ip",
            "trojandropper",
            "mtb oct",
            "mtb may",
            "refloadapihash",
            "foundry",
            "fastly",
            "value a",
            "com laude",
            "ltd dba",
            "nomiq",
            "limited dba",
            "pulse",
            "location united",
            "asn asnone",
            "nameservers"
          ],
          "references": [
            "giovannisnypizza.net \u2022  http://www.giovannisnypizza.net \u2022",
            "fazendabetb.live \u2022 bowiesports.com Check first???",
            "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino",
            "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022",
            "05bet99.bet \u2022  app.05bet99.bet \u2022  betterlifeschool.kr  \u2022  bbrbet.today",
            "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com",
            "cashloanboat.com \u2022 mx-loans-5o.today\u2022  nodoccommercialloan",
            "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards",
            "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/",
            "m.casinometropol225.com \u2022 casinometropol285.com  \u2022 http://bonus.casinometropol285.com \u2022",
            "https://bonus.casinometropol285.com \u2022  www.aksescasinobet77.icu bonus.casinometropol285.com \u2022",
            "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au",
            "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))",
            "The Scottish Government www.gov.scot The NHS Scotland support",
            "http://129.2.4.2/32 Lencr",
            "qlw020.managed-sprint.dynalabs.io (Check)",
            "brave-ohttp-relay-dev.fastly-edge.com (Palantir)",
            "ims.foundryfabrication.co.uk \u2022  timelog.foundryfabrication.co.uk \u2022  ims.foundryfabrication.co",
            "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com",
            "vb.cu \u2022  vb \u2022 vb.il  \u2022 vb.cu \u2022  vb.il \u2022 docs.fastly.com  \u2022 docs.fastly.com",
            "ExternalHosts: US",
            "Starfield again - HoneyPot / Dod- DoW",
            "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction",
            "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware",
            "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b"
          ],
          "public": 1,
          "adversary": "NSO",
          "targeted_countries": [
            "United States of America",
            "Germany",
            "Bulgaria",
            "Singapore",
            "Denmark",
            "Australia",
            "Jersey",
            "Japan",
            "Canada"
          ],
          "malware_families": [
            {
              "id": "Upatre",
              "display_name": "Upatre",
              "target": null
            },
            {
              "id": "Autoit",
              "display_name": "Autoit",
              "target": null
            },
            {
              "id": "Ransom:Win32/Crowti",
              "display_name": "Ransom:Win32/Crowti",
              "target": "/malware/Ransom:Win32/Crowti"
            },
            {
              "id": "Backdoor:Win32/Tofsee.",
              "display_name": "Backdoor:Win32/Tofsee.",
              "target": "/malware/Backdoor:Win32/Tofsee."
            },
            {
              "id": "#Lowfi:SIGATTR:DownloadAndExecute",
              "display_name": "#Lowfi:SIGATTR:DownloadAndExecute",
              "target": null
            },
            {
              "id": "Win.Dropper.Vbclone",
              "display_name": "Win.Dropper.Vbclone",
              "target": null
            },
            {
              "id": "Win.Packer",
              "display_name": "Win.Packer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "68fbc84609098d17c316f23c",
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6261,
            "domain": 1806,
            "hostname": 2427,
            "FileHash-MD5": 384,
            "FileHash-SHA1": 381,
            "email": 13,
            "FileHash-SHA256": 1418,
            "SSLCertFingerprint": 14
          },
          "indicator_count": 12704,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "146 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68451577ada8bb0aa0834edb",
          "name": "X - Business Social Media Account used to attack victim",
          "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.",
          "modified": "2025-07-08T04:03:04.386000",
          "created": "2025-06-08T04:45:43.423000",
          "tags": [
            "trojan",
            "ids detections",
            "yara detections",
            "alerts",
            "analysis date",
            "file score",
            "upxoepplace",
            "pulses none",
            "related tags",
            "none file",
            "markus",
            "april",
            "win32",
            "copy",
            "usvwu",
            "usvw",
            "high",
            "medium",
            "show",
            "uss c",
            "binary file",
            "yara",
            "write",
            "delphi",
            "enigma",
            "present mar",
            "aaaa",
            "united",
            "passive dns",
            "date",
            "present nov",
            "moved",
            "urls",
            "creation date",
            "entries",
            "body",
            "trojandropper",
            "susp",
            "msr jul",
            "next associated",
            "pulse pulses",
            "mtb jun",
            "backdoor",
            "content length",
            "html document",
            "ascii text",
            "search",
            "internalname",
            "entries pe",
            "showing",
            "filehash",
            "md5 add",
            "av detections",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "spawns",
            "mitre att",
            "ck techniques",
            "copy md5",
            "copy sha1",
            "copy sha256",
            "sha1",
            "sha256",
            "pattern match",
            "size",
            "encrypt",
            "june",
            "hybrid",
            "local",
            "path",
            "click",
            "twitter",
            "strings",
            "url https",
            "url http",
            "report spam",
            "created",
            "hours ago",
            "bad actor",
            "ck ids",
            "t1057",
            "discovery",
            "t1071",
            "amer",
            "ipv4",
            "indicator role",
            "title added",
            "active related",
            "pulses",
            "china",
            "hong kong",
            "russia",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "pulses url",
            "filehashsha256",
            "url add",
            "http",
            "ip address",
            "related nids",
            "files location",
            "flag united",
            "domain",
            "hostname",
            "next",
            "filehashmd5",
            "protocol",
            "t1105",
            "tool transfer",
            "t1480"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 637,
            "FileHash-SHA1": 639,
            "FileHash-SHA256": 5380,
            "domain": 676,
            "hostname": 1120,
            "URL": 1031,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 9487,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "285 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://bonus.casinometropol285.com \u2022  www.aksescasinobet77.icu bonus.casinometropol285.com \u2022",
        "https://shift.gearboxsoftware.com/link",
        "ExternalHosts: US",
        "https://tulach.cc/",
        "http://www.forensickb.com/2013/03/file-entropy-explained.html",
        "https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/",
        "counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before .",
        "cloudfront.net \u2022  d127qq8ld0aiq5.cloudfront.net",
        "cashloanboat.com \u2022 mx-loans-5o.today\u2022  nodoccommercialloan",
        "www.onyx-ware.com \u2022 endgamesystems.com",
        "Starfield again - HoneyPot / Dod- DoW",
        "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction",
        "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware",
        "FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95",
        "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards",
        "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com",
        "legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal",
        "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com",
        "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/",
        "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022",
        "brave-ohttp-relay-dev.fastly-edge.com (Palantir)",
        "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b",
        "open.spotify.com \u2022",
        "giovannisnypizza.net \u2022  http://www.giovannisnypizza.net \u2022",
        "https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2",
        "qlw020.managed-sprint.dynalabs.io (Check)",
        "Overview \"Keeping money\" by the Colorado workers' compensation system can refer to",
        "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))",
        "https://target.tccwest.www.littleswimmers.fr/",
        "events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com",
        "05bet99.bet \u2022  app.05bet99.bet \u2022  betterlifeschool.kr  \u2022  bbrbet.today",
        "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au",
        "The Scottish Government www.gov.scot The NHS Scotland support",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/  \u2022 alohatube.xyz \u2022 1001pornvideos.com",
        "x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe",
        "ims.foundryfabrication.co.uk \u2022  timelog.foundryfabrication.co.uk \u2022  ims.foundryfabrication.co",
        "https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2",
        "http://129.2.4.2/32 Lencr",
        "https://www.turbo.net/run/videolan/vlc",
        "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino",
        "fazendabetb.live \u2022 bowiesports.com Check first???",
        "m.casinometropol225.com \u2022 casinometropol285.com  \u2022 http://bonus.casinometropol285.com \u2022",
        "vb.cu \u2022  vb \u2022 vb.il  \u2022 vb.cu \u2022  vb.il \u2022 docs.fastly.com  \u2022 docs.fastly.com"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "NSO",
            "Colorado Quasi Government | Workerk Compensation"
          ],
          "malware_families": [
            "Win.trojan.generic-9878032-0",
            "Pws:win32/zbot.ms!mtb",
            "Win32:hacktoolx-gen\\ [trj]",
            "Backdoor:win32/tofsee.",
            "Cve-2023-4966",
            "Win.trojan.barys-10005825-0",
            "#lowfi:sigattr:downloadandexecute",
            "Win.trojan.starter-171",
            "Win.exploit.rozena-10038302-0",
            "Zombie",
            "Trojan:win32/zombie",
            "Muldrop",
            "Win.dropper.vbclone",
            "Trojanspy:msil/yakbeex.a",
            "Backdoor:win32/berbew.aa!mtb",
            "Win.packer",
            "Trojanspy",
            "Berbew",
            "Win.ransomware.msilzilla-10014498-0",
            "Autoit",
            "Gravityrat",
            "Ransom:win32/cve-2017-0147",
            "Hacktool:win32/cobaltstrike.a",
            "Win.packed.generic-9967832-0",
            "Win.malware.pits-10035540-0",
            "Nufs_unicode",
            "Pegasus",
            "Trojan:msil/agenttesla.dw!mtb",
            "#lowfi:win32/autoit",
            "Win.dropper.poisonivy-9876745-0",
            "Trojandropper:win32/vb.il",
            "Win.packed.stealerc-10017074-0",
            "Alf:heraklezeval:trojan:msil/gravityrat!rfn",
            "Worm:win32/mofksys.rnd!mtb",
            "Dorv",
            "Ransom:win32/crowti",
            "Exploit:linux/cve-2017-17215",
            "Cve-2022-26134",
            "Trojan:win32/zombie.a",
            "Nemucod",
            "Upatre"
          ],
          "industries": [
            "Entertainment",
            "Technology"
          ],
          "unique_indicators": 44776
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/fastly.com",
    "whois": "http://whois.domaintools.com/fastly.com",
    "domain": "fastly.com",
    "hostname": "docs.fastly.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "69bf864a324c12b2898c18e5",
      "name": "fastly/trafficmgr",
      "description": "A look at some of the key facts and statistics that have been reported to the internet service provider (icann) over the past seven years:. and how they have affected the web.<<<pretext",
      "modified": "2026-03-22T06:22:30.332000",
      "created": "2026-03-22T06:03:54.532000",
      "tags": [
        "as54113",
        "united",
        "status",
        "aaaa",
        "body",
        "otx telemetry",
        "domain",
        "date",
        "expiration date",
        "name servers"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 277,
        "IPv6": 34,
        "email": 4,
        "IPv4": 574,
        "URL": 146,
        "domain": 178,
        "hostname": 191,
        "FileHash-MD5": 197,
        "FileHash-SHA1": 195
      },
      "indicator_count": 1796,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 47,
      "modified_text": "28 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6964c08bf79bcb252eaa9e15",
      "name": "TrojanSpy -  Spotify account under an attack which conceals artists releases / deletes followers",
      "description": "Spotify Attacks: TrojanSpy - Streamer Spotify account under an attack which conceals artists releases / deletes followers. The attack is adversarial. I\u2019m unclear how widespread it is.  . Further research required. OTX auto generated Pegasus. Released work that was once viewable is now concealed, followers deleted.\n#cloudfront #spyware #delete_service #cloudfront_attacks",
      "modified": "2026-02-11T09:03:20.933000",
      "created": "2026-01-12T09:36:11.701000",
      "tags": [
        "google",
        "fastly",
        "googlecl",
        "january",
        "http",
        "domain",
        "akamaias",
        "cloudflar",
        "page url",
        "de summary",
        "april",
        "reverse dns",
        "url https",
        "general full",
        "software",
        "united",
        "resource hash",
        "protocol h3",
        "security quic",
        "protocol h2",
        "security tls",
        "main",
        "present jan",
        "title",
        "gmt max",
        "certificate",
        "moved",
        "lowfi",
        "gmt content",
        "meta",
        "present dec",
        "status",
        "aaaa",
        "passive dns",
        "urls",
        "search",
        "expiration date",
        "win32",
        "files",
        "verdict",
        "files ip",
        "address",
        "mtb jan",
        "trojandropper",
        "backdoor",
        "win32upatre jan",
        "origin trial",
        "gmt cache",
        "443 ma2592000",
        "possible",
        "worm",
        "trojan",
        "ip address",
        "record value",
        "dark",
        "found",
        "ipv4 add",
        "error",
        "trojanspy",
        "emails",
        "servers",
        "pegasus",
        "america flag",
        "america asn",
        "tlsv1",
        "read c",
        "show",
        "medium",
        "lstockholm",
        "ospotify ab",
        "odigicert inc",
        "execution",
        "next",
        "dock",
        "write",
        "persistence",
        "dynamicloader",
        "yara rule",
        "ms windows",
        "pe32",
        "named pipe",
        "smartassembly",
        "delphi",
        "malware",
        "united states",
        "pe file",
        "filehash",
        "md5 add",
        "av detections",
        "ids detections",
        "yara detections",
        "alerts",
        "high",
        "write c",
        "tls sni",
        "tls handshake",
        "delete",
        "as15169",
        "stun binding",
        "request",
        "port",
        "win64",
        "themida",
        "guard",
        "risepro",
        "sha256",
        "sha1",
        "pattern match",
        "ascii text",
        "size",
        "mitre att",
        "ck id",
        "null",
        "refresh",
        "span",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "tools",
        "look",
        "verify",
        "restart",
        "learn",
        "command",
        "name tactics",
        "suspicious",
        "informative",
        "spawns",
        "ck techniques",
        "evasion att",
        "t1480 execution",
        "directui",
        "element",
        "hwndhost",
        "classinfobase",
        "hwndelement",
        "value",
        "explorer",
        "insert",
        "movie",
        "hacktool",
        "showing",
        "entries http",
        "scans show",
        "california",
        "location united",
        "next associated",
        "pulse pulses",
        "name servers",
        "found request",
        "unique",
        "url add",
        "related nids",
        "files location",
        "expiration",
        "flag united",
        "present nov",
        "present sep",
        "href",
        "suricata stream",
        "command decode",
        "starfield",
        "encrypt",
        "iframe",
        "date",
        "title error",
        "hostname",
        "pulse submit",
        "memcommit",
        "checks",
        "windows",
        "capture",
        "cloudfront",
        "colorado",
        "creation date",
        "hostname add",
        "eset",
        "binary file",
        "pdb path",
        "internalname",
        "nod32",
        "amon"
      ],
      "references": [
        "open.spotify.com \u2022",
        "https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2",
        "https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2",
        "FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95",
        "events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com",
        "https://target.tccwest.www.littleswimmers.fr/",
        "www.onyx-ware.com \u2022 endgamesystems.com",
        "cloudfront.net \u2022  d127qq8ld0aiq5.cloudfront.net"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "Win.Packed.Stealerc-10017074-0",
          "display_name": "Win.Packed.Stealerc-10017074-0",
          "target": null
        },
        {
          "id": "#Lowfi:Win32/AutoIt",
          "display_name": "#Lowfi:Win32/AutoIt",
          "target": "/malware/#Lowfi:Win32/AutoIt"
        },
        {
          "id": "Win.Packed.Generic-9967832-0",
          "display_name": "Win.Packed.Generic-9967832-0",
          "target": null
        },
        {
          "id": "TrojanSpy:MSIL/Yakbeex.A",
          "display_name": "TrojanSpy:MSIL/Yakbeex.A",
          "target": "/malware/TrojanSpy:MSIL/Yakbeex.A"
        },
        {
          "id": "Pegasus",
          "display_name": "Pegasus",
          "target": null
        },
        {
          "id": "Win32:HacktoolX-gen\\ [Trj]",
          "display_name": "Win32:HacktoolX-gen\\ [Trj]",
          "target": null
        },
        {
          "id": "nUFS_unicode",
          "display_name": "nUFS_unicode",
          "target": null
        },
        {
          "id": "HackTool:Win32/CobaltStrike.A",
          "display_name": "HackTool:Win32/CobaltStrike.A",
          "target": "/malware/HackTool:Win32/CobaltStrike.A"
        },
        {
          "id": "Win.Dropper.PoisonIvy-9876745-0",
          "display_name": "Win.Dropper.PoisonIvy-9876745-0",
          "target": null
        },
        {
          "id": "Trojan:Win32/Zombie.A",
          "display_name": "Trojan:Win32/Zombie.A",
          "target": "/malware/Trojan:Win32/Zombie.A"
        },
        {
          "id": "Win.Trojan.Barys-10005825-0",
          "display_name": "Win.Trojan.Barys-10005825-0",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1587.001",
          "name": "Malware",
          "display_name": "T1587.001 - Malware"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "TA0037",
          "name": "Command and Control",
          "display_name": "TA0037 - Command and Control"
        }
      ],
      "industries": [
        "Entertainment",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1293,
        "URL": 3389,
        "FileHash-MD5": 635,
        "FileHash-SHA1": 531,
        "FileHash-SHA256": 2345,
        "domain": 501,
        "email": 12,
        "SSLCertFingerprint": 16
      },
      "indicator_count": 8722,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "67 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "690a2c38de1708af54217faa",
      "name": "Access Token used to steal security credentials & hack and ride DND of targeted individuals",
      "description": "- https://shift.gearboxsoftware.com/link\n- Found embedded in targets phone.\n\nAccess Token used to steal security credentials & hack and ride DND of targeted individuals device. \nTAM Legal \u2022  Tulach \u2022 Hall Render \u2022 Quasi Government | Some type of Foundry user account found. \n\nStop illegally \n  stalking, harassment, attempts, hacking, death threats. . Because the Colorado government allowing entities like this to operate without any type of rules, oversight or boundaries \nMILLION$ were wasted in your own fraud, waste in abuse scheme. AT&T , CrowdStrike , United Healthcare , UC Healthcare, Intermountain Health, T-Mobile, Amazon East, the Colorado Government itself, Medicare and Medicaid. For what? You have zero talent so you take it from those who do. You have nothing coming to you so you steal it from those who do. Is this somehow legal? \n#contacted #all_hosts backdoor #ransomware  #cve #usa #american_terrorists #workers_compenstation_abuse #silencing #targeting #hitmen #illegal #malvertizing #aws_dns",
      "modified": "2025-12-04T15:01:02.531000",
      "created": "2025-11-04T16:39:20.035000",
      "tags": [
        "present aug",
        "moved",
        "encrypt",
        "present jul",
        "passive dns",
        "ipv4 add",
        "reverse dns",
        "united states",
        "present may",
        "ip address",
        "gmt content",
        "ipv4",
        "all ipv4",
        "america",
        "united",
        "present oct",
        "name servers",
        "redacted for",
        "emails",
        "for privacy",
        "unknown ns",
        "unknown aaaa",
        "dynamicloader",
        "focus region",
        "unicode text",
        "utf16",
        "ms windows",
        "bokeh onlycanon",
        "zeiss jena",
        "mcsonnar",
        "high",
        "win64",
        "stream",
        "write",
        "smartassembly",
        "trailer",
        "next",
        "search",
        "medium",
        "as15169",
        "write c",
        "reads",
        "team",
        "malware",
        "local",
        "yara detections",
        "delphi",
        "strings",
        "dcom",
        "form",
        "trojandropper",
        "mtb nov",
        "backdoor",
        "otx telemetry",
        "trojan",
        "type",
        "data upload",
        "extraction",
        "ol rop",
        "hash avast",
        "avg clamav",
        "msdefender nov",
        "win32upatre nov",
        "win32berbew nov",
        "dynamic",
        "pe section",
        "error",
        "close",
        "status",
        "urls",
        "expiration date",
        "hostname",
        "url analysis",
        "yara rule",
        "show",
        "binary file",
        "wine emulator",
        "mtb oct",
        "files",
        "denmark asn",
        "as32934",
        "candyopen",
        "possible",
        "smoke loader",
        "trojanspy",
        "filehash",
        "pulses otx",
        "related tags",
        "file type",
        "no analysis",
        "available",
        "api key",
        "screenshots",
        "present nov",
        "aaaa",
        "mtb may",
        "mexico",
        "hostname add",
        "registrar",
        "domain add",
        "location united",
        "email add",
        "none related",
        "domains",
        "email domain",
        "service",
        "domain",
        "america flag",
        "body",
        "title",
        "aws dns",
        "next associated",
        "risepro",
        "guard",
        "v full",
        "reports v",
        "t1059 shared",
        "modules",
        "t1129 system",
        "t1569",
        "help v",
        "t1179 boot",
        "logon autost",
        "encoding",
        "packing f0001",
        "hidden files",
        "e1203 windows",
        "file attributes",
        "registry value",
        "catalog tree",
        "analysis ob0001",
        "evasion b0003",
        "virtual machine",
        "ip traffic",
        "memory pattern",
        "pattern urls",
        "tls sni",
        "get https",
        "post https",
        "named pipe",
        "delete c",
        "radar",
        "defender",
        "format",
        "learn",
        "command",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "spawns",
        "mitre att",
        "ck techniques",
        "evasion att",
        "country",
        "contacted hosts",
        "process details",
        "flag",
        "globalc",
        "intel",
        "win32",
        "worm",
        "path",
        "explorer",
        "script",
        "href",
        "external",
        "html content",
        "tulach",
        "hallrender",
        "tam legal",
        "brian sabey",
        "christopher ahmann",
        "apple",
        "msie",
        "chrome",
        "ascio",
        "creation date",
        "date",
        "germany unknown",
        "germany asn",
        "files ip",
        "address",
        "asn as24940",
        "less",
        "script urls",
        "a domains",
        "prox",
        "dennis schrder",
        "meta",
        "apache",
        "99u25f.exe",
        "entries",
        "as24940 hetzner",
        "dns resolutions",
        "status code",
        "body length",
        "kb body",
        "software/ hardware",
        "external-resources",
        "password-input",
        "overview",
        "colorado"
      ],
      "references": [
        "https://shift.gearboxsoftware.com/link",
        "https://tulach.cc/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/  \u2022 alohatube.xyz \u2022 1001pornvideos.com",
        "x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe",
        "https://www.turbo.net/run/videolan/vlc",
        "http://www.forensickb.com/2013/03/file-entropy-explained.html",
        "https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/",
        "Overview \"Keeping money\" by the Colorado workers' compensation system can refer to",
        "legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal",
        "counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before ."
      ],
      "public": 1,
      "adversary": "Colorado Quasi Government | Workerk Compensation",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Win.Trojan.Generic-9878032-0",
          "display_name": "Win.Trojan.Generic-9878032-0",
          "target": null
        },
        {
          "id": "Win.Trojan.Starter-171",
          "display_name": "Win.Trojan.Starter-171",
          "target": null
        },
        {
          "id": "GravityRAT",
          "display_name": "GravityRAT",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Berbew.AA!MTB",
          "display_name": "Backdoor:Win32/Berbew.AA!MTB",
          "target": "/malware/Backdoor:Win32/Berbew.AA!MTB"
        },
        {
          "id": "Trojan:MSIL/AgentTesla.DW!MTB",
          "display_name": "Trojan:MSIL/AgentTesla.DW!MTB",
          "target": "/malware/Trojan:MSIL/AgentTesla.DW!MTB"
        },
        {
          "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
          "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
          "target": null
        },
        {
          "id": "Trojandropper:Win32/VB.IL",
          "display_name": "Trojandropper:Win32/VB.IL",
          "target": "/malware/Trojandropper:Win32/VB.IL"
        },
        {
          "id": "Nemucod",
          "display_name": "Nemucod",
          "target": null
        },
        {
          "id": "Berbew",
          "display_name": "Berbew",
          "target": null
        },
        {
          "id": "PWS:Win32/Zbot.MS!MTB",
          "display_name": "PWS:Win32/Zbot.MS!MTB",
          "target": "/malware/PWS:Win32/Zbot.MS!MTB"
        },
        {
          "id": "Win.Trojan.Barys-10005825-0",
          "display_name": "Win.Trojan.Barys-10005825-0",
          "target": null
        },
        {
          "id": "Upatre",
          "display_name": "Upatre",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "Win.Exploit.Rozena-10038302-0",
          "display_name": "Win.Exploit.Rozena-10038302-0",
          "target": null
        },
        {
          "id": "Zombie",
          "display_name": "Zombie",
          "target": null
        },
        {
          "id": "Trojan:Win32/Zombie",
          "display_name": "Trojan:Win32/Zombie",
          "target": "/malware/Trojan:Win32/Zombie"
        },
        {
          "id": "Muldrop",
          "display_name": "Muldrop",
          "target": null
        },
        {
          "id": "Worm:Win32/Mofksys.RND!MTB",
          "display_name": "Worm:Win32/Mofksys.RND!MTB",
          "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
        },
        {
          "id": "Dorv",
          "display_name": "Dorv",
          "target": null
        },
        {
          "id": "Win.Malware.Pits-10035540-0",
          "display_name": "Win.Malware.Pits-10035540-0",
          "target": null
        },
        {
          "id": "Win.Ransomware.Msilzilla-10014498-0",
          "display_name": "Win.Ransomware.Msilzilla-10014498-0",
          "target": null
        },
        {
          "id": "CVE-2023-4966",
          "display_name": "CVE-2023-4966",
          "target": null
        },
        {
          "id": "Exploit:Linux/CVE-2017-17215",
          "display_name": "Exploit:Linux/CVE-2017-17215",
          "target": "/malware/Exploit:Linux/CVE-2017-17215"
        },
        {
          "id": "Ransom:Win32/CVE-2017-0147",
          "display_name": "Ransom:Win32/CVE-2017-0147",
          "target": "/malware/Ransom:Win32/CVE-2017-0147"
        },
        {
          "id": "CVE-2022-26134",
          "display_name": "CVE-2022-26134",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 6051,
        "hostname": 2627,
        "FileHash-MD5": 401,
        "FileHash-SHA1": 257,
        "email": 11,
        "domain": 1838,
        "FileHash-SHA256": 1742,
        "CVE": 4,
        "SSLCertFingerprint": 3
      },
      "indicator_count": 12934,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "135 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68fbc84609098d17c316f23c",
      "name": "NSO - Multiple crimes",
      "description": "Multiple crimes including illegal gambling, loan sharking, cybercrimes , content reputation , instructions. Starfield seen again. Team 8 has seen Starfield in more than 300 pulses. Now it\u2019s gone. Check your devices for innocent looking searches you\u2019ve never searched. Browser extensions found on 3 targeted devices with an adversary with full CnC armed with a deletion and disk wipe service. Local - Denver. \n\nAlso, very concerning is specific Airline to be attacked revealed. It cant be researched without bringing down a flight or messing up air command & control. DJT has already made travel a risky feat by being influenced to fire the (NOAA) & (DOT). Its manipulation. PP Mafia bros. \n\nDoes anyone have any power? Contact someone. We did have a mystery plane incident in Denver after I first reported. Just space junk , ya know the usual. I am serious about preventing crime. I need some help!",
      "modified": "2025-11-23T17:00:58.297000",
      "created": "2025-10-24T18:41:10.936000",
      "tags": [
        "type indicator",
        "added active",
        "related pulses",
        "script urls",
        "united",
        "unknown ns",
        "a domains",
        "ip address",
        "meta",
        "asn as13335",
        "msie",
        "chrome",
        "ransom",
        "trojan",
        "passive dns",
        "backdoor",
        "http request",
        "twitter",
        "win32/crix.c check-in",
        "gmt content",
        "ipv4",
        "urls",
        "files",
        "data upload",
        "extraction",
        "domain add",
        "e emeseieee",
        "dynamicloader",
        "e eue",
        "eweienedeoewese",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "edeeefeaeuelete",
        "unknown",
        "write",
        "bits",
        "malware",
        "xserver",
        "encrypt",
        "unknown aaaa",
        "moved",
        "cloudfront x",
        "hio52 p1",
        "name servers",
        "accept encoding",
        "emails",
        "servers",
        "extr",
        "u a640",
        "a69f u",
        "fe2e fe2f",
        "u a720",
        "a7ff",
        "u feff",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "found",
        "pattern match",
        "mitre att",
        "null",
        "body",
        "pizza",
        "friday",
        "hybrid",
        "general",
        "local",
        "path",
        "starfield",
        "iframe",
        "click",
        "strings",
        "core",
        "bet",
        "gambling",
        "record value",
        "date",
        "present sep",
        "present apr",
        "colombia",
        "present jun",
        "present nov",
        "cookie",
        "present oct",
        "entries",
        "next associated",
        "error",
        "attack",
        "government",
        "scotland",
        "news",
        "covid19",
        "subscribe",
        "october",
        "crown copyright",
        "nhs scotland",
        "parliament",
        "coronavirus",
        "redacted for",
        "domain status",
        "server",
        "privacy tech",
        "privacy admin",
        "email",
        "country",
        "postal code",
        "stateprovince",
        "code",
        "host name",
        "rdap database",
        "handle",
        "iana registrar",
        "entity roles",
        "links",
        "key identifier",
        "x509v3 subject",
        "data",
        "v3 serial",
        "number",
        "cus olet",
        "encrypt cnr12",
        "validity",
        "subject public",
        "key info",
        "medium",
        "write c",
        "search",
        "pe file",
        "high",
        "checks",
        "http",
        "delete",
        "copy",
        "guard",
        "mozilla",
        "next",
        "godaddy",
        "creation date",
        "hostname",
        "pulse submit",
        "url analysis",
        "domain",
        "files ip",
        "trojandropper",
        "mtb oct",
        "mtb may",
        "refloadapihash",
        "foundry",
        "fastly",
        "value a",
        "com laude",
        "ltd dba",
        "nomiq",
        "limited dba",
        "pulse",
        "location united",
        "asn asnone",
        "nameservers"
      ],
      "references": [
        "giovannisnypizza.net \u2022  http://www.giovannisnypizza.net \u2022",
        "fazendabetb.live \u2022 bowiesports.com Check first???",
        "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino",
        "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022",
        "05bet99.bet \u2022  app.05bet99.bet \u2022  betterlifeschool.kr  \u2022  bbrbet.today",
        "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com",
        "cashloanboat.com \u2022 mx-loans-5o.today\u2022  nodoccommercialloan",
        "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards",
        "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/",
        "m.casinometropol225.com \u2022 casinometropol285.com  \u2022 http://bonus.casinometropol285.com \u2022",
        "https://bonus.casinometropol285.com \u2022  www.aksescasinobet77.icu bonus.casinometropol285.com \u2022",
        "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au",
        "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))",
        "The Scottish Government www.gov.scot The NHS Scotland support",
        "http://129.2.4.2/32 Lencr",
        "qlw020.managed-sprint.dynalabs.io (Check)",
        "brave-ohttp-relay-dev.fastly-edge.com (Palantir)",
        "ims.foundryfabrication.co.uk \u2022  timelog.foundryfabrication.co.uk \u2022  ims.foundryfabrication.co",
        "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com",
        "vb.cu \u2022  vb \u2022 vb.il  \u2022 vb.cu \u2022  vb.il \u2022 docs.fastly.com  \u2022 docs.fastly.com",
        "ExternalHosts: US",
        "Starfield again - HoneyPot / Dod- DoW",
        "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction",
        "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware",
        "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b"
      ],
      "public": 1,
      "adversary": "NSO",
      "targeted_countries": [
        "United States of America",
        "Germany",
        "Bulgaria",
        "Singapore",
        "Denmark",
        "Australia",
        "Jersey",
        "Japan",
        "Canada"
      ],
      "malware_families": [
        {
          "id": "Upatre",
          "display_name": "Upatre",
          "target": null
        },
        {
          "id": "Autoit",
          "display_name": "Autoit",
          "target": null
        },
        {
          "id": "Ransom:Win32/Crowti",
          "display_name": "Ransom:Win32/Crowti",
          "target": "/malware/Ransom:Win32/Crowti"
        },
        {
          "id": "Backdoor:Win32/Tofsee.",
          "display_name": "Backdoor:Win32/Tofsee.",
          "target": "/malware/Backdoor:Win32/Tofsee."
        },
        {
          "id": "#Lowfi:SIGATTR:DownloadAndExecute",
          "display_name": "#Lowfi:SIGATTR:DownloadAndExecute",
          "target": null
        },
        {
          "id": "Win.Dropper.Vbclone",
          "display_name": "Win.Dropper.Vbclone",
          "target": null
        },
        {
          "id": "Win.Packer",
          "display_name": "Win.Packer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 6261,
        "domain": 1806,
        "hostname": 2427,
        "FileHash-MD5": 384,
        "FileHash-SHA1": 381,
        "email": 13,
        "FileHash-SHA256": 1418,
        "SSLCertFingerprint": 14
      },
      "indicator_count": 12704,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "146 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68fc18514965ccd3b55c216d",
      "name": "Dorv \u2022 Obfuscator - Affecting DropBox",
      "description": "",
      "modified": "2025-11-23T17:00:58.297000",
      "created": "2025-10-25T00:22:41.686000",
      "tags": [
        "type indicator",
        "added active",
        "related pulses",
        "script urls",
        "united",
        "unknown ns",
        "a domains",
        "ip address",
        "meta",
        "asn as13335",
        "msie",
        "chrome",
        "ransom",
        "trojan",
        "passive dns",
        "backdoor",
        "http request",
        "twitter",
        "win32/crix.c check-in",
        "gmt content",
        "ipv4",
        "urls",
        "files",
        "data upload",
        "extraction",
        "domain add",
        "e emeseieee",
        "dynamicloader",
        "e eue",
        "eweienedeoewese",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "edeeefeaeuelete",
        "unknown",
        "write",
        "bits",
        "malware",
        "xserver",
        "encrypt",
        "unknown aaaa",
        "moved",
        "cloudfront x",
        "hio52 p1",
        "name servers",
        "accept encoding",
        "emails",
        "servers",
        "extr",
        "u a640",
        "a69f u",
        "fe2e fe2f",
        "u a720",
        "a7ff",
        "u feff",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "found",
        "pattern match",
        "mitre att",
        "null",
        "body",
        "pizza",
        "friday",
        "hybrid",
        "general",
        "local",
        "path",
        "starfield",
        "iframe",
        "click",
        "strings",
        "core",
        "bet",
        "gambling",
        "record value",
        "date",
        "present sep",
        "present apr",
        "colombia",
        "present jun",
        "present nov",
        "cookie",
        "present oct",
        "entries",
        "next associated",
        "error",
        "attack",
        "government",
        "scotland",
        "news",
        "covid19",
        "subscribe",
        "october",
        "crown copyright",
        "nhs scotland",
        "parliament",
        "coronavirus",
        "redacted for",
        "domain status",
        "server",
        "privacy tech",
        "privacy admin",
        "email",
        "country",
        "postal code",
        "stateprovince",
        "code",
        "host name",
        "rdap database",
        "handle",
        "iana registrar",
        "entity roles",
        "links",
        "key identifier",
        "x509v3 subject",
        "data",
        "v3 serial",
        "number",
        "cus olet",
        "encrypt cnr12",
        "validity",
        "subject public",
        "key info",
        "medium",
        "write c",
        "search",
        "pe file",
        "high",
        "checks",
        "http",
        "delete",
        "copy",
        "guard",
        "mozilla",
        "next",
        "godaddy",
        "creation date",
        "hostname",
        "pulse submit",
        "url analysis",
        "domain",
        "files ip",
        "trojandropper",
        "mtb oct",
        "mtb may",
        "refloadapihash",
        "foundry",
        "fastly",
        "value a",
        "com laude",
        "ltd dba",
        "nomiq",
        "limited dba",
        "pulse",
        "location united",
        "asn asnone",
        "nameservers"
      ],
      "references": [
        "giovannisnypizza.net \u2022  http://www.giovannisnypizza.net \u2022",
        "fazendabetb.live \u2022 bowiesports.com Check first???",
        "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino",
        "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022",
        "05bet99.bet \u2022  app.05bet99.bet \u2022  betterlifeschool.kr  \u2022  bbrbet.today",
        "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com",
        "cashloanboat.com \u2022 mx-loans-5o.today\u2022  nodoccommercialloan",
        "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards",
        "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/",
        "m.casinometropol225.com \u2022 casinometropol285.com  \u2022 http://bonus.casinometropol285.com \u2022",
        "https://bonus.casinometropol285.com \u2022  www.aksescasinobet77.icu bonus.casinometropol285.com \u2022",
        "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au",
        "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))",
        "The Scottish Government www.gov.scot The NHS Scotland support",
        "http://129.2.4.2/32 Lencr",
        "qlw020.managed-sprint.dynalabs.io (Check)",
        "brave-ohttp-relay-dev.fastly-edge.com (Palantir)",
        "ims.foundryfabrication.co.uk \u2022  timelog.foundryfabrication.co.uk \u2022  ims.foundryfabrication.co",
        "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com",
        "vb.cu \u2022  vb \u2022 vb.il  \u2022 vb.cu \u2022  vb.il \u2022 docs.fastly.com  \u2022 docs.fastly.com",
        "ExternalHosts: US",
        "Starfield again - HoneyPot / Dod- DoW",
        "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction",
        "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware",
        "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b"
      ],
      "public": 1,
      "adversary": "NSO",
      "targeted_countries": [
        "United States of America",
        "Germany",
        "Bulgaria",
        "Singapore",
        "Denmark",
        "Australia",
        "Jersey",
        "Japan",
        "Canada"
      ],
      "malware_families": [
        {
          "id": "Upatre",
          "display_name": "Upatre",
          "target": null
        },
        {
          "id": "Autoit",
          "display_name": "Autoit",
          "target": null
        },
        {
          "id": "Ransom:Win32/Crowti",
          "display_name": "Ransom:Win32/Crowti",
          "target": "/malware/Ransom:Win32/Crowti"
        },
        {
          "id": "Backdoor:Win32/Tofsee.",
          "display_name": "Backdoor:Win32/Tofsee.",
          "target": "/malware/Backdoor:Win32/Tofsee."
        },
        {
          "id": "#Lowfi:SIGATTR:DownloadAndExecute",
          "display_name": "#Lowfi:SIGATTR:DownloadAndExecute",
          "target": null
        },
        {
          "id": "Win.Dropper.Vbclone",
          "display_name": "Win.Dropper.Vbclone",
          "target": null
        },
        {
          "id": "Win.Packer",
          "display_name": "Win.Packer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "68fbc84609098d17c316f23c",
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 6261,
        "domain": 1806,
        "hostname": 2427,
        "FileHash-MD5": 384,
        "FileHash-SHA1": 381,
        "email": 13,
        "FileHash-SHA256": 1418,
        "SSLCertFingerprint": 14
      },
      "indicator_count": 12704,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "146 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68451577ada8bb0aa0834edb",
      "name": "X - Business Social Media Account used to attack victim",
      "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.",
      "modified": "2025-07-08T04:03:04.386000",
      "created": "2025-06-08T04:45:43.423000",
      "tags": [
        "trojan",
        "ids detections",
        "yara detections",
        "alerts",
        "analysis date",
        "file score",
        "upxoepplace",
        "pulses none",
        "related tags",
        "none file",
        "markus",
        "april",
        "win32",
        "copy",
        "usvwu",
        "usvw",
        "high",
        "medium",
        "show",
        "uss c",
        "binary file",
        "yara",
        "write",
        "delphi",
        "enigma",
        "present mar",
        "aaaa",
        "united",
        "passive dns",
        "date",
        "present nov",
        "moved",
        "urls",
        "creation date",
        "entries",
        "body",
        "trojandropper",
        "susp",
        "msr jul",
        "next associated",
        "pulse pulses",
        "mtb jun",
        "backdoor",
        "content length",
        "html document",
        "ascii text",
        "search",
        "internalname",
        "entries pe",
        "showing",
        "filehash",
        "md5 add",
        "av detections",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "spawns",
        "mitre att",
        "ck techniques",
        "copy md5",
        "copy sha1",
        "copy sha256",
        "sha1",
        "sha256",
        "pattern match",
        "size",
        "encrypt",
        "june",
        "hybrid",
        "local",
        "path",
        "click",
        "twitter",
        "strings",
        "url https",
        "url http",
        "report spam",
        "created",
        "hours ago",
        "bad actor",
        "ck ids",
        "t1057",
        "discovery",
        "t1071",
        "amer",
        "ipv4",
        "indicator role",
        "title added",
        "active related",
        "pulses",
        "china",
        "hong kong",
        "russia",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "pulses url",
        "filehashsha256",
        "url add",
        "http",
        "ip address",
        "related nids",
        "files location",
        "flag united",
        "domain",
        "hostname",
        "next",
        "filehashmd5",
        "protocol",
        "t1105",
        "tool transfer",
        "t1480"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 637,
        "FileHash-SHA1": 639,
        "FileHash-SHA256": 5380,
        "domain": 676,
        "hostname": 1120,
        "URL": 1031,
        "SSLCertFingerprint": 4
      },
      "indicator_count": 9487,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "285 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://docs.fastly.com/en/guides/common",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://docs.fastly.com/en/guides/common",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776607197.038885
}