{ "type": "URL", "indicator": "https://email.casinolawgroup.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://email.casinolawgroup.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3790653379, "indicator": "https://email.casinolawgroup.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "69aa003c63c19b7be7671c65", "name": "re post by Q.Vashti cloned", "description": "", "modified": "2026-03-06T05:11:14.366000", "created": "2026-03-05T22:14:20.388000", "tags": [ "filehashmd5", "filehashsha256", "ipv4", "filehashsha1", "domain", "types", "indicators show", "search", "type indicator", "role title", "added active", "scan", "iocs", "learn more", "related pulses", "url https", "url http", "countrycn", "countrycn sep", "indicator role", "title added", "active related", "pulses url", "xtblogblockid1", "pulses", "zdata0", "browserie", "browserver8", "defaultie", "ver1360122", "defaultch", "browserver11", "filesize", "browserid1", "qmark", "methodpost" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "68ffa35cd4eefffa0ffbeae1", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 381, "FileHash-SHA1": 367, "FileHash-SHA256": 767, "domain": 179, "URL": 1615, "hostname": 946, "CVE": 1 }, "indicator_count": 4256, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69434bae6aa51aea5cbe4686", "name": "Malicious Entertainment Licensing Scheme attacked independent artists", "description": "Unique entertainment scheme that seemed to have either intentionally usurped the copyrights of artists accepted for music licensing deals. It\u2019s possible company was attacked. Is connected to a target. Several entities related to this music licensing company were attacked by Pegasus and Lazarus Group including Sony music. Christopher P.\u2019Buzz\u2019 Ahmann is related to the attacks. Unfortunately a Colorado IT company that lists individuals related to hacked studio as an employee has been cyber stalking target. The licensing company is unavailable online. \nInteresting mafia relationships. \nOTX auto populated - AFFixmusic.com is an unregistered domain name with an address address of 166.109.7, the same address as GoDaddy.Com.co.org, which is also known as Godaddy.{", "modified": "2026-01-17T00:03:29.023000", "created": "2025-12-18T00:32:46.567000", "tags": [ "united", "as44273 host", "unknown xn", "title style", "f2f2f2 color", "helvetica neue", "twitter", "ipv4", "hosting", "helvetica arial", "united states", "verdict", "files ip", "name servers", "west domains", "as autonomous", "system", "cloudflar", "cisco", "umbrella rank", "unknown", "present dec", "nxdomain", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "godaddycomllc", "linux x8664", "khtml", "gecko", "cloudflarenet", "veryhigh", "americachicago", "conflict", "sameorigin", "cloudflare", "please", "text content", "ray id", "utc dns", "what happened", "thank", "cloudflare ray", "click", "performance", "general full", "resource", "name value", "url http", "server", "asn398787", "type mimetype", "uni idc", "passive dns", "urls", "hostname add", "url analysis", "files", "domain", "october", "divi object", "waypoint object", "reverse dns", "software", "asn26496", "resource hash", "security", "main", "google", "page url", "address as", "as26496", "screenshot page", "title affix", "music", "music licensing", "made easy", "history http", "found", "title", "extraction", "lte all", "search otx", "enter", "data upload", "enter source", "url data", "bad request", "next associated", "facebook url", "google url", "new releases", "music url", "kyle troop", "marsna design", "whitelisted", "status", "ip address", "search", "aaaa nxdomain", "present jan", "trojan", "pegasus", "location united", "as20773 host", "singapore", "asnone country", "netherlands", "germany", "as21499 host", "temple", "pulse submit", "date", "lte pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "lte c", "additionally", "url or", "text type", "expiration", "url https", "no expiration", "hostname", "iocs", "pulse show", "type indicator", "text drag", "drop or", "create c", "read c", "delete", "write", "medium", "create", "show", "rgba", "next", "dock", "execution", "malware", "mitre att", "show technique", "ck matrix", "pattern match", "ascii text", "sha1", "network traffic", "show process", "hybrid", "general", "local", "path", "strings", "virus", "high", "dns query", "packing t1045", "pdb path", "pe resource", "win32", "present jun", "present mar", "a nxdomain", "present aug", "formpere", "msie", "windows nt", "entries", "defender", "t1071", "chrome", "creation date", "expiration date", "body", "t1045", "copy", "filehashsha256", "showing", "mafia", "lombardi mafia", "gambino", "genovese crime family", "crime families", "john t sasha", "jeffrey reimer", "navy", "danica implants", "jon", "bonus", "silva" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "France", "Poland", "Sweden", "Germany", "United Kingdom of Great Britain and Northern Ireland", "Belgium", "Japan", "Slovenia", "Spain", "Finland", "Hungary" ], "malware_families": [ { "id": "Virus:Win32/Triusor.A", "display_name": "Virus:Win32/Triusor.A", "target": "/malware/Virus:Win32/Triusor.A" }, { "id": "#LOWFI:HSTR:MSIL/Obfuscator", "display_name": "#LOWFI:HSTR:MSIL/Obfuscator", "target": null }, { "id": "!InstallCreatorPro_2_0", "display_name": "!InstallCreatorPro_2_0", "target": null }, { "id": "Win.Downloader.130721-1", "display_name": "Win.Downloader.130721-1", "target": null }, { "id": "Pegasus Family", "display_name": "Pegasus Family", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1172, "hostname": 1200, "URL": 2438, "email": 6, "FileHash-SHA256": 610, "FileHash-MD5": 490, "FileHash-SHA1": 463, "CIDR": 2, "SSLCertFingerprint": 3 }, "indicator_count": 6384, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ffa35cd4eefffa0ffbeae1", "name": "Liar Liar! If this were your attorney; you\u2019d pay $$$ to get hacked and they\u2019d gain full CnC of your devices and disappear\u2026", "description": "Sample of FAKE attorneys Liar Liar! If this were your attorney; you\u2019d pay $$$ to get hacked, they\u2019d gain full CnC of devices & disappear into the background , stealing from cloud, spying, etc..Mafia & Government ties. https://magento.hirecar.net/\n*Unix.Dropper.Mirai-7338044\n*Virus:Win32/Virut.BO\n*Trojan:Win32/Delf.EM\n*DDoS.XOR\n*Backdoor.Win32.Shiz.ivr, *Backdoor.Win32/Simda.gen!A\n*Alf:HeraklezEval:DoS:Linux/Xorddos!rfn\n*nUFS_html\n*Trojanspy:Win32/Nivdort.CB\n*Win32/Nystprac.A *Ramnit\n*Win32:Sality *Upatre\n*Possible_QuasarRAT_Payload\nxor_0x15_xord_javascript\ninvalid_trailer_structure\n#fp539598-VBS/LoveLetter.BT\n*Trojanspy:Win32/Nivdort.CB\n*Alf:HeraklezEval:DoS:Linux/Xorddos!rfn\n*Trojan:Win64/Gapro\n\u201cMethodology_RareEquities_Tencent_Proxy\u201d\nvad_contains_network_strings\n*Trojan:Win32/Sisproc!gmb\n*TrojanDownloader:Win32/Upatre\n*PWS:MSIL/Grmasi.YA!MTB\n*Trojan:Win32/Danabot.G\n *Virus:Win32/Virut.EPO\n* Ramnit\nConventionEngine_Term_NewFolder", "modified": "2025-11-26T13:01:56.367000", "created": "2025-10-27T16:52:44.619000", "tags": [ "filehashmd5", "filehashsha256", "ipv4", "filehashsha1", "domain", "types", "indicators show", "search", "type indicator", "role title", "added active", "scan", "iocs", "learn more", "related pulses", "url https", "url http", "countrycn", "countrycn sep", "indicator role", "title added", "active related", "pulses url", "xtblogblockid1", "pulses", "zdata0", "browserie", "browserver8", "defaultie", "ver1360122", "defaultch", "browserver11", "filesize", "browserid1", "qmark", "methodpost" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 381, "FileHash-SHA1": 367, "FileHash-SHA256": 767, "domain": 178, "URL": 1615, "hostname": 944 }, "indicator_count": 4252, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "145 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f1860d3062a8cb715ee358", "name": "United Healthcare sponsored Healthy Benefits Plus Attack warning - Contactec", "description": "", "modified": "2024-03-13T10:55:09.654000", "created": "2024-03-13T10:55:09.654000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656d71fbc00b370fde721350", "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "768 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658b9e86f7a149333882bfb9", "name": "Hijacking | Typosquatting | Masquerading Shared Modules", "description": "*Shared Modules\t\nExecution\nAdversaries may execute malicious payloads via loading shared modules.\n\n*Masquerading\t\nDefense Evasion\nAdversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.\n\nComponent Object Model Hijacking\t\nPersistence\nPrivilege Escalation\nAdversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.\nPulse: http://ww1.thecoolzipextractorapp.com/\nFound in: https://www.hallrender.com/attorney/brian-sabey/", "modified": "2024-01-26T01:05:54.754000", "created": "2023-12-27T03:48:22.319000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "maltiverse", "dinkle threat", "paste", "iocs", "analyze", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "communicating", "whois whois", "siblings parent", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12134, "FileHash-MD5": 102, "FileHash-SHA1": 101, "FileHash-SHA256": 3982, "hostname": 2878, "domain": 2159, "CVE": 1 }, "indicator_count": 21357, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "815 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ca3f53717bb3a25e96065", "name": "Hijacking | Typosquatting | Masquerading Shared Modules | http://ww1.thecoolzipextractorapp.com/ via https://www.hallrender.com/attorney/brian-sabey/", "description": "", "modified": "2024-01-26T01:05:54.754000", "created": "2023-12-27T22:23:49.562000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "maltiverse", "dinkle threat", "paste", "iocs", "analyze", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "communicating", "whois whois", "siblings parent", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "658b9e86f7a149333882bfb9", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12134, "FileHash-MD5": 102, "FileHash-SHA1": 101, "FileHash-SHA256": 3982, "hostname": 2878, "domain": 2159, "CVE": 1 }, "indicator_count": 21357, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "815 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656c2345912bea54c4eeb718", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber attack", "description": "I received a request regarding AIG subsidiary United healthcare medicare sponsored healthy benefit plus card. Benefits provided to elderly, disabled SSDI recipients who have lower incomes. I learned 200+ were affected. Remote attacks, apple iOS, phi, health, vision, dental, food beneficiaries. Command and Control server. Research reveals a be deeply impacted target.\nbrowser.events.data.msn.com\nevents-sandbox.data.msn.com\n192.229.211.108 (Virus Network)\nassetscdn.isappcloud.com\nnr-data.net (Apple Private Data Collection)\nphotos1.blogger.com. (Malware site)\nhttp://www.tsarabrashears.com\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \nhttps://www.tsarabrashears.com\ntracker.adxpansion.com access tracker\ntsarabrashears.com\ntt.milehighmedia.com", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-03T06:42:13.993000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": null, "export_count": 121, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "839 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656d71fbc00b370fde721350", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber ", "description": "", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-04T06:30:19.057000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656c2345912bea54c4eeb718", "export_count": 126, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "839 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "!installcreatorpro_2_0", "Trojanspy", "Pegasus family", "Webtoolbar", "Virus:win32/triusor.a", "Generic", "Win.downloader.130721-1", "Maltiverse", "#lowfi:hstr:msil/obfuscator" ], "industries": [ "Health", "Food" ], "unique_indicators": 53087 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/casinolawgroup.com", "whois": "http://whois.domaintools.com/casinolawgroup.com", "domain": "casinolawgroup.com", "hostname": "email.casinolawgroup.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "69aa003c63c19b7be7671c65", "name": "re post by Q.Vashti cloned", "description": "", "modified": "2026-03-06T05:11:14.366000", "created": "2026-03-05T22:14:20.388000", "tags": [ "filehashmd5", "filehashsha256", "ipv4", "filehashsha1", "domain", "types", "indicators show", "search", "type indicator", "role title", "added active", "scan", "iocs", "learn more", "related pulses", "url https", "url http", "countrycn", "countrycn sep", "indicator role", "title added", "active related", "pulses url", "xtblogblockid1", "pulses", "zdata0", "browserie", "browserver8", "defaultie", "ver1360122", "defaultch", "browserver11", "filesize", "browserid1", "qmark", "methodpost" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "68ffa35cd4eefffa0ffbeae1", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 381, "FileHash-SHA1": 367, "FileHash-SHA256": 767, "domain": 179, "URL": 1615, "hostname": 946, "CVE": 1 }, "indicator_count": 4256, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69434bae6aa51aea5cbe4686", "name": "Malicious Entertainment Licensing Scheme attacked independent artists", "description": "Unique entertainment scheme that seemed to have either intentionally usurped the copyrights of artists accepted for music licensing deals. It\u2019s possible company was attacked. Is connected to a target. Several entities related to this music licensing company were attacked by Pegasus and Lazarus Group including Sony music. Christopher P.\u2019Buzz\u2019 Ahmann is related to the attacks. Unfortunately a Colorado IT company that lists individuals related to hacked studio as an employee has been cyber stalking target. The licensing company is unavailable online. \nInteresting mafia relationships. \nOTX auto populated - AFFixmusic.com is an unregistered domain name with an address address of 166.109.7, the same address as GoDaddy.Com.co.org, which is also known as Godaddy.{", "modified": "2026-01-17T00:03:29.023000", "created": "2025-12-18T00:32:46.567000", "tags": [ "united", "as44273 host", "unknown xn", "title style", "f2f2f2 color", "helvetica neue", "twitter", "ipv4", "hosting", "helvetica arial", "united states", "verdict", "files ip", "name servers", "west domains", "as autonomous", "system", "cloudflar", "cisco", "umbrella rank", "unknown", "present dec", "nxdomain", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "godaddycomllc", "linux x8664", "khtml", "gecko", "cloudflarenet", "veryhigh", "americachicago", "conflict", "sameorigin", "cloudflare", "please", "text content", "ray id", "utc dns", "what happened", "thank", "cloudflare ray", "click", "performance", "general full", "resource", "name value", "url http", "server", "asn398787", "type mimetype", "uni idc", "passive dns", "urls", "hostname add", "url analysis", "files", "domain", "october", "divi object", "waypoint object", "reverse dns", "software", "asn26496", "resource hash", "security", "main", "google", "page url", "address as", "as26496", "screenshot page", "title affix", "music", "music licensing", "made easy", "history http", "found", "title", "extraction", "lte all", "search otx", "enter", "data upload", "enter source", "url data", "bad request", "next associated", "facebook url", "google url", "new releases", "music url", "kyle troop", "marsna design", "whitelisted", "status", "ip address", "search", "aaaa nxdomain", "present jan", "trojan", "pegasus", "location united", "as20773 host", "singapore", "asnone country", "netherlands", "germany", "as21499 host", "temple", "pulse submit", "date", "lte pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "lte c", "additionally", "url or", "text type", "expiration", "url https", "no expiration", "hostname", "iocs", "pulse show", "type indicator", "text drag", "drop or", "create c", "read c", "delete", "write", "medium", "create", "show", "rgba", "next", "dock", "execution", "malware", "mitre att", "show technique", "ck matrix", "pattern match", "ascii text", "sha1", "network traffic", "show process", "hybrid", "general", "local", "path", "strings", "virus", "high", "dns query", "packing t1045", "pdb path", "pe resource", "win32", "present jun", "present mar", "a nxdomain", "present aug", "formpere", "msie", "windows nt", "entries", "defender", "t1071", "chrome", "creation date", "expiration date", "body", "t1045", "copy", "filehashsha256", "showing", "mafia", "lombardi mafia", "gambino", "genovese crime family", "crime families", "john t sasha", "jeffrey reimer", "navy", "danica implants", "jon", "bonus", "silva" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "France", "Poland", "Sweden", "Germany", "United Kingdom of Great Britain and Northern Ireland", "Belgium", "Japan", "Slovenia", "Spain", "Finland", "Hungary" ], "malware_families": [ { "id": "Virus:Win32/Triusor.A", "display_name": "Virus:Win32/Triusor.A", "target": "/malware/Virus:Win32/Triusor.A" }, { "id": "#LOWFI:HSTR:MSIL/Obfuscator", "display_name": "#LOWFI:HSTR:MSIL/Obfuscator", "target": null }, { "id": "!InstallCreatorPro_2_0", "display_name": "!InstallCreatorPro_2_0", "target": null }, { "id": "Win.Downloader.130721-1", "display_name": "Win.Downloader.130721-1", "target": null }, { "id": "Pegasus Family", "display_name": "Pegasus Family", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1172, "hostname": 1200, "URL": 2438, "email": 6, "FileHash-SHA256": 610, "FileHash-MD5": 490, "FileHash-SHA1": 463, "CIDR": 2, "SSLCertFingerprint": 3 }, "indicator_count": 6384, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ffa35cd4eefffa0ffbeae1", "name": "Liar Liar! If this were your attorney; you\u2019d pay $$$ to get hacked and they\u2019d gain full CnC of your devices and disappear\u2026", "description": "Sample of FAKE attorneys Liar Liar! If this were your attorney; you\u2019d pay $$$ to get hacked, they\u2019d gain full CnC of devices & disappear into the background , stealing from cloud, spying, etc..Mafia & Government ties. https://magento.hirecar.net/\n*Unix.Dropper.Mirai-7338044\n*Virus:Win32/Virut.BO\n*Trojan:Win32/Delf.EM\n*DDoS.XOR\n*Backdoor.Win32.Shiz.ivr, *Backdoor.Win32/Simda.gen!A\n*Alf:HeraklezEval:DoS:Linux/Xorddos!rfn\n*nUFS_html\n*Trojanspy:Win32/Nivdort.CB\n*Win32/Nystprac.A *Ramnit\n*Win32:Sality *Upatre\n*Possible_QuasarRAT_Payload\nxor_0x15_xord_javascript\ninvalid_trailer_structure\n#fp539598-VBS/LoveLetter.BT\n*Trojanspy:Win32/Nivdort.CB\n*Alf:HeraklezEval:DoS:Linux/Xorddos!rfn\n*Trojan:Win64/Gapro\n\u201cMethodology_RareEquities_Tencent_Proxy\u201d\nvad_contains_network_strings\n*Trojan:Win32/Sisproc!gmb\n*TrojanDownloader:Win32/Upatre\n*PWS:MSIL/Grmasi.YA!MTB\n*Trojan:Win32/Danabot.G\n *Virus:Win32/Virut.EPO\n* Ramnit\nConventionEngine_Term_NewFolder", "modified": "2025-11-26T13:01:56.367000", "created": "2025-10-27T16:52:44.619000", "tags": [ "filehashmd5", "filehashsha256", "ipv4", "filehashsha1", "domain", "types", "indicators show", "search", "type indicator", "role title", "added active", "scan", "iocs", "learn more", "related pulses", "url https", "url http", "countrycn", "countrycn sep", "indicator role", "title added", "active related", "pulses url", "xtblogblockid1", "pulses", "zdata0", "browserie", "browserver8", "defaultie", "ver1360122", "defaultch", "browserver11", "filesize", "browserid1", "qmark", "methodpost" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 381, "FileHash-SHA1": 367, "FileHash-SHA256": 767, "domain": 178, "URL": 1615, "hostname": 944 }, "indicator_count": 4252, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "145 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f1860d3062a8cb715ee358", "name": "United Healthcare sponsored Healthy Benefits Plus Attack warning - Contactec", "description": "", "modified": "2024-03-13T10:55:09.654000", "created": "2024-03-13T10:55:09.654000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656d71fbc00b370fde721350", "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "768 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658b9e86f7a149333882bfb9", "name": "Hijacking | Typosquatting | Masquerading Shared Modules", "description": "*Shared Modules\t\nExecution\nAdversaries may execute malicious payloads via loading shared modules.\n\n*Masquerading\t\nDefense Evasion\nAdversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.\n\nComponent Object Model Hijacking\t\nPersistence\nPrivilege Escalation\nAdversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.\nPulse: http://ww1.thecoolzipextractorapp.com/\nFound in: https://www.hallrender.com/attorney/brian-sabey/", "modified": "2024-01-26T01:05:54.754000", "created": "2023-12-27T03:48:22.319000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "maltiverse", "dinkle threat", "paste", "iocs", "analyze", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "communicating", "whois whois", "siblings parent", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12134, "FileHash-MD5": 102, "FileHash-SHA1": 101, "FileHash-SHA256": 3982, "hostname": 2878, "domain": 2159, "CVE": 1 }, "indicator_count": 21357, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "815 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ca3f53717bb3a25e96065", "name": "Hijacking | Typosquatting | Masquerading Shared Modules | http://ww1.thecoolzipextractorapp.com/ via https://www.hallrender.com/attorney/brian-sabey/", "description": "", "modified": "2024-01-26T01:05:54.754000", "created": "2023-12-27T22:23:49.562000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "maltiverse", "dinkle threat", "paste", "iocs", "analyze", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "communicating", "whois whois", "siblings parent", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "658b9e86f7a149333882bfb9", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12134, "FileHash-MD5": 102, "FileHash-SHA1": 101, "FileHash-SHA256": 3982, "hostname": 2878, "domain": 2159, "CVE": 1 }, "indicator_count": 21357, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "815 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656c2345912bea54c4eeb718", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber attack", "description": "I received a request regarding AIG subsidiary United healthcare medicare sponsored healthy benefit plus card. Benefits provided to elderly, disabled SSDI recipients who have lower incomes. I learned 200+ were affected. Remote attacks, apple iOS, phi, health, vision, dental, food beneficiaries. Command and Control server. Research reveals a be deeply impacted target.\nbrowser.events.data.msn.com\nevents-sandbox.data.msn.com\n192.229.211.108 (Virus Network)\nassetscdn.isappcloud.com\nnr-data.net (Apple Private Data Collection)\nphotos1.blogger.com. (Malware site)\nhttp://www.tsarabrashears.com\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \nhttps://www.tsarabrashears.com\ntracker.adxpansion.com access tracker\ntsarabrashears.com\ntt.milehighmedia.com", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-03T06:42:13.993000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": null, "export_count": 121, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "839 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656d71fbc00b370fde721350", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber ", "description": "", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-04T06:30:19.057000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656c2345912bea54c4eeb718", "export_count": 126, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "839 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://email.casinolawgroup.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://email.casinolawgroup.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776723144.906791 }