{ "type": "URL", "indicator": "https://email.mg.companywide.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://email.mg.companywide.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3195259814, "indicator": "https://email.mg.companywide.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6958372ef9da31513d96bebb", "name": "Connected-IOS remotely connected to 180.4.1.2 \u2022 ocn.ad.jp -NTT Communications Corporation", "description": "Retaliation? IOS remotely connected to 180.4.1.2 \u2022 ocn.ad.jp -NTT Communications Corporation for malicious control | found in the analytics of a highly target device: I\u2019ve included related pulses from 2 other threat responders and an Apple discussion post. Surprisingly, most of the IoC\u2019s pulsed came from one page of analytics. | \u2022 \"avconferenced\", \"procPath\" : \"\\/usr\\/libexec\\/avconferenced | 180.4.1.2 | a version of\npegasus found. | https://prometheus-pushgateway-internal.preview.tp-staging.com/\t\nhostname: prometheus.netmaker.vonnue.dev\t\nhostname: prometheus.dev.aws.finoa.io |\nSince Prometheus pulse . I realize now every Prometheus pulse illicits outrageous behavior.. Is this a secret society? Try to be more secretive. Owl heads in lawn. This behavior illicits investigation for a fix. Please STOP. I\u2019m done looking at Prometheus. Please stop leaving artifacts.", "modified": "2026-02-01T20:00:08.812000", "created": "2026-01-02T21:22:54.247000", "tags": [ "syscall", "nsrunloop", "objcclass", "region type", "start", "vsize", "prtmax shrmod", "region detailn", "unused space", "at startn", "guard", "urls", "url analysis", "verdict", "domain", "address", "location japan", "hikone", "japan asn", "as4713 ntt", "related tags", "none external", "aaaa", "united", "passive dns", "ip address", "japan", "present dec", "domain add", "files", "japan unknown", "present jul", "present oct", "present sep", "present aug", "present jun", "japan showing", "urls show", "date checked", "url hostname", "server response", "google safe", "reverse dns", "present nov", "present", "present may", "present mar", "present apr", "data upload", "extraction", "failed", "files ip", "moved", "gmt content", "ipv4 add", "location united", "title", "ipv4", "dns resolutions", "hostname add", "asn as4713", "all ipv4", "google", "ocn ntt", "googlecl", "http", "amazon02", "akamaias", "page url", "yahoojp", "december", "jp summary", "february", "asn15169", "tokyo", "kansas city", "asn396982", "asn30286", "asn16509", "cisco", "umbrella rank", "cisco umbrella", "rank", "kitashinagawa", "sureserver ev", "ca g3", "domains", "hashes", "microsoft", "docomo business", "ml14325", "as autonomous", "asn8075", "ip information", "ipasns ip", "detail domain", "domain tree", "links domain", "requested", "value", "automatic", "webgl", "please", "mr value", "muid value", "mjl function", "dcmlinker", "paq string", "kb script", "b image", "b script", "frame a344", "redirect chain", "kb document", "frame", "b xhr", "kb image", "fetch collect", "request chain", "redirected", "http redirect", "name servers", "redacted for", "servers", "unknown aaaa", "search", "for privacy", "domeny serwery", "verdana tahoma", "arial", "gmt contenttype", "meta", "small", "results jan", "present jan", "status", "record value", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "process details", "flag", "japan japan", "pattern match", "ascii text", "mitre att", "ck id", "null", "refresh", "span", "hybrid", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "learn", "name tactics", "suspicious", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "monitored target", "pulse submit", "wikipedia", "imap", "smtp", "ocn open", "discussion", "stub", "jprs database", "ocnnttocn", "maintenance", "outages notice", "lock status", "state", "connected", "organization", "type", "name", "server", "name server", "connected date", "algorithm", "key identifier", "data", "v3 serial", "number", "cjp ocybertrust", "ev ca", "g3 validity", "ku ontt", "docomo", "record type", "ttl value", "thumbprint", "emails", "date", "trojan", "pegasus", "title error", "hostname", "pulse pulses", "entries", "mtb apr", "lowfi", "win32", "a domains", "body", "worm", "virtool", "cybota", "showing", "palantir", "prometheus" ], "references": [ "ocn.ne.jp \u2022 180.4.1.2 \u2022 gateway1.ocn.ad.jp", "login.ocn.ne.jp 122.28.88.229 \u2022 outpost@alpha.ocn.ne.jp", "ocn.ad.jp - Registrant Org: NTT Communications Corporation", "Page Title: \u30ed\u30b0\u30a4\u30f3 | OCN\u30e1\u30fc\u30eb | OCN", "Nippon Telegraph and Telephone Corporation one governmental now privated", "computersandsoftware \u2022 portal sites \u2022 search engines and portals", "(Found on targeted iOS device) mr-file-connector-193.api.auxosandbox.com", "Guardicore by CyberHunterAutoFeed \u2022 https://otx.alienvault.com/pulse/655d47fb128a006a7d06afa2", "Japanese Phishing Site by pingineer \u2022 https://otx.alienvault.com/pulse/61d3b380c44ee030dd092a80", "https://discussions.apple.com/thread/255214328?sortBy=rank", "https://urlscan.io/result/98a3575f-9b94-4ef3-ae84-8e585f882151/#indicators", "Interesting (found in pulse) https://www.studentfinancewales.co.uk/contact", "kalpak.palantirfedstart.com \u2022 lsauth-vault.palantirfedstart.com \u2022 sandboxes-ranunculus.palantirfedstart.com", "swarm-foundry.com", "When you see silly related domains it\u2019s probably Palantir kids: fuckingshitshow.org Domain kinkfuck.com \u2022 nobodycares.art", "heavy-r.com \u2022 fartyphant.com \u2022 uglyphant.com \u2022 maciej.sztajerwald@gmail.com", "https://hybrid-analysis.com/sample/6af451b8e64c3f8abafc84e776fe6c257888e0875b2d22c75b23b13960f46567/69580966ed3458719b0f0ed5", "server-3-164-143-102.nrt20.r.cloudfront.net", "ec2-3-115-135-167.ap-northeast-1.compute.amazonaws.com", "ec2-57-181-50-85.ap-northeast-1.compute.amazonaws.com", "https://ww41.porn25.com/", "https://otx.alienvault.com/indicator/url/https://t.notif-laposte.info/TrackActions/NGJlYjE5NjZhZDlkODU0NzE3Yzg3Zjk3ODJkMmMxZWRjMTlkODAxZmEyMjY5YjU5YjY1MGU1OWFmZTdhMDlhMmM2YjY3ZTBiYzYwNWUwODdmMzkzZDc5ZjAwNDViODM1OGU5MTA0M2IzMjRmOGQwNTgxZGZjMmUyODFlZDI3MDYzZTQzNzg4NGVkMWJmMDgwMzM0NTA5OGRmY2M0NTVjZA", "If something curious is found on privatelybowen property we have a constitutional right to examine it.", "Other constitutional rights and privileges written in law where severe courses of action is allowed", "iOS device, Update 26.2 , heavily monitored target of death threats, attempts & unfortunate outcome..", "Device targeted with l RMS Modules by male in Denver, Co", "Attempts to clip target at high rate of speed.Seen again at her residence in October", "Target was monitored in store and followed home needed to stop multiple times , change routes.", "Multiple attackers. Don\u2019t believe me, look at the pulses. Caged in by male with deauther watch.", "Most of the people doing this are 50\u2019s plus, plus. There are youngsters but many grey haired , grandparents", "The older the smarter the way better. These people are brilliant , ruthless and dangerous", "Phone recently accessed, a tiny unauthorized speaker was on. Threat actors connected.", "Malicious activity seen since a Pulse regarding school outage.", "Location search was used to find device users address. It\u2019s with me.", "Delete service is being used on this Threat service", "Many indicators point to an IP this block is on.", "It\u2019s so out of hand,m for 16 people.", "https://prometheus-pushgateway-internal.preview.tp-staging.com/", "prometheus.netmaker.vonnue.dev", "prometheus.dev.aws.finoa.io", "Prometheus - Alien God? Morality through the eyes of the immoral", "Prometheus- allegedly related to Peter Thiel , Elon Musk and tech bro Joes who are playing God." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2879, "domain": 1372, "URL": 5788, "FileHash-SHA256": 1720, "CVE": 1, "FileHash-MD5": 238, "FileHash-SHA1": 241, "email": 13 }, "indicator_count": 12252, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "119 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695035a98f01d94b2598f8ee", "name": "Mirai \u2022 PrometheusIntelligenceTechnology.com - Extranet affected Universities | Regis University", "description": "PrometheusIntelligenceTechnology.com - Extranet. Regis University experienced an outrageous blackout. I know because I was an outside investigator. Tsara Brashears found the links as a redirect on iOS and MacBook Pro devices.\n She seemed to be the the solely impacted Computer Science student. Further research showed canary cookie in server. Regis ignored all and played down the facts. All computers needed replacing. T advised but they tried to clean them. The elevator didn\u2019t work for years. Call 911 if you get stuck. Tsara went out of her way for 5 months warning them until an fool logged in as her but could only login over iexplorer. RU paid a ransom. Tsara was black listed from school. Above 4.0 GPA 3.8 post assault. Just found another PIT link. \n\nIT Security sent her to the FBI because legitimate death threats and plans were found. \n\nAll attacks immediately following assault.", "modified": "2026-01-26T18:04:20.395000", "created": "2025-12-27T19:38:17.198000", "tags": [ "united", "unknown aaaa", "accept encoding", "moved", "urls", "files", "encrypt", "passive dns", "all ipv4", "america flag", "america asn", "ransom", "backdoor", "mtb win32", "mirai", "united states", "type indicator", "role title", "container", "ip address", "i div", "h2 p", "h4 p", "data", "desktop", "powerful", "url https", "url http", "indicator role", "active related", "cidr", "types", "indicators show", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "mitre att", "ck matrix", "command decode", "programfiles", "suricata ipv4", "windir", "comspec", "hybrid", "general", "path", "model", "click", "strings", "prometheus", "palantir", "kill list", "tracking", "moon linksys", "router", "emotet", "active", "regis university", "ascii text", "show technique", "pattern match", "sha1", "show process", "root", "local", "development att", "ssl certificate", "extranet", "maven" ], "references": [ "Palantir Extranet -https://prometheusintelligencetechnology.com/", "Palantir espionage \u2022 prometheusintelligencetechnology.com \u2022 ad-maven.com \u2022 fastly.com \u2022 Foundry.com \u2022 so many more", "IDS Detections: TheMoon.linksys.router", "We don\u2019t know how Octoseek & ScoreBlie (Team8) became part of \u2018No Problems\u2019", "It\u2019s okay if it\u2019s in there but this is in NO way related to an Alberta University hack.", "This is directed to target, communicated where target was enrolled- Regis University Denver , Co", "Pointed to Data Center 5 Inverness / Denver Tech Center, denies relationship. Seemed to prove originating DC", "Tsara Brashears warned of hack, provided detailed information, provided advice", "\u2018Close enrollment. Get all new devices. Stop using Barracuda.", "Find a way to safely begin from a new server. Work from a Virtual World Class", "Regis needed to close. They treated Brashears as trash after the NEW staff came. Hmm who are tvey", "Old staff slow, foolish but eventually heeded instructions / once it was too late", "Dean is deceased? Was the only staff who insisted that Tsara\u2019s tuition be reimbursed", "She was in the botnet already", "Was denied after third enrollment showed false information", "She sought a certificate from Red Rocks. Kurzweil installed due to being disabled", "Bills from nowhere appeared. Again staff said this never happened before left her with the debt.", "Tsara was unable to finish her second degree this way. But found a way.", "I don\u2019t like finding these remnants. I don\u2019t know why extranet was needed for this Brilliant student", "Professors asked to use her papers. \u2018Sure\u2019 she wasn\u2019t impressed", "Many pulses are missing. When we first began using this tool PIT was what we researched first", "This is when Tsara was interrogated by 2 men at Barnes & No Ken regarding her technical abilities", "One of the interrogators, asked her to be his girlfriend (fake ) tried to move her to a new location .", "She refused. Two weeks later man is parked outside of her residence in a different county and city.", "I\u2019m concerned because they are attacking people associated with her and thins needs to stop", "This is dangerous. What is law enforcement for? They are probably controlled by Palantir as is Trump", "Lots of detail because someone , somewhere is going through this." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "ELF:Mirai-AAL\\ [Trj]", "display_name": "ELF:Mirai-AAL\\ [Trj]", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 5, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1037, "domain": 161, "hostname": 340, "email": 2, "FileHash-SHA256": 315, "FileHash-MD5": 14, "FileHash-SHA1": 20, "CIDR": 16, "SSLCertFingerprint": 8 }, "indicator_count": 1913, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "125 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "prometheus.dev.aws.finoa.io", "Japanese Phishing Site by pingineer \u2022 https://otx.alienvault.com/pulse/61d3b380c44ee030dd092a80", "Phone recently accessed, a tiny unauthorized speaker was on. Threat actors connected.", "We don\u2019t know how Octoseek & ScoreBlie (Team8) became part of \u2018No Problems\u2019", "Most of the people doing this are 50\u2019s plus, plus. There are youngsters but many grey haired , grandparents", "https://discussions.apple.com/thread/255214328?sortBy=rank", "Many indicators point to an IP this block is on.", "Lots of detail because someone , somewhere is going through this.", "prometheus.netmaker.vonnue.dev", "Multiple attackers. Don\u2019t believe me, look at the pulses. Caged in by male with deauther watch.", "It\u2019s okay if it\u2019s in there but this is in NO way related to an Alberta University hack.", "Palantir Extranet -https://prometheusintelligencetechnology.com/", "heavy-r.com \u2022 fartyphant.com \u2022 uglyphant.com \u2022 maciej.sztajerwald@gmail.com", "This is directed to target, communicated where target was enrolled- Regis University Denver , Co", "https://otx.alienvault.com/indicator/url/https://t.notif-laposte.info/TrackActions/NGJlYjE5NjZhZDlkODU0NzE3Yzg3Zjk3ODJkMmMxZWRjMTlkODAxZmEyMjY5YjU5YjY1MGU1OWFmZTdhMDlhMmM2YjY3ZTBiYzYwNWUwODdmMzkzZDc5ZjAwNDViODM1OGU5MTA0M2IzMjRmOGQwNTgxZGZjMmUyODFlZDI3MDYzZTQzNzg4NGVkMWJmMDgwMzM0NTA5OGRmY2M0NTVjZA", "Page Title: \u30ed\u30b0\u30a4\u30f3 | OCN\u30e1\u30fc\u30eb | OCN", "Attempts to clip target at high rate of speed.Seen again at her residence in October", "Interesting (found in pulse) https://www.studentfinancewales.co.uk/contact", "Nippon Telegraph and Telephone Corporation one governmental now privated", "Prometheus - Alien God? Morality through the eyes of the immoral", "Malicious activity seen since a Pulse regarding school outage.", "This is dangerous. What is law enforcement for? They are probably controlled by Palantir as is Trump", "ocn.ne.jp \u2022 180.4.1.2 \u2022 gateway1.ocn.ad.jp", "This is when Tsara was interrogated by 2 men at Barnes & No Ken regarding her technical abilities", "login.ocn.ne.jp 122.28.88.229 \u2022 outpost@alpha.ocn.ne.jp", "I don\u2019t like finding these remnants. I don\u2019t know why extranet was needed for this Brilliant student", "Delete service is being used on this Threat service", "Many pulses are missing. When we first began using this tool PIT was what we researched first", "iOS device, Update 26.2 , heavily monitored target of death threats, attempts & unfortunate outcome..", "Regis needed to close. They treated Brashears as trash after the NEW staff came. Hmm who are tvey", "computersandsoftware \u2022 portal sites \u2022 search engines and portals", "Location search was used to find device users address. It\u2019s with me.", "Dean is deceased? Was the only staff who insisted that Tsara\u2019s tuition be reimbursed", "She was in the botnet already", "ec2-3-115-135-167.ap-northeast-1.compute.amazonaws.com", "Bills from nowhere appeared. Again staff said this never happened before left her with the debt.", "Guardicore by CyberHunterAutoFeed \u2022 https://otx.alienvault.com/pulse/655d47fb128a006a7d06afa2", "I\u2019m concerned because they are attacking people associated with her and thins needs to stop", "Prometheus- allegedly related to Peter Thiel , Elon Musk and tech bro Joes who are playing God.", "If something curious is found on privatelybowen property we have a constitutional right to examine it.", "IDS Detections: TheMoon.linksys.router", "kalpak.palantirfedstart.com \u2022 lsauth-vault.palantirfedstart.com \u2022 sandboxes-ranunculus.palantirfedstart.com", "\u2018Close enrollment. Get all new devices. Stop using Barracuda.", "Palantir espionage \u2022 prometheusintelligencetechnology.com \u2022 ad-maven.com \u2022 fastly.com \u2022 Foundry.com \u2022 so many more", "server-3-164-143-102.nrt20.r.cloudfront.net", "https://ww41.porn25.com/", "(Found on targeted iOS device) mr-file-connector-193.api.auxosandbox.com", "When you see silly related domains it\u2019s probably Palantir kids: fuckingshitshow.org Domain kinkfuck.com \u2022 nobodycares.art", "Device targeted with l RMS Modules by male in Denver, Co", "It\u2019s so out of hand,m for 16 people.", "One of the interrogators, asked her to be his girlfriend (fake ) tried to move her to a new location .", "Pointed to Data Center 5 Inverness / Denver Tech Center, denies relationship. Seemed to prove originating DC", "Find a way to safely begin from a new server. Work from a Virtual World Class", "The older the smarter the way better. These people are brilliant , ruthless and dangerous", "She refused. Two weeks later man is parked outside of her residence in a different county and city.", "Professors asked to use her papers. \u2018Sure\u2019 she wasn\u2019t impressed", "Other constitutional rights and privileges written in law where severe courses of action is allowed", "Target was monitored in store and followed home needed to stop multiple times , change routes.", "ocn.ad.jp - Registrant Org: NTT Communications Corporation", "https://prometheus-pushgateway-internal.preview.tp-staging.com/", "Tsara was unable to finish her second degree this way. But found a way.", "https://urlscan.io/result/98a3575f-9b94-4ef3-ae84-8e585f882151/#indicators", "Old staff slow, foolish but eventually heeded instructions / once it was too late", "Was denied after third enrollment showed false information", "Tsara Brashears warned of hack, provided detailed information, provided advice", "https://hybrid-analysis.com/sample/6af451b8e64c3f8abafc84e776fe6c257888e0875b2d22c75b23b13960f46567/69580966ed3458719b0f0ed5", "She sought a certificate from Red Rocks. Kurzweil installed due to being disabled", "swarm-foundry.com", "ec2-57-181-50-85.ap-northeast-1.compute.amazonaws.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Elf:mirai-aal\\ [trj]", "Emotet", "Mirai", "Win32:ransomx-gen\\ [ransom]" ], "industries": [], "unique_indicators": 14290 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/companywide.com", "whois": "http://whois.domaintools.com/companywide.com", "domain": "companywide.com", "hostname": "email.mg.companywide.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6958372ef9da31513d96bebb", "name": "Connected-IOS remotely connected to 180.4.1.2 \u2022 ocn.ad.jp -NTT Communications Corporation", "description": "Retaliation? IOS remotely connected to 180.4.1.2 \u2022 ocn.ad.jp -NTT Communications Corporation for malicious control | found in the analytics of a highly target device: I\u2019ve included related pulses from 2 other threat responders and an Apple discussion post. Surprisingly, most of the IoC\u2019s pulsed came from one page of analytics. | \u2022 \"avconferenced\", \"procPath\" : \"\\/usr\\/libexec\\/avconferenced | 180.4.1.2 | a version of\npegasus found. | https://prometheus-pushgateway-internal.preview.tp-staging.com/\t\nhostname: prometheus.netmaker.vonnue.dev\t\nhostname: prometheus.dev.aws.finoa.io |\nSince Prometheus pulse . I realize now every Prometheus pulse illicits outrageous behavior.. Is this a secret society? Try to be more secretive. Owl heads in lawn. This behavior illicits investigation for a fix. Please STOP. I\u2019m done looking at Prometheus. Please stop leaving artifacts.", "modified": "2026-02-01T20:00:08.812000", "created": "2026-01-02T21:22:54.247000", "tags": [ "syscall", "nsrunloop", "objcclass", "region type", "start", "vsize", "prtmax shrmod", "region detailn", "unused space", "at startn", "guard", "urls", "url analysis", "verdict", "domain", "address", "location japan", "hikone", "japan asn", "as4713 ntt", "related tags", "none external", "aaaa", "united", "passive dns", "ip address", "japan", "present dec", "domain add", "files", "japan unknown", "present jul", "present oct", "present sep", "present aug", "present jun", "japan showing", "urls show", "date checked", "url hostname", "server response", "google safe", "reverse dns", "present nov", "present", "present may", "present mar", "present apr", "data upload", "extraction", "failed", "files ip", "moved", "gmt content", "ipv4 add", "location united", "title", "ipv4", "dns resolutions", "hostname add", "asn as4713", "all ipv4", "google", "ocn ntt", "googlecl", "http", "amazon02", "akamaias", "page url", "yahoojp", "december", "jp summary", "february", "asn15169", "tokyo", "kansas city", "asn396982", "asn30286", "asn16509", "cisco", "umbrella rank", "cisco umbrella", "rank", "kitashinagawa", "sureserver ev", "ca g3", "domains", "hashes", "microsoft", "docomo business", "ml14325", "as autonomous", "asn8075", "ip information", "ipasns ip", "detail domain", "domain tree", "links domain", "requested", "value", "automatic", "webgl", "please", "mr value", "muid value", "mjl function", "dcmlinker", "paq string", "kb script", "b image", "b script", "frame a344", "redirect chain", "kb document", "frame", "b xhr", "kb image", "fetch collect", "request chain", "redirected", "http redirect", "name servers", "redacted for", "servers", "unknown aaaa", "search", "for privacy", "domeny serwery", "verdana tahoma", "arial", "gmt contenttype", "meta", "small", "results jan", "present jan", "status", "record value", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "process details", "flag", "japan japan", "pattern match", "ascii text", "mitre att", "ck id", "null", "refresh", "span", "hybrid", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "learn", "name tactics", "suspicious", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "monitored target", "pulse submit", "wikipedia", "imap", "smtp", "ocn open", "discussion", "stub", "jprs database", "ocnnttocn", "maintenance", "outages notice", "lock status", "state", "connected", "organization", "type", "name", "server", "name server", "connected date", "algorithm", "key identifier", "data", "v3 serial", "number", "cjp ocybertrust", "ev ca", "g3 validity", "ku ontt", "docomo", "record type", "ttl value", "thumbprint", "emails", "date", "trojan", "pegasus", "title error", "hostname", "pulse pulses", "entries", "mtb apr", "lowfi", "win32", "a domains", "body", "worm", "virtool", "cybota", "showing", "palantir", "prometheus" ], "references": [ "ocn.ne.jp \u2022 180.4.1.2 \u2022 gateway1.ocn.ad.jp", "login.ocn.ne.jp 122.28.88.229 \u2022 outpost@alpha.ocn.ne.jp", "ocn.ad.jp - Registrant Org: NTT Communications Corporation", "Page Title: \u30ed\u30b0\u30a4\u30f3 | OCN\u30e1\u30fc\u30eb | OCN", "Nippon Telegraph and Telephone Corporation one governmental now privated", "computersandsoftware \u2022 portal sites \u2022 search engines and portals", "(Found on targeted iOS device) mr-file-connector-193.api.auxosandbox.com", "Guardicore by CyberHunterAutoFeed \u2022 https://otx.alienvault.com/pulse/655d47fb128a006a7d06afa2", "Japanese Phishing Site by pingineer \u2022 https://otx.alienvault.com/pulse/61d3b380c44ee030dd092a80", "https://discussions.apple.com/thread/255214328?sortBy=rank", "https://urlscan.io/result/98a3575f-9b94-4ef3-ae84-8e585f882151/#indicators", "Interesting (found in pulse) https://www.studentfinancewales.co.uk/contact", "kalpak.palantirfedstart.com \u2022 lsauth-vault.palantirfedstart.com \u2022 sandboxes-ranunculus.palantirfedstart.com", "swarm-foundry.com", "When you see silly related domains it\u2019s probably Palantir kids: fuckingshitshow.org Domain kinkfuck.com \u2022 nobodycares.art", "heavy-r.com \u2022 fartyphant.com \u2022 uglyphant.com \u2022 maciej.sztajerwald@gmail.com", "https://hybrid-analysis.com/sample/6af451b8e64c3f8abafc84e776fe6c257888e0875b2d22c75b23b13960f46567/69580966ed3458719b0f0ed5", "server-3-164-143-102.nrt20.r.cloudfront.net", "ec2-3-115-135-167.ap-northeast-1.compute.amazonaws.com", "ec2-57-181-50-85.ap-northeast-1.compute.amazonaws.com", "https://ww41.porn25.com/", "https://otx.alienvault.com/indicator/url/https://t.notif-laposte.info/TrackActions/NGJlYjE5NjZhZDlkODU0NzE3Yzg3Zjk3ODJkMmMxZWRjMTlkODAxZmEyMjY5YjU5YjY1MGU1OWFmZTdhMDlhMmM2YjY3ZTBiYzYwNWUwODdmMzkzZDc5ZjAwNDViODM1OGU5MTA0M2IzMjRmOGQwNTgxZGZjMmUyODFlZDI3MDYzZTQzNzg4NGVkMWJmMDgwMzM0NTA5OGRmY2M0NTVjZA", "If something curious is found on privatelybowen property we have a constitutional right to examine it.", "Other constitutional rights and privileges written in law where severe courses of action is allowed", "iOS device, Update 26.2 , heavily monitored target of death threats, attempts & unfortunate outcome..", "Device targeted with l RMS Modules by male in Denver, Co", "Attempts to clip target at high rate of speed.Seen again at her residence in October", "Target was monitored in store and followed home needed to stop multiple times , change routes.", "Multiple attackers. Don\u2019t believe me, look at the pulses. Caged in by male with deauther watch.", "Most of the people doing this are 50\u2019s plus, plus. There are youngsters but many grey haired , grandparents", "The older the smarter the way better. These people are brilliant , ruthless and dangerous", "Phone recently accessed, a tiny unauthorized speaker was on. Threat actors connected.", "Malicious activity seen since a Pulse regarding school outage.", "Location search was used to find device users address. It\u2019s with me.", "Delete service is being used on this Threat service", "Many indicators point to an IP this block is on.", "It\u2019s so out of hand,m for 16 people.", "https://prometheus-pushgateway-internal.preview.tp-staging.com/", "prometheus.netmaker.vonnue.dev", "prometheus.dev.aws.finoa.io", "Prometheus - Alien God? Morality through the eyes of the immoral", "Prometheus- allegedly related to Peter Thiel , Elon Musk and tech bro Joes who are playing God." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2879, "domain": 1372, "URL": 5788, "FileHash-SHA256": 1720, "CVE": 1, "FileHash-MD5": 238, "FileHash-SHA1": 241, "email": 13 }, "indicator_count": 12252, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "119 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695035a98f01d94b2598f8ee", "name": "Mirai \u2022 PrometheusIntelligenceTechnology.com - Extranet affected Universities | Regis University", "description": "PrometheusIntelligenceTechnology.com - Extranet. Regis University experienced an outrageous blackout. I know because I was an outside investigator. Tsara Brashears found the links as a redirect on iOS and MacBook Pro devices.\n She seemed to be the the solely impacted Computer Science student. Further research showed canary cookie in server. Regis ignored all and played down the facts. All computers needed replacing. T advised but they tried to clean them. The elevator didn\u2019t work for years. Call 911 if you get stuck. Tsara went out of her way for 5 months warning them until an fool logged in as her but could only login over iexplorer. RU paid a ransom. Tsara was black listed from school. Above 4.0 GPA 3.8 post assault. Just found another PIT link. \n\nIT Security sent her to the FBI because legitimate death threats and plans were found. \n\nAll attacks immediately following assault.", "modified": "2026-01-26T18:04:20.395000", "created": "2025-12-27T19:38:17.198000", "tags": [ "united", "unknown aaaa", "accept encoding", "moved", "urls", "files", "encrypt", "passive dns", "all ipv4", "america flag", "america asn", "ransom", "backdoor", "mtb win32", "mirai", "united states", "type indicator", "role title", "container", "ip address", "i div", "h2 p", "h4 p", "data", "desktop", "powerful", "url https", "url http", "indicator role", "active related", "cidr", "types", "indicators show", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "mitre att", "ck matrix", "command decode", "programfiles", "suricata ipv4", "windir", "comspec", "hybrid", "general", "path", "model", "click", "strings", "prometheus", "palantir", "kill list", "tracking", "moon linksys", "router", "emotet", "active", "regis university", "ascii text", "show technique", "pattern match", "sha1", "show process", "root", "local", "development att", "ssl certificate", "extranet", "maven" ], "references": [ "Palantir Extranet -https://prometheusintelligencetechnology.com/", "Palantir espionage \u2022 prometheusintelligencetechnology.com \u2022 ad-maven.com \u2022 fastly.com \u2022 Foundry.com \u2022 so many more", "IDS Detections: TheMoon.linksys.router", "We don\u2019t know how Octoseek & ScoreBlie (Team8) became part of \u2018No Problems\u2019", "It\u2019s okay if it\u2019s in there but this is in NO way related to an Alberta University hack.", "This is directed to target, communicated where target was enrolled- Regis University Denver , Co", "Pointed to Data Center 5 Inverness / Denver Tech Center, denies relationship. Seemed to prove originating DC", "Tsara Brashears warned of hack, provided detailed information, provided advice", "\u2018Close enrollment. Get all new devices. Stop using Barracuda.", "Find a way to safely begin from a new server. Work from a Virtual World Class", "Regis needed to close. They treated Brashears as trash after the NEW staff came. Hmm who are tvey", "Old staff slow, foolish but eventually heeded instructions / once it was too late", "Dean is deceased? Was the only staff who insisted that Tsara\u2019s tuition be reimbursed", "She was in the botnet already", "Was denied after third enrollment showed false information", "She sought a certificate from Red Rocks. Kurzweil installed due to being disabled", "Bills from nowhere appeared. Again staff said this never happened before left her with the debt.", "Tsara was unable to finish her second degree this way. But found a way.", "I don\u2019t like finding these remnants. I don\u2019t know why extranet was needed for this Brilliant student", "Professors asked to use her papers. \u2018Sure\u2019 she wasn\u2019t impressed", "Many pulses are missing. When we first began using this tool PIT was what we researched first", "This is when Tsara was interrogated by 2 men at Barnes & No Ken regarding her technical abilities", "One of the interrogators, asked her to be his girlfriend (fake ) tried to move her to a new location .", "She refused. Two weeks later man is parked outside of her residence in a different county and city.", "I\u2019m concerned because they are attacking people associated with her and thins needs to stop", "This is dangerous. What is law enforcement for? They are probably controlled by Palantir as is Trump", "Lots of detail because someone , somewhere is going through this." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "ELF:Mirai-AAL\\ [Trj]", "display_name": "ELF:Mirai-AAL\\ [Trj]", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 5, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1037, "domain": 161, "hostname": 340, "email": 2, "FileHash-SHA256": 315, "FileHash-MD5": 14, "FileHash-SHA1": 20, "CIDR": 16, "SSLCertFingerprint": 8 }, "indicator_count": 1913, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "125 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://email.mg.companywide.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://email.mg.companywide.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780258176.1728907 }