{ "type": "URL", "indicator": "https://enabling.circlsuc.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://enabling.circlsuc.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2944878298, "indicator": "https://enabling.circlsuc.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "65f1860d3062a8cb715ee358", "name": "United Healthcare sponsored Healthy Benefits Plus Attack warning - Contactec", "description": "", "modified": "2024-03-13T10:55:09.654000", "created": "2024-03-13T10:55:09.654000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656d71fbc00b370fde721350", "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "767 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656c2345912bea54c4eeb718", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber attack", "description": "I received a request regarding AIG subsidiary United healthcare medicare sponsored healthy benefit plus card. Benefits provided to elderly, disabled SSDI recipients who have lower incomes. I learned 200+ were affected. Remote attacks, apple iOS, phi, health, vision, dental, food beneficiaries. Command and Control server. Research reveals a be deeply impacted target.\nbrowser.events.data.msn.com\nevents-sandbox.data.msn.com\n192.229.211.108 (Virus Network)\nassetscdn.isappcloud.com\nnr-data.net (Apple Private Data Collection)\nphotos1.blogger.com. (Malware site)\nhttp://www.tsarabrashears.com\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \nhttps://www.tsarabrashears.com\ntracker.adxpansion.com access tracker\ntsarabrashears.com\ntt.milehighmedia.com", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-03T06:42:13.993000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": null, "export_count": 121, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656d71fbc00b370fde721350", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber ", "description": "", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-04T06:30:19.057000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656c2345912bea54c4eeb718", "export_count": 126, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a581b1024ea61979da96", "name": "Quasar - Dark Web Instagram Account | Link found | Remote Access Trojan (RAT)", "description": "", "modified": "2023-12-06T16:46:57.782000", "created": "2023-12-06T16:46:57.782000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-SHA256": 5791, "hostname": 3255, "domain": 2317, "FileHash-MD5": 44, "FileHash-SHA1": 34, "URL": 11513 }, "indicator_count": 22957, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650a0b7c9a6b3c5d0a2a3960", "name": "Quasar - Dark Web Instagram Account | Link found | Remote Access Trojan (RAT)", "description": "Link: apple.instagram.com \nQuasar is a lightweight, publicly available open-source Remote Access Trojan (RAT). Used by a variety of attackers. Typically packed to make analysis of the source demanding.\nAccount appears to have been breached, operational in dark web. Dead host.", "modified": "2023-10-19T14:04:37.381000", "created": "2023-09-19T20:58:36.137000", "tags": [ "contacted", "threat roundup", "execution", "ssl certificate", "dark web", "crypto threat", "resolutions", "referrer", "stealer", "quasar", "asyncrat", "error", "social engineering", "iPhone phishing", "Apple phishing", "email phishing", "emotet", "remote", "attacks" ], "references": [ "Alienvault OTX", "Data Analysis", "Online Research", "WebTools" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "India" ], "malware_families": [ { "id": "Backdoor:MSIL/AsyncRAT", "display_name": "Backdoor:MSIL/AsyncRAT", "target": "/malware/Backdoor:MSIL/AsyncRAT" }, { "id": "Backdoor:MSIL/QuasarRat", "display_name": "Backdoor:MSIL/QuasarRat", "target": "/malware/Backdoor:MSIL/QuasarRat" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" } ], "industries": [ "Media", "Social Media", "Technology", "Hacking" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 44, "FileHash-SHA1": 34, "FileHash-SHA256": 5791, "URL": 11513, "domain": 2317, "hostname": 3255, "CVE": 3 }, "indicator_count": 22957, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "913 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Data Analysis", "Alienvault OTX", "WebTools", "Online Research" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Webtoolbar", "Trojanspy", "Backdoor:msil/asyncrat", "Generic", "Backdoor:msil/quasarrat", "Maltiverse" ], "industries": [ "Social media", "Technology", "Health", "Food", "Hacking", "Media" ], "unique_indicators": 44824 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/circlsuc.com", "whois": "http://whois.domaintools.com/circlsuc.com", "domain": "circlsuc.com", "hostname": "enabling.circlsuc.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "65f1860d3062a8cb715ee358", "name": "United Healthcare sponsored Healthy Benefits Plus Attack warning - Contactec", "description": "", "modified": "2024-03-13T10:55:09.654000", "created": "2024-03-13T10:55:09.654000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656d71fbc00b370fde721350", "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "767 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656c2345912bea54c4eeb718", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber attack", "description": "I received a request regarding AIG subsidiary United healthcare medicare sponsored healthy benefit plus card. Benefits provided to elderly, disabled SSDI recipients who have lower incomes. I learned 200+ were affected. Remote attacks, apple iOS, phi, health, vision, dental, food beneficiaries. Command and Control server. Research reveals a be deeply impacted target.\nbrowser.events.data.msn.com\nevents-sandbox.data.msn.com\n192.229.211.108 (Virus Network)\nassetscdn.isappcloud.com\nnr-data.net (Apple Private Data Collection)\nphotos1.blogger.com. (Malware site)\nhttp://www.tsarabrashears.com\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \nhttps://www.tsarabrashears.com\ntracker.adxpansion.com access tracker\ntsarabrashears.com\ntt.milehighmedia.com", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-03T06:42:13.993000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": null, "export_count": 121, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656d71fbc00b370fde721350", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber ", "description": "", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-04T06:30:19.057000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656c2345912bea54c4eeb718", "export_count": 126, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a581b1024ea61979da96", "name": "Quasar - Dark Web Instagram Account | Link found | Remote Access Trojan (RAT)", "description": "", "modified": "2023-12-06T16:46:57.782000", "created": "2023-12-06T16:46:57.782000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-SHA256": 5791, "hostname": 3255, "domain": 2317, "FileHash-MD5": 44, "FileHash-SHA1": 34, "URL": 11513 }, "indicator_count": 22957, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650a0b7c9a6b3c5d0a2a3960", "name": "Quasar - Dark Web Instagram Account | Link found | Remote Access Trojan (RAT)", "description": "Link: apple.instagram.com \nQuasar is a lightweight, publicly available open-source Remote Access Trojan (RAT). Used by a variety of attackers. Typically packed to make analysis of the source demanding.\nAccount appears to have been breached, operational in dark web. Dead host.", "modified": "2023-10-19T14:04:37.381000", "created": "2023-09-19T20:58:36.137000", "tags": [ "contacted", "threat roundup", "execution", "ssl certificate", "dark web", "crypto threat", "resolutions", "referrer", "stealer", "quasar", "asyncrat", "error", "social engineering", "iPhone phishing", "Apple phishing", "email phishing", "emotet", "remote", "attacks" ], "references": [ "Alienvault OTX", "Data Analysis", "Online Research", "WebTools" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "India" ], "malware_families": [ { "id": "Backdoor:MSIL/AsyncRAT", "display_name": "Backdoor:MSIL/AsyncRAT", "target": "/malware/Backdoor:MSIL/AsyncRAT" }, { "id": "Backdoor:MSIL/QuasarRat", "display_name": "Backdoor:MSIL/QuasarRat", "target": "/malware/Backdoor:MSIL/QuasarRat" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" } ], "industries": [ "Media", "Social Media", "Technology", "Hacking" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 44, "FileHash-SHA1": 34, "FileHash-SHA256": 5791, "URL": 11513, "domain": 2317, "hostname": 3255, "CVE": 3 }, "indicator_count": 22957, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "913 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://enabling.circlsuc.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://enabling.circlsuc.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776658526.5961978 }