{
"type": "URL",
"indicator": "https://erp.p1.decagonsoftware.com/",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://erp.p1.decagonsoftware.com/",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4210337049,
"indicator": "https://erp.p1.decagonsoftware.com/",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 4,
"pulses": [
{
"id": "69ddeb45c45f6a3cd721397d",
"name": "Active attacks \u2022 Apple \u2022 Tulach",
"description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious",
"modified": "2026-04-14T07:22:45.250000",
"created": "2026-04-14T07:22:45.250000",
"tags": [
"url http",
"ipv4",
"indicator role",
"active related",
"united",
"moved",
"gmt content",
"certificate",
"all domain",
"msie",
"chrome",
"extraction",
"data upload",
"twitter",
"cookie",
"extra",
"include data",
"review locs",
"exclude",
"suggested os",
"onlv",
"failed",
"stop data",
"read c",
"unicode",
"rgba",
"memcommit",
"delete",
"dock",
"write",
"execution",
"sc type",
"extri",
"include review",
"exclude sugges",
"typ data",
"a domains",
"present apr",
"script urls",
"files",
"files ip",
"address",
"ios",
"mac",
"apple",
"appleid",
"itunes",
"next associated",
"all ipv4",
"included ic",
"uny teade",
"type hostnar",
"hostnar hostnar",
"hostnar",
"macair",
"macairaustralia",
"ipad",
"ipod",
"cryptexportkey",
"invalid pointer",
"cryptgenkey",
"stream",
"defender",
"delphi",
"class",
"stack",
"format",
"unknown",
"united states",
"phishing",
"password",
"traffic redirected",
"service mod",
"service execution",
"youtube",
"music",
"streams",
"songs",
"played songs",
"music streams",
"most played",
"fonelab",
"indicator",
"included iocs",
"manually add",
"review ocs",
"exclude inn",
"sugges data",
"find",
"include",
"url https",
"enter sc",
"type",
"no matchme",
"search otx",
"https",
"references x",
"analyze",
"open th",
"url data",
"se http",
"no match",
"excluded iocs",
"iocs",
"ip whitelisted",
"whitelisted",
"tcp include",
"analysis date",
"file score",
"medium risk",
"yara detections",
"contacted",
"related tags",
"x vercel",
"file type",
"type indicator",
"role title",
"related pulses",
"mulch virtua",
"library loade",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugt",
"samuel tulach",
"unity engine",
"tulach",
"sa awareness",
"sabey",
"sar cut",
"autofill",
"includer review",
"portiana oney",
"targeting",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"musickit_1_.js",
"lazarus",
"injection",
"CVE-2017-8570",
"prefetch2",
"target",
"aaaa",
"ip address",
"record value",
"emails",
"samuel tuachs",
"sapev",
"review exclude",
"monitored target",
"script",
"mitre att",
"ascii text",
"span",
"path",
"iframe",
"april",
"hybrid",
"general",
"local",
"click",
"strings",
"body",
"development att",
"t1055.012 list planting",
"active"
],
"references": [
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"https://podcasts.apple.com/us/podcast/lazarus",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://help.aiseesoft.jp/blu-ray-player",
"http://help.aiseesoft.jp/fonelab/",
"https://action.aiseesoft.jp/itunes.php",
"http://help.aiseesoft.jp/total-video-converter",
"http://help.aiseesoft.jp/total-video-converter/",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"http://test-firstmile.digitecgalaxus.ch",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"cdn.rss.applemarketingtools.com",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"1.bing.com.cn",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"www.phantomcameras.cn",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"podcasts.apple.com \u2022 23.34.32.21",
"www.apple.com \u2022 23.34.32.199",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"http://firstmile.digitecgalaxus.ch",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"Tulach.cc",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"asp.net domain pointer",
"developer.x.com",
"aotx.alienvault.com (aotx.?)",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1020.001",
"name": "Traffic Duplication",
"display_name": "T1020.001 - Traffic Duplication"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591.002",
"name": "Business Relationships",
"display_name": "T1591.002 - Business Relationships"
},
{
"id": "T1591.001",
"name": "Determine Physical Locations",
"display_name": "T1591.001 - Determine Physical Locations"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1029,
"domain": 396,
"email": 7,
"URL": 2784,
"FileHash-SHA256": 898,
"FileHash-MD5": 79,
"FileHash-SHA1": 68,
"IPv4": 35,
"CVE": 1,
"SSLCertFingerprint": 13
},
"indicator_count": 5310,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69dc04c12782d2d76c111a93",
"name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked",
"description": "",
"modified": "2026-04-12T20:46:57.338000",
"created": "2026-04-12T20:46:57.338000",
"tags": [
"indicator role",
"active related",
"ck ids",
"files",
"information",
"discovery",
"mitre att",
"pattern match",
"ck id",
"ck matrix",
"ascii text",
"united",
"binary file",
"april",
"hybrid",
"apikey",
"general",
"local",
"path",
"iframe",
"click",
"protocol",
"learn",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"execution att",
"related pulses",
"dll read",
"function read",
"icmp traffic",
"machineguid",
"systembiosdate",
"total",
"read",
"write",
"network_icmp",
"js_eval",
"recon_fingerprint",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"tls handshake",
"execution",
"dock",
"persistence",
"malware",
"unknown",
"neue",
"certificate",
"error",
"scans show",
"record value",
"title site",
"servers",
"emails",
"all hostname",
"dnsadmin",
"data upload",
"extraction",
"failed",
"include review",
"exclude sugges",
"find s",
"typ no",
"active",
"urls",
"ip address",
"asn as54113",
"registrar",
"wscript",
"united states",
"stcalifornia",
"lmountain view",
"ogoogle llc",
"ogoogle trust",
"cngts ca",
"whitelisted",
"as15169",
"hostile",
"crash",
"contacted",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"detections alf",
"hostile yara",
"detections none",
"less ip",
"domains",
"ms windows",
"intel",
"pe32",
"regsetvalueexa",
"langturkish",
"sublangdefault",
"port",
"destination",
"entries",
"worm",
"delphi",
"win32",
"body",
"explorer",
"defender",
"regdword",
"false",
"true",
"end sub",
"object",
"createobject",
"sheetschanged",
"private sub",
"string",
"boolean",
"cancel",
"trojan",
"copy",
"query",
"dns update",
"useragent",
"myapp",
"delphi alerts",
"alerts deadhost",
"women who code",
"tulach",
"114.114.114.114",
"samuel",
"brian sabey"
],
"references": [
"https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file",
"this.target",
"c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1",
"amazon.com \u2022 pki.goog \u2022 google-analytics.com",
"authrootstl.cab common file extension",
"dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell",
"https://securityaffairs.com/144927/cyber-crime~#",
"https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html",
"virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com",
"https://clockoutbox.es/password",
"http://cr-malware.testpanw.com/url",
"IDS Detections: Query to a *.pw domain - Likely Hostile",
"Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer",
"Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows",
"Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_",
"Alerts: windows_utilities antivm_memory_available pe_features raises_exception",
"IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227",
"IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94",
"Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog",
"Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com",
"Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw",
"Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections compromised_site_redirector_fromcharcode , Delphi",
"Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad",
"Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx",
"IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29",
"Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org",
"Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com",
"114.114.114.114 = Tulach"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:Trojan:Win64/PsBanker",
"display_name": "ALF:Trojan:Win64/PsBanker",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Trojan:O97M/Madeba.A!det",
"display_name": "Trojan:O97M/Madeba.A!det",
"target": "/malware/Trojan:O97M/Madeba.A!det"
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1114,
"hostname": 594,
"domain": 200,
"FileHash-SHA256": 2379,
"FileHash-MD5": 426,
"FileHash-SHA1": 259,
"IPv4": 322,
"SSLCertFingerprint": 24,
"email": 2,
"IPv6": 1
},
"indicator_count": 5321,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "7 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a1a73eb0578b92962dae97",
"name": "FBI Link (Ransomware)sent to a device. opened on its own. Why?",
"description": "I wouldn\u2019t typically search an alleged authentic government site , except it opened on a device, no prompt. TrojanDownloader:Win32/Dalexis!rfn!rfn\nIDS Detections\nMaktub Locker TOR Status Check\nTOR Consensus Data Requested\nTOR 1.0 Server Key Retrieval\nTor Get Server Request\nTLS Handshake Failure\nYara Detections\nstack_string\nWho is : [URL\n[https://tor-dirauth.sebastianhahn.net/]\n[https://tor.sebastianhahn.net]\n[tor-dirauth.sebastianhahn.net]\n->gitbot.faui2k9.de\n[Status faui2k9.de -connect] connects to device \n100% Malicious | https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70 | [External resources discovered in HTML content:\ndap.digitalgov.gov | Pattern match: \"fbi.gov/contact-us/field-offices/denver/news/pr\"\nHeuristic match: \"x.com\" | will revisit",
"modified": "2026-03-29T13:04:34.750000",
"created": "2026-02-27T14:16:30.498000",
"tags": [
"regopenkeyexw",
"port",
"destination",
"cryptexportkey",
"search",
"show",
"entries",
"windows nt",
"regsetvalueexa",
"ip address",
"malware",
"copy",
"write",
"win32",
"next",
"format",
"contacted",
"less ip",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"date",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"february",
"failed",
"enter",
"data upload",
"passive dns",
"urls",
"aaaa",
"certificate",
"otx logo",
"all hostname",
"pulse submit",
"url analysis",
"files",
"domain",
"title",
"body",
"encrypt",
"netherlands",
"gmt content",
"all ipv4",
"amsterdam",
"hetzner online",
"gmbh",
"summary",
"url age",
"de seen",
"general info",
"geo germany",
"as as24940",
"de note",
"route",
"direct",
"pro platform",
"logs",
"suricata alert",
"et info",
"tls handshake",
"bad traffic",
"suricata alerts",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"size",
"sha256",
"pattern match",
"ascii text",
"mitre att",
"ck id",
"path",
"unknown",
"stop",
"root",
"hybrid",
"general",
"local",
"form",
"click",
"strings",
"9999",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"command",
"defense evasion",
"spawns",
"found",
"show technique",
"ck matrix",
"href",
"antivirus",
"maktub locker",
"tor status",
"check"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1129,
"domain": 148,
"hostname": 753,
"FileHash-SHA256": 548,
"FileHash-MD5": 90,
"FileHash-SHA1": 71,
"SSLCertFingerprint": 8,
"CIDR": 1,
"email": 4
},
"indicator_count": 2752,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "21 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "26 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"this.target",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"https://clockoutbox.es/password",
"Requires further research.",
"Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell",
"IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227",
"www.apple.com \u2022 23.34.32.199",
"I apologize for the lack of reference.",
"Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com",
"IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94",
"Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org",
"IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"www.phantomcameras.cn",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f",
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"amazon.com \u2022 pki.goog \u2022 google-analytics.com",
"https://podcasts.apple.com/us/podcast/lazarus",
"http://firstmile.digitecgalaxus.ch",
"https://securityaffairs.com/144927/cyber-crime~#",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"114.114.114.114 = Tulach",
"aotx.alienvault.com (aotx.?)",
"http://help.aiseesoft.jp/total-video-converter/",
"div>
",
"developer.x.com",
"http://test-firstmile.digitecgalaxus.ch",
"Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog",
"https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file",
"Tulach.cc",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"cdn.rss.applemarketingtools.com",
"Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1",
"Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"http://help.aiseesoft.jp/fonelab/",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Query to a *.pw domain - Likely Hostile",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html",
"1.bing.com.cn",
"http://help.aiseesoft.jp/blu-ray-player",
"https://action.aiseesoft.jp/itunes.php",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com",
"It appears there are 5-7 known affected that I was able to find",
"https://l.us-1.a.mimecastprotect.com/l",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com",
"podcasts.apple.com \u2022 23.34.32.21",
"Alerts: windows_utilities antivm_memory_available pe_features raises_exception",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"authrootstl.cab common file extension",
"asp.net domain pointer",
"Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"Same legal , and quasi governmental pattern identified",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"http://help.aiseesoft.jp/total-video-converter",
"Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"http://cr-malware.testpanw.com/url",
"Yara Detections compromised_site_redirector_fromcharcode , Delphi",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Tulach",
"Worm:win32/autorun!atmn",
"Mydoom",
"Alf:trojan:win64/psbanker",
"Trojan:o97m/madeba.a!det",
"Icedid",
"#lowfi:lua:dllsuspiciousexport.a",
"Trojan:win32/smkldr.h!mtb"
],
"industries": [
"Telecom",
"Technology",
"Legal"
],
"unique_indicators": 24419
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/decagonsoftware.com",
"whois": "http://whois.domaintools.com/decagonsoftware.com",
"domain": "decagonsoftware.com",
"hostname": "erp.p1.decagonsoftware.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 4,
"pulses": [
{
"id": "69ddeb45c45f6a3cd721397d",
"name": "Active attacks \u2022 Apple \u2022 Tulach",
"description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious",
"modified": "2026-04-14T07:22:45.250000",
"created": "2026-04-14T07:22:45.250000",
"tags": [
"url http",
"ipv4",
"indicator role",
"active related",
"united",
"moved",
"gmt content",
"certificate",
"all domain",
"msie",
"chrome",
"extraction",
"data upload",
"twitter",
"cookie",
"extra",
"include data",
"review locs",
"exclude",
"suggested os",
"onlv",
"failed",
"stop data",
"read c",
"unicode",
"rgba",
"memcommit",
"delete",
"dock",
"write",
"execution",
"sc type",
"extri",
"include review",
"exclude sugges",
"typ data",
"a domains",
"present apr",
"script urls",
"files",
"files ip",
"address",
"ios",
"mac",
"apple",
"appleid",
"itunes",
"next associated",
"all ipv4",
"included ic",
"uny teade",
"type hostnar",
"hostnar hostnar",
"hostnar",
"macair",
"macairaustralia",
"ipad",
"ipod",
"cryptexportkey",
"invalid pointer",
"cryptgenkey",
"stream",
"defender",
"delphi",
"class",
"stack",
"format",
"unknown",
"united states",
"phishing",
"password",
"traffic redirected",
"service mod",
"service execution",
"youtube",
"music",
"streams",
"songs",
"played songs",
"music streams",
"most played",
"fonelab",
"indicator",
"included iocs",
"manually add",
"review ocs",
"exclude inn",
"sugges data",
"find",
"include",
"url https",
"enter sc",
"type",
"no matchme",
"search otx",
"https",
"references x",
"analyze",
"open th",
"url data",
"se http",
"no match",
"excluded iocs",
"iocs",
"ip whitelisted",
"whitelisted",
"tcp include",
"analysis date",
"file score",
"medium risk",
"yara detections",
"contacted",
"related tags",
"x vercel",
"file type",
"type indicator",
"role title",
"related pulses",
"mulch virtua",
"library loade",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugt",
"samuel tulach",
"unity engine",
"tulach",
"sa awareness",
"sabey",
"sar cut",
"autofill",
"includer review",
"portiana oney",
"targeting",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"musickit_1_.js",
"lazarus",
"injection",
"CVE-2017-8570",
"prefetch2",
"target",
"aaaa",
"ip address",
"record value",
"emails",
"samuel tuachs",
"sapev",
"review exclude",
"monitored target",
"script",
"mitre att",
"ascii text",
"span",
"path",
"iframe",
"april",
"hybrid",
"general",
"local",
"click",
"strings",
"body",
"development att",
"t1055.012 list planting",
"active"
],
"references": [
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"https://podcasts.apple.com/us/podcast/lazarus",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://help.aiseesoft.jp/blu-ray-player",
"http://help.aiseesoft.jp/fonelab/",
"https://action.aiseesoft.jp/itunes.php",
"http://help.aiseesoft.jp/total-video-converter",
"http://help.aiseesoft.jp/total-video-converter/",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"http://test-firstmile.digitecgalaxus.ch",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"cdn.rss.applemarketingtools.com",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"1.bing.com.cn",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"www.phantomcameras.cn",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"podcasts.apple.com \u2022 23.34.32.21",
"www.apple.com \u2022 23.34.32.199",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"http://firstmile.digitecgalaxus.ch",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"Tulach.cc",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"asp.net domain pointer",
"developer.x.com",
"aotx.alienvault.com (aotx.?)",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1020.001",
"name": "Traffic Duplication",
"display_name": "T1020.001 - Traffic Duplication"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591.002",
"name": "Business Relationships",
"display_name": "T1591.002 - Business Relationships"
},
{
"id": "T1591.001",
"name": "Determine Physical Locations",
"display_name": "T1591.001 - Determine Physical Locations"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1029,
"domain": 396,
"email": 7,
"URL": 2784,
"FileHash-SHA256": 898,
"FileHash-MD5": 79,
"FileHash-SHA1": 68,
"IPv4": 35,
"CVE": 1,
"SSLCertFingerprint": 13
},
"indicator_count": 5310,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69dc04c12782d2d76c111a93",
"name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked",
"description": "",
"modified": "2026-04-12T20:46:57.338000",
"created": "2026-04-12T20:46:57.338000",
"tags": [
"indicator role",
"active related",
"ck ids",
"files",
"information",
"discovery",
"mitre att",
"pattern match",
"ck id",
"ck matrix",
"ascii text",
"united",
"binary file",
"april",
"hybrid",
"apikey",
"general",
"local",
"path",
"iframe",
"click",
"protocol",
"learn",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"execution att",
"related pulses",
"dll read",
"function read",
"icmp traffic",
"machineguid",
"systembiosdate",
"total",
"read",
"write",
"network_icmp",
"js_eval",
"recon_fingerprint",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"tls handshake",
"execution",
"dock",
"persistence",
"malware",
"unknown",
"neue",
"certificate",
"error",
"scans show",
"record value",
"title site",
"servers",
"emails",
"all hostname",
"dnsadmin",
"data upload",
"extraction",
"failed",
"include review",
"exclude sugges",
"find s",
"typ no",
"active",
"urls",
"ip address",
"asn as54113",
"registrar",
"wscript",
"united states",
"stcalifornia",
"lmountain view",
"ogoogle llc",
"ogoogle trust",
"cngts ca",
"whitelisted",
"as15169",
"hostile",
"crash",
"contacted",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"detections alf",
"hostile yara",
"detections none",
"less ip",
"domains",
"ms windows",
"intel",
"pe32",
"regsetvalueexa",
"langturkish",
"sublangdefault",
"port",
"destination",
"entries",
"worm",
"delphi",
"win32",
"body",
"explorer",
"defender",
"regdword",
"false",
"true",
"end sub",
"object",
"createobject",
"sheetschanged",
"private sub",
"string",
"boolean",
"cancel",
"trojan",
"copy",
"query",
"dns update",
"useragent",
"myapp",
"delphi alerts",
"alerts deadhost",
"women who code",
"tulach",
"114.114.114.114",
"samuel",
"brian sabey"
],
"references": [
"https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file",
"this.target",
"c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1",
"amazon.com \u2022 pki.goog \u2022 google-analytics.com",
"authrootstl.cab common file extension",
"dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell",
"https://securityaffairs.com/144927/cyber-crime~#",
"https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html",
"virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com",
"https://clockoutbox.es/password",
"http://cr-malware.testpanw.com/url",
"IDS Detections: Query to a *.pw domain - Likely Hostile",
"Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer",
"Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows",
"Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_",
"Alerts: windows_utilities antivm_memory_available pe_features raises_exception",
"IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227",
"IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94",
"Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog",
"Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com",
"Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw",
"Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections compromised_site_redirector_fromcharcode , Delphi",
"Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad",
"Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx",
"IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29",
"Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org",
"Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com",
"114.114.114.114 = Tulach"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:Trojan:Win64/PsBanker",
"display_name": "ALF:Trojan:Win64/PsBanker",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Trojan:O97M/Madeba.A!det",
"display_name": "Trojan:O97M/Madeba.A!det",
"target": "/malware/Trojan:O97M/Madeba.A!det"
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1114,
"hostname": 594,
"domain": 200,
"FileHash-SHA256": 2379,
"FileHash-MD5": 426,
"FileHash-SHA1": 259,
"IPv4": 322,
"SSLCertFingerprint": 24,
"email": 2,
"IPv6": 1
},
"indicator_count": 5321,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "7 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a1a73eb0578b92962dae97",
"name": "FBI Link (Ransomware)sent to a device. opened on its own. Why?",
"description": "I wouldn\u2019t typically search an alleged authentic government site , except it opened on a device, no prompt. TrojanDownloader:Win32/Dalexis!rfn!rfn\nIDS Detections\nMaktub Locker TOR Status Check\nTOR Consensus Data Requested\nTOR 1.0 Server Key Retrieval\nTor Get Server Request\nTLS Handshake Failure\nYara Detections\nstack_string\nWho is : [URL\n[https://tor-dirauth.sebastianhahn.net/]\n[https://tor.sebastianhahn.net]\n[tor-dirauth.sebastianhahn.net]\n->gitbot.faui2k9.de\n[Status faui2k9.de -connect] connects to device \n100% Malicious | https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70 | [External resources discovered in HTML content:\ndap.digitalgov.gov | Pattern match: \"fbi.gov/contact-us/field-offices/denver/news/pr\"\nHeuristic match: \"x.com\" | will revisit",
"modified": "2026-03-29T13:04:34.750000",
"created": "2026-02-27T14:16:30.498000",
"tags": [
"regopenkeyexw",
"port",
"destination",
"cryptexportkey",
"search",
"show",
"entries",
"windows nt",
"regsetvalueexa",
"ip address",
"malware",
"copy",
"write",
"win32",
"next",
"format",
"contacted",
"less ip",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"date",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"february",
"failed",
"enter",
"data upload",
"passive dns",
"urls",
"aaaa",
"certificate",
"otx logo",
"all hostname",
"pulse submit",
"url analysis",
"files",
"domain",
"title",
"body",
"encrypt",
"netherlands",
"gmt content",
"all ipv4",
"amsterdam",
"hetzner online",
"gmbh",
"summary",
"url age",
"de seen",
"general info",
"geo germany",
"as as24940",
"de note",
"route",
"direct",
"pro platform",
"logs",
"suricata alert",
"et info",
"tls handshake",
"bad traffic",
"suricata alerts",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"size",
"sha256",
"pattern match",
"ascii text",
"mitre att",
"ck id",
"path",
"unknown",
"stop",
"root",
"hybrid",
"general",
"local",
"form",
"click",
"strings",
"9999",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"command",
"defense evasion",
"spawns",
"found",
"show technique",
"ck matrix",
"href",
"antivirus",
"maktub locker",
"tor status",
"check"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1129,
"domain": 148,
"hostname": 753,
"FileHash-SHA256": 548,
"FileHash-MD5": 90,
"FileHash-SHA1": 71,
"SSLCertFingerprint": 8,
"CIDR": 1,
"email": 4
},
"indicator_count": 2752,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "21 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "26 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://erp.p1.decagonsoftware.com/",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://erp.p1.decagonsoftware.com/",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776642010.7074995
}