{
"type": "URL",
"indicator": "https://erp.p510.decagonsoftware.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://erp.p510.decagonsoftware.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4147791969,
"indicator": "https://erp.p510.decagonsoftware.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 14,
"pulses": [
{
"id": "69ddeb45c45f6a3cd721397d",
"name": "Active attacks \u2022 Apple \u2022 Tulach",
"description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious",
"modified": "2026-04-14T07:22:45.250000",
"created": "2026-04-14T07:22:45.250000",
"tags": [
"url http",
"ipv4",
"indicator role",
"active related",
"united",
"moved",
"gmt content",
"certificate",
"all domain",
"msie",
"chrome",
"extraction",
"data upload",
"twitter",
"cookie",
"extra",
"include data",
"review locs",
"exclude",
"suggested os",
"onlv",
"failed",
"stop data",
"read c",
"unicode",
"rgba",
"memcommit",
"delete",
"dock",
"write",
"execution",
"sc type",
"extri",
"include review",
"exclude sugges",
"typ data",
"a domains",
"present apr",
"script urls",
"files",
"files ip",
"address",
"ios",
"mac",
"apple",
"appleid",
"itunes",
"next associated",
"all ipv4",
"included ic",
"uny teade",
"type hostnar",
"hostnar hostnar",
"hostnar",
"macair",
"macairaustralia",
"ipad",
"ipod",
"cryptexportkey",
"invalid pointer",
"cryptgenkey",
"stream",
"defender",
"delphi",
"class",
"stack",
"format",
"unknown",
"united states",
"phishing",
"password",
"traffic redirected",
"service mod",
"service execution",
"youtube",
"music",
"streams",
"songs",
"played songs",
"music streams",
"most played",
"fonelab",
"indicator",
"included iocs",
"manually add",
"review ocs",
"exclude inn",
"sugges data",
"find",
"include",
"url https",
"enter sc",
"type",
"no matchme",
"search otx",
"https",
"references x",
"analyze",
"open th",
"url data",
"se http",
"no match",
"excluded iocs",
"iocs",
"ip whitelisted",
"whitelisted",
"tcp include",
"analysis date",
"file score",
"medium risk",
"yara detections",
"contacted",
"related tags",
"x vercel",
"file type",
"type indicator",
"role title",
"related pulses",
"mulch virtua",
"library loade",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugt",
"samuel tulach",
"unity engine",
"tulach",
"sa awareness",
"sabey",
"sar cut",
"autofill",
"includer review",
"portiana oney",
"targeting",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"musickit_1_.js",
"lazarus",
"injection",
"CVE-2017-8570",
"prefetch2",
"target",
"aaaa",
"ip address",
"record value",
"emails",
"samuel tuachs",
"sapev",
"review exclude",
"monitored target",
"script",
"mitre att",
"ascii text",
"span",
"path",
"iframe",
"april",
"hybrid",
"general",
"local",
"click",
"strings",
"body",
"development att",
"t1055.012 list planting",
"active"
],
"references": [
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"https://podcasts.apple.com/us/podcast/lazarus",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://help.aiseesoft.jp/blu-ray-player",
"http://help.aiseesoft.jp/fonelab/",
"https://action.aiseesoft.jp/itunes.php",
"http://help.aiseesoft.jp/total-video-converter",
"http://help.aiseesoft.jp/total-video-converter/",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"http://test-firstmile.digitecgalaxus.ch",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"cdn.rss.applemarketingtools.com",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"1.bing.com.cn",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"www.phantomcameras.cn",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"podcasts.apple.com \u2022 23.34.32.21",
"www.apple.com \u2022 23.34.32.199",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"http://firstmile.digitecgalaxus.ch",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"Tulach.cc",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"asp.net domain pointer",
"developer.x.com",
"aotx.alienvault.com (aotx.?)",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1020.001",
"name": "Traffic Duplication",
"display_name": "T1020.001 - Traffic Duplication"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591.002",
"name": "Business Relationships",
"display_name": "T1591.002 - Business Relationships"
},
{
"id": "T1591.001",
"name": "Determine Physical Locations",
"display_name": "T1591.001 - Determine Physical Locations"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1029,
"domain": 396,
"email": 7,
"URL": 2784,
"FileHash-SHA256": 898,
"FileHash-MD5": 79,
"FileHash-SHA1": 68,
"IPv4": 35,
"CVE": 1,
"SSLCertFingerprint": 13
},
"indicator_count": 5310,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69dc04c12782d2d76c111a93",
"name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked",
"description": "",
"modified": "2026-04-12T20:46:57.338000",
"created": "2026-04-12T20:46:57.338000",
"tags": [
"indicator role",
"active related",
"ck ids",
"files",
"information",
"discovery",
"mitre att",
"pattern match",
"ck id",
"ck matrix",
"ascii text",
"united",
"binary file",
"april",
"hybrid",
"apikey",
"general",
"local",
"path",
"iframe",
"click",
"protocol",
"learn",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"execution att",
"related pulses",
"dll read",
"function read",
"icmp traffic",
"machineguid",
"systembiosdate",
"total",
"read",
"write",
"network_icmp",
"js_eval",
"recon_fingerprint",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"tls handshake",
"execution",
"dock",
"persistence",
"malware",
"unknown",
"neue",
"certificate",
"error",
"scans show",
"record value",
"title site",
"servers",
"emails",
"all hostname",
"dnsadmin",
"data upload",
"extraction",
"failed",
"include review",
"exclude sugges",
"find s",
"typ no",
"active",
"urls",
"ip address",
"asn as54113",
"registrar",
"wscript",
"united states",
"stcalifornia",
"lmountain view",
"ogoogle llc",
"ogoogle trust",
"cngts ca",
"whitelisted",
"as15169",
"hostile",
"crash",
"contacted",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"detections alf",
"hostile yara",
"detections none",
"less ip",
"domains",
"ms windows",
"intel",
"pe32",
"regsetvalueexa",
"langturkish",
"sublangdefault",
"port",
"destination",
"entries",
"worm",
"delphi",
"win32",
"body",
"explorer",
"defender",
"regdword",
"false",
"true",
"end sub",
"object",
"createobject",
"sheetschanged",
"private sub",
"string",
"boolean",
"cancel",
"trojan",
"copy",
"query",
"dns update",
"useragent",
"myapp",
"delphi alerts",
"alerts deadhost",
"women who code",
"tulach",
"114.114.114.114",
"samuel",
"brian sabey"
],
"references": [
"https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file",
"this.target",
"c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1",
"amazon.com \u2022 pki.goog \u2022 google-analytics.com",
"authrootstl.cab common file extension",
"dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell",
"https://securityaffairs.com/144927/cyber-crime~#",
"https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html",
"virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com",
"https://clockoutbox.es/password",
"http://cr-malware.testpanw.com/url",
"IDS Detections: Query to a *.pw domain - Likely Hostile",
"Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer",
"Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows",
"Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_",
"Alerts: windows_utilities antivm_memory_available pe_features raises_exception",
"IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227",
"IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94",
"Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog",
"Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com",
"Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw",
"Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections compromised_site_redirector_fromcharcode , Delphi",
"Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad",
"Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx",
"IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29",
"Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org",
"Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com",
"114.114.114.114 = Tulach"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:Trojan:Win64/PsBanker",
"display_name": "ALF:Trojan:Win64/PsBanker",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Trojan:O97M/Madeba.A!det",
"display_name": "Trojan:O97M/Madeba.A!det",
"target": "/malware/Trojan:O97M/Madeba.A!det"
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1114,
"hostname": 594,
"domain": 200,
"FileHash-SHA256": 2379,
"FileHash-MD5": 426,
"FileHash-SHA1": 259,
"IPv4": 322,
"SSLCertFingerprint": 24,
"email": 2,
"IPv6": 1
},
"indicator_count": 5321,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "6 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a1a73eb0578b92962dae97",
"name": "FBI Link (Ransomware)sent to a device. opened on its own. Why?",
"description": "I wouldn\u2019t typically search an alleged authentic government site , except it opened on a device, no prompt. TrojanDownloader:Win32/Dalexis!rfn!rfn\nIDS Detections\nMaktub Locker TOR Status Check\nTOR Consensus Data Requested\nTOR 1.0 Server Key Retrieval\nTor Get Server Request\nTLS Handshake Failure\nYara Detections\nstack_string\nWho is : [URL\n[https://tor-dirauth.sebastianhahn.net/]\n[https://tor.sebastianhahn.net]\n[tor-dirauth.sebastianhahn.net]\n->gitbot.faui2k9.de\n[Status faui2k9.de -connect] connects to device \n100% Malicious | https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70 | [External resources discovered in HTML content:\ndap.digitalgov.gov | Pattern match: \"fbi.gov/contact-us/field-offices/denver/news/pr\"\nHeuristic match: \"x.com\" | will revisit",
"modified": "2026-03-29T13:04:34.750000",
"created": "2026-02-27T14:16:30.498000",
"tags": [
"regopenkeyexw",
"port",
"destination",
"cryptexportkey",
"search",
"show",
"entries",
"windows nt",
"regsetvalueexa",
"ip address",
"malware",
"copy",
"write",
"win32",
"next",
"format",
"contacted",
"less ip",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"date",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"february",
"failed",
"enter",
"data upload",
"passive dns",
"urls",
"aaaa",
"certificate",
"otx logo",
"all hostname",
"pulse submit",
"url analysis",
"files",
"domain",
"title",
"body",
"encrypt",
"netherlands",
"gmt content",
"all ipv4",
"amsterdam",
"hetzner online",
"gmbh",
"summary",
"url age",
"de seen",
"general info",
"geo germany",
"as as24940",
"de note",
"route",
"direct",
"pro platform",
"logs",
"suricata alert",
"et info",
"tls handshake",
"bad traffic",
"suricata alerts",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"size",
"sha256",
"pattern match",
"ascii text",
"mitre att",
"ck id",
"path",
"unknown",
"stop",
"root",
"hybrid",
"general",
"local",
"form",
"click",
"strings",
"9999",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"command",
"defense evasion",
"spawns",
"found",
"show technique",
"ck matrix",
"href",
"antivirus",
"maktub locker",
"tor status",
"check"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1129,
"domain": 148,
"hostname": 753,
"FileHash-SHA256": 548,
"FileHash-MD5": 90,
"FileHash-SHA1": 71,
"SSLCertFingerprint": 8,
"CIDR": 1,
"email": 4
},
"indicator_count": 2752,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "21 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "697cdce9ec418c422eee2054",
"name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019",
"description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.",
"modified": "2026-03-01T16:05:57.375000",
"created": "2026-01-30T16:31:37.011000",
"tags": [
"url https",
"url http",
"tlsv1",
"whitelisted",
"united",
"read c",
"as15169",
"stcalifornia",
"execution",
"dock",
"write",
"persistence",
"malware",
"encrypt",
"active",
"lumen technologies",
"number",
"error",
"regexp",
"sxa0",
"amptoken",
"optout",
"retrieving",
"notfound",
"unknown",
"form",
"flash",
"backdoor",
"writeconsolew",
"yara detections",
"command line",
"pdb path",
"pe resource",
"internalname",
"windows command",
"A",
"aws",
"name servers",
"url analysis",
"passive dns",
"urls",
"data upload",
"extraction",
"palantir",
"c2",
"aerospace",
"tracking",
"spywatchdog",
"palapa-c2",
"communications satellite",
"amazon",
"hughesnet",
"icmp traffic",
"washington c",
"washington ou",
"mopr",
"mon jul",
"local",
"dynamic",
"apple",
"network",
"t1057",
"discovery",
"t1069",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1480",
"guardrails",
"t1566",
"present jan",
"unknown ns",
"ip address",
"dnssec",
"domain",
"dynamic dns",
"government",
"pcup",
"germany unknown",
"link",
"dns hosting",
"cloudns",
"cloud dns",
"a domains",
"ipv4 add",
"title",
"meta",
"class",
"servers",
"present aug",
"aaaa",
"present sep",
"present nov",
"present jul",
"present may",
"moved",
"canada unknown",
"begin",
"record value",
"gmt content",
"type",
"hostname add",
"files",
"ascii text",
"pattern match",
"href",
"mitre att",
"ck id",
"ck matrix",
"network traffic",
"et info",
"general",
"path",
"click",
"learn",
"command",
"name tactics",
"suspicious",
"informative",
"adversaries",
"input url",
"defense evasion",
"france",
"ireland",
"netherlands",
"denmark",
"united kingdom",
"type indicator",
"role title",
"added active",
"savvis",
"centurylinktechnology",
"hybrid analysis",
"monitoring tools",
"monitored target",
"triangulation",
"worm",
"intel",
"ms windows",
"pe32",
"write c",
"delete c",
"show",
"russia as47764",
"unix",
"lsan jose",
"odigicert inc",
"markus",
"url add",
"http",
"related nids",
"files location",
"russia flag",
"russia hostname",
"russia",
"russia unknown",
"hosting",
"federation flag",
"body",
"gmt vary",
"accept encoding",
"gmt cache",
"certificate",
"pulse submit",
"unknown aaaa",
"search",
"entries",
"script domains",
"script urls",
"pdx cf"
],
"references": [
"\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device",
"Yare: compromised_site_redirector_fromcharcode",
"Alerts: network_icmp nolookup_communication js_eval recon_fingerprint",
"Alerts: console_output has_pdb pe_unknown_resource_name",
"File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..",
"Tipped: A targets AI and other cyber research findings.",
"A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.",
"track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software",
"https://palapa.c.id\t (c.id)",
"Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com",
"cedevice.io \u2022 decagonsoftware.com",
"http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net",
"http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF",
"pcup.gov.ph:",
"http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:",
"https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:",
"https://elegantcosmedampyeah.pages.dev/",
"https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/",
"inst.govelopscold.com",
"https://feedback.ptv.vic.gov.au/360",
"nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au",
"nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au",
"https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d",
"https://brand.centurylinktechnology.com",
"https://prod.centurylinktechnology.com",
"https://brand2.centurylinktechnology.com",
"https://mobile-pocket-guide.centurylinktechnology.com",
"UPX_OEP_place",
"Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg",
"ASP. NET",
"https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:",
"7box.vip"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan.Tofsee/Botx",
"display_name": "Trojan.Tofsee/Botx",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "PWS:Win32/Axespec.A",
"display_name": "PWS:Win32/Axespec.A",
"target": "/malware/PWS:Win32/Axespec.A"
},
{
"id": "Worm:Win32/Lightmoon.H",
"display_name": "Worm:Win32/Lightmoon.H",
"target": "/malware/Worm:Win32/Lightmoon.H"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1439",
"name": "Eavesdrop on Insecure Network Communication",
"display_name": "T1439 - Eavesdrop on Insecure Network Communication"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1069.003",
"name": "Cloud Groups",
"display_name": "T1069.003 - Cloud Groups"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 102,
"FileHash-SHA1": 59,
"FileHash-SHA256": 1929,
"domain": 854,
"hostname": 2156,
"URL": 4475,
"SSLCertFingerprint": 9,
"email": 7,
"CVE": 1
},
"indicator_count": 9592,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "49 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac416596cd89cf76bce55",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:04:53.997000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac4327b5bc2e8be34f78a",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:22.323000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac438a696c993b672106d",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:28.261000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6961a8ed7b492f9e0ba38990",
"name": "HeartSender.A and other Malware attacks originating from Palantirs Pahamify Pegasus",
"description": "Pahamify Pegasus : HackTool \u2022 Speedcat \u2022 HeartSender.A \u2022 Zbot and other malware found.\nSearc begins with single FileHash referenced below. \nI\u2019m checking the processes and sharing it here one group at a time. Too much research at once could bring Amazon AWS down. Again.",
"modified": "2026-02-09T00:04:37.974000",
"created": "2026-01-10T01:18:36.999000",
"tags": [
"read c",
"write c",
"port",
"destination",
"united",
"medium",
"as16509",
"memcommit",
"write",
"execution",
"dock",
"persistence",
"next executed",
"commands graph",
"tree",
"sample hash",
"passive dns",
"present jan",
"title error",
"urls",
"files",
"date hash",
"avast avg",
"dynamicloader",
"host",
"utf8",
"unicode text",
"crlf line",
"binary resource",
"ms windows",
"search",
"intel",
"pcspeedcat",
"win32",
"internal",
"malware",
"local",
"unknown",
"get na",
"http",
"okrnserver",
"ip address",
"http traffic",
"guard",
"powershell",
"ipv4 add",
"servers",
"name servers",
"capture",
"link",
"gateway",
"tofsee att",
"ck ids",
"t1055",
"injection",
"t1071",
"protocol",
"t1573",
"target",
"url http",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"t1480 execution",
"discovery att",
"mitre att",
"ck matrix",
"ascii text",
"hybrid",
"general",
"path",
"click",
"strings",
"high",
"etpro malware",
"next",
"stack",
"format",
"error",
"unicode",
"head http",
"regsetvalueexa",
"qt binary",
"resource file",
"pe32",
"hostile",
"unknown aaaa",
"unknown ns",
"x content",
"gmt cache",
"domain add",
"title",
"present sep",
"a td",
"td tr",
"dir td",
"td td",
"present may",
"present jun",
"present apr",
"present aug",
"present oct",
"head body",
"gmt server",
"index",
"main",
"accept",
"status",
"th tr",
"moved",
"record value",
"expiration date",
"germany unknown",
"present dec",
"cache control",
"present nov",
"max age1000000",
"cookie",
"hosting",
"reverse dns",
"location france",
"france asn",
"as16276",
"trojandropper",
"next associated",
"mtb jan",
"exploit",
"emails",
"trojan",
"pegasus",
"hostname add",
"url analysis",
"domain",
"files ip",
"address",
"france unknown",
"asn as16276",
"backdoor",
"entries",
"setcookie",
"twitter",
"refloadapihash",
"virtool",
"show",
"displayname",
"windows",
"rndhex",
"tofsee",
"stream",
"encrypt",
"push",
"creation date",
"france",
"date",
"body",
"pup",
"amazon",
"amazon aws",
"salesforce",
"herokuappdev",
"google",
"igoogle",
"monitored target",
"cats"
],
"references": [
"FileHash-SHA256\t9f66cab9d7c581cf2dd28b6ae3178bb3d38975ff257c3ffb67c3e89d0f7135ee",
"https://otx.alienvault.com/indicator/ip/3.163.24.10",
"External Hosts: 52.57.183.74\t access.pcspeedcat.com\taccess.pcspeedcat.com\tGermany\tAS16509 amazon.com inc\taccess.pcspeedcat.com Germany AS16509 amazon.",
"External Hosts: 3.163.24.10\t www.pcspeedcat.com\twww.pcspeedcat.com\tUnited States ASNone",
"https://otx.alienvault.com/indicator/hostname/pegasus.pahamify.com",
"https://otx.alienvault.com/indicator/url/https://pegasus.pahamify.com/",
"https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"http://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"biblegateway.comwww.biblegateway.com \u2022 www.biblegateway.com",
"Malicious Application Development: herokuappdev.com (Patter match 8 years +)",
"direwolf-8b1a1bc476.staging.herokuappdev.com",
"Malicious Application Development: herokuappdev.com (pattern matching spans 8+ years)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Generic-9871124-0",
"display_name": "Win.Malware.Generic-9871124-0",
"target": null
},
{
"id": "ALF:HackTool:MSIL/HeartSender.A",
"display_name": "ALF:HackTool:MSIL/HeartSender.A",
"target": null
},
{
"id": "Win.Malware.Speedcat-6957425",
"display_name": "Win.Malware.Speedcat-6957425",
"target": null
},
{
"id": "Tofsee Attack",
"display_name": "Tofsee Attack",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
}
],
"industries": [
"Civil Society",
"Telecommunications",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 404,
"FileHash-SHA1": 286,
"FileHash-SHA256": 1419,
"SSLCertFingerprint": 7,
"domain": 441,
"URL": 4233,
"hostname": 1217,
"email": 10
},
"indicator_count": 8017,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "69 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6958780c8479a9d69920c3d8",
"name": "Telnet - Mirai \u2022 Dark Nexus BusyBox iOS Attack",
"description": "There\u2019s enough here to cause an outage. I will stop here. Illegal activities to silence victim and block her from financial settlement award for permanent injuries under workers compensation in a premise and healthcare worker assault scenario. Attorneys estimated her case to be above $100 million but knew she\u2019d be tampered with. Mark Montano MD forewarned her but is culpable. Still attacking family of victim.\n[ True- otx auto generated: Adversaries may be able to gain access to a victim's network through a drive-by attack, as well as using a short-term SSL certificate, in order to target the victim.] |||\nPositive:\nT1140 - Deobfuscate/Decode Files or Information\nSuspicious IP Address\n104.21.51.140, 172.67.181.41\nLocation United States ASN\nModif AS13335 cloudflare\nAutomate Nameservers:\nns1.colocrossing.com.",
"modified": "2026-02-02T01:02:46.327000",
"created": "2026-01-03T01:59:40.530000",
"tags": [
"united",
"moved",
"title",
"passive dns",
"ipv4 add",
"urls",
"files",
"hosting",
"reverse dns",
"location united",
"hash avast",
"avg clamav",
"msdefender mar",
"read c",
"create c",
"medium",
"search",
"memcommit",
"high",
"checks",
"windows",
"execution",
"dock",
"write",
"persistence",
"capture",
"local",
"ref b",
"wed may",
"backdoor",
"mtb aug",
"next associated",
"mtb dec",
"twitter",
"smoke loader",
"malware",
"virtool",
"hacktool",
"data upload",
"present dec",
"mtb apr",
"win32",
"trojan",
"worm",
"lowfi",
"cybota",
"expiration date",
"name servers",
"ipv4",
"url analysis",
"port",
"destination",
"telnet login",
"bad login",
"gpl telnet",
"suspicious path",
"busybox",
"tcp syn",
"et telnet",
"path",
"mirai",
"filehash",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"america",
"ck id",
"name tactics",
"suspicious",
"informative",
"learn",
"t1179 hooking",
"installs",
"t1035 service",
"adversaries",
"msie",
"windows nt",
"slcc2",
"media center",
"y013",
"flag",
"span",
"accept",
"core",
"february",
"hybrid",
"malicious",
"general",
"click",
"strings",
"roboto",
"next",
"usa windows",
"finished",
"queueprogress",
"timestamp input",
"threat level",
"october",
"september",
"hwp support",
"fresh",
"win64",
"khtml",
"gecko",
"brand",
"microsoft edge",
"programfiles",
"comspec",
"model",
"iframe",
"form",
"listeners",
"initial access",
"t1590 gather",
"victim network",
"ssl certificate",
"quasi government",
"jeffrey reimer",
"palantir",
"Regis university",
"otx hp",
"apple",
"pegasus",
"h5 data center",
"florence colorado",
"brian sabey",
"target : Tsara Brasheaers",
"aig",
"industry and commerce",
"united states",
"State of Colorado.",
"date",
"status",
"domain",
"hostname add",
"pulse pulses",
"files ip",
"address",
"url https",
"url http",
"hostname",
"show",
"type indicator",
"source hostname",
"entries",
"Prometheus Intelligence Technology",
"pulse submit",
"america flag",
"body",
"dynamicloader",
"microsoft azure",
"tls issuing",
"named pipe",
"json",
"ascii text",
"lredmond",
"Apple",
"Telnet",
"BusyBox",
"Pegasus",
"Colorado State Fixer: Christopher P. Ahmann",
"Hijacker: Brian Sabey",
"For: Concentra",
"Protecting Assaulter: Jeffrey Reimer",
"For: AIG",
"For Industry and Commerce",
"For: Quasi Government",
"For: Workers Compensation",
"Authorities",
"Law Enforcement Dark",
"Silencing",
"Tampering with a Victim",
"Meta",
"Palantir",
"Google",
"Bing",
"Microsoft",
"ColoCrossing",
"Associates",
"hit men"
],
"references": [
"ET Telnet | https://www.colocrossing.com | velocity servers",
"https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives",
"TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host",
"Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)",
"(legitimate services will remain up-and-running usually) High | ID dead_host",
"ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0",
"IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login",
"Yara Detections is__elf",
"Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"Yara Detections is__elf , ELFHighEntropy , elf_empty_sections",
"http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/",
"https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l",
"https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!",
"https://www.colocrossing.com/",
"(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.",
"In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov",
"104.21.51.140, 172.67.181.41",
"Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot",
"stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe",
"Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download",
"Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration",
"IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192",
"IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82",
"Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com",
"This is hard to comprehend or put into indelible words."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.DarkNexus-7679166-0",
"display_name": "Unix.Trojan.DarkNexus-7679166-0",
"target": null
},
{
"id": "HackTool:MSIL/Boilod.C!bit",
"display_name": "HackTool:MSIL/Boilod.C!bit",
"target": "/malware/HackTool:MSIL/Boilod.C!bit"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1204.002",
"name": "Malicious File",
"display_name": "T1204.002 - Malicious File"
},
{
"id": "T1462",
"name": "Malicious Software Development Tools",
"display_name": "T1462 - Malicious Software Development Tools"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Technology",
"Healthcare",
"Insurance",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6390,
"domain": 723,
"hostname": 1978,
"FileHash-SHA256": 1912,
"FileHash-MD5": 410,
"FileHash-SHA1": 306,
"email": 3,
"SSLCertFingerprint": 28,
"CVE": 3
},
"indicator_count": 11753,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "76 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6935c92c5fc93fd873c6aa6d",
"name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)",
"description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727",
"modified": "2026-01-06T18:04:02.620000",
"created": "2025-12-07T18:36:28.055000",
"tags": [
"memcommit",
"read c",
"t1082",
"cryptexportkey",
"invalid pointer",
"write",
"msil",
"malware",
"media",
"autorun",
"countries",
"united",
"america",
"high defense",
"evasion",
"t1055",
"ck technique",
"technique id",
"allocates",
"potential code",
"attempts",
"threatintel",
"dark web",
"coinbasecartel",
"ransomware",
"osint",
"tor",
"data breach",
"cinvestav",
"ai generated",
"ransomware leak",
"page",
"november",
"investigacin y",
"nacional",
"mexican",
"mexico",
"present nov",
"verdana",
"td tr",
"passive dns",
"ip address",
"urls",
"aaaa",
"present may",
"present oct",
"present jul",
"virtool",
"present sep",
"present jun",
"win32",
"default",
"unicode",
"png image",
"rgba",
"high",
"dock",
"execution",
"xport",
"unknown",
"data upload",
"extraction",
"will",
"data",
"name cloudflare",
"hostmaster name",
"org cloudflare",
"townsend st",
"city san",
"us creation",
"kelihos",
"ipv4",
"present dec",
"files",
"domain",
"search",
"hostname",
"verdict",
"location united",
"asn as16625",
"akamai",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results nov",
"present aug",
"backdoor",
"msie",
"chrome",
"trojan",
"mtb aug",
"worm",
"cryp",
"junkpoly",
"twitter",
"trojandropper",
"title",
"germany unknown",
"ipv4 add",
"pulse pulses",
"hosting",
"reverse dns",
"cologne",
"search engine",
"gse compromised",
"redacted for",
"privacy admin",
"privacy tech",
"server",
"organization",
"street",
"city",
"stateprovince",
"postal code",
"country",
"resolver domain",
"cape sa",
"virustot",
"type pdf",
"name",
"lookups",
"email abuse",
"historical ssl",
"certificates",
"first",
"graph summary",
"cname",
"address",
"ip2location",
"bogon ip",
"admin",
"network",
"wifi password",
"ssid",
"demo",
"details",
"failed",
"include review",
"exclude sugges",
"onlv",
"x try",
"find s",
"typ url",
"url data",
"severity att",
"module load",
"icmp traffic",
"dns query",
"t1055 jseval",
"windows nt",
"port",
"entries",
"destination",
"medium",
"show",
"pecompact",
"june",
"service",
"next",
"xserver",
"encrypt",
"t1129",
"windows module",
"dlls",
"convention",
"windows native"
],
"references": [
"Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS",
"Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"hallplan.vm05.iveins.de",
"https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c",
"Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx",
"Name : iveins.de Service : connect",
"https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com",
"phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com",
"https://otx.alienvault.com/indicator/cve/CVE-2025-11727"
],
"public": 1,
"adversary": "COINBASECARTEL",
"targeted_countries": [
"United States of America",
"Sweden",
"Bangladesh",
"Japan"
],
"malware_families": [
{
"id": "Trojan:Win32/Tiggre!rfn",
"display_name": "Trojan:Win32/Tiggre!rfn",
"target": "/malware/Trojan:Win32/Tiggre!rfn"
},
{
"id": "MSIL:Agent-DQ\\ [Trj]",
"display_name": "MSIL:Agent-DQ\\ [Trj]",
"target": null
},
{
"id": "VirTool:MSIL/Covent.A",
"display_name": "VirTool:MSIL/Covent.A",
"target": "/malware/VirTool:MSIL/Covent.A"
},
{
"id": "Trojan:Win32/Pynamer!rfn",
"display_name": "Trojan:Win32/Pynamer!rfn",
"target": "/malware/Trojan:Win32/Pynamer!rfn"
},
{
"id": "Win64:TrojanX",
"display_name": "Win64:TrojanX",
"target": null
},
{
"id": "VirTool:MSIL/Covent",
"display_name": "VirTool:MSIL/Covent",
"target": "/malware/VirTool:MSIL/Covent"
},
{
"id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "Kelihos",
"display_name": "Kelihos",
"target": null
},
{
"id": "CVE-2025-11727",
"display_name": "CVE-2025-11727",
"target": null
},
{
"id": "Exploit:JS/CVE-2014-0322",
"display_name": "Exploit:JS/CVE-2014-0322",
"target": "/malware/Exploit:JS/CVE-2014-0322"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
}
],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 144,
"FileHash-SHA1": 117,
"FileHash-SHA256": 1746,
"URL": 5018,
"hostname": 1827,
"domain": 1072,
"CVE": 3,
"email": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9938,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692e2d950ac7d1e2a3454a4f",
"name": "Gooogle Accounts | Drive-by Compromise \u2022 Ransomware \u2022 Phishing Attack",
"description": "Google accounts Drive-by Compromise. Affected Google accounts redirects to a suspicious non - Google homepage. |\nRansomware | Adware | Phishing | Injection | \nExploits seen affecting both OS and iOS devices. Threat actors able to remotely access iOS device, unlock, access iCloud. System root control, fully infected devices, Attackers continue to ravage devices w/ drive by compromise, unsafe adware, malware text, etc., Seeks to remove malicious IoC\u2019s on mock accounts , password stealers",
"modified": "2025-12-31T23:04:59.378000",
"created": "2025-12-02T00:06:45.807000",
"tags": [
"iocs",
"drop",
"network traffic",
"ck id",
"mitre att",
"ck matrix",
"network related",
"detected",
"t1566",
"t1204",
"united",
"click",
"windir",
"openurl c",
"prefetch2",
"tor analysis",
"dns requests",
"learn",
"suspicious",
"informative",
"name tactics",
"adversaries",
"command",
"initial access",
"spawns",
"found",
"binary file",
"t1189",
"regsetvalueexa",
"regdword",
"post http",
"medium",
"high",
"regbinary",
"loader",
"dock",
"write",
"malware",
"unknown",
"romania unknown",
"present may",
"msie",
"chrome",
"body",
"passive dns",
"ip address",
"present jun",
"welcome",
"accept",
"encrypt",
"gmt content",
"ipv4 add",
"url analysis",
"urls",
"files",
"reverse dns",
"unknown aaaa",
"certificate",
"hostname add",
"error",
"flag",
"domain address",
"contacted hosts",
"type",
"india unknown",
"record value",
"body html",
"head title",
"title",
"entries",
"read c",
"high defense",
"evasion",
"yara detections",
"virtool",
"win32",
"ahmann",
"hacker group",
"law firm",
"order",
"google",
"smart assembly"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "VirTool:MSIL/Injector.BF",
"display_name": "VirTool:MSIL/Injector.BF",
"target": "/malware/VirTool:MSIL/Injector.BF"
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1087",
"name": "Account Discovery",
"display_name": "T1087 - Account Discovery"
},
{
"id": "T1087.003",
"name": "Email Account",
"display_name": "T1087.003 - Email Account"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 115,
"FileHash-SHA1": 112,
"FileHash-SHA256": 589,
"URL": 1795,
"SSLCertFingerprint": 3,
"domain": 319,
"hostname": 847,
"email": 1
},
"indicator_count": 3781,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692d400f81164107d98922db",
"name": "Injector.BO : DNS Reply Sinkhole via Phishing emails , texts , drives or malicious links",
"description": "\"Phishing threat: This is a phishing website that impersonates a trusted website to trick you into revealing personal or financial information.\";var L_MalwareThreat_TEXT = \"Malicious software threat: This site contains links to viruses or other software programs that can reveal personal information stored or typed on your computer to malicious persons",
"modified": "2025-12-31T06:01:00.551000",
"created": "2025-12-01T07:13:19.659000",
"tags": [
"url http",
"url https",
"urls",
"files",
"address",
"asn as400519",
"united states",
"info geo",
"united",
"as400519",
"us note",
"route",
"ipv4",
"live",
"superdata",
"viet nam",
"cisco umbrella",
"sectigo rsa",
"secure",
"google safe",
"browsing",
"current dns",
"a record",
"input",
"closenotify",
"phpsessid value",
"source level",
"url text",
"general full",
"protocol h2",
"security tls",
"ecdhersa",
"asn45544",
"reverse dns",
"resource",
"hash",
"as45544",
"vn note",
"backdoor",
"generic",
"cnc activity",
"passive dns",
"ipv4 add",
"company limited",
"dnssec",
"hostname add",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"t1480 execution",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"ip address",
"vietnam",
"location viet",
"nam flag",
"urlhttp",
"extracted files",
"unicode text",
"utf8 text",
"lowfihstr",
"trojan",
"mtb trojan",
"spawns",
"found",
"process details",
"flag",
"contacted",
"xb6x04x00",
"t1055",
"search",
"read c",
"cnlolcat",
"microsoft",
"medium",
"entries",
"unknown",
"virtool",
"malware",
"copy",
"write",
"win32",
"next",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"china unknown",
"creation date",
"body",
"please",
"x msedge",
"tracking"
],
"references": [
"anonsecbotnet.cameraddns.net",
"https://api.playit.gg/agents/routing/get",
"http://www.google.com-viruswall1-source-cloud-computing-services-distribution.cpdev.dyson.cn/",
"https://www.endgamesystems.com/",
"IDS Detections : DNS Rep Sinkhole - Microsoft - 199.2.137.0/24"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:MSIL/Ranos.A",
"display_name": "Trojan:MSIL/Ranos.A",
"target": "/malware/Trojan:MSIL/Ranos.A"
},
{
"id": "Trojan:MSIL/ClipBanker.GC!MTB",
"display_name": "Trojan:MSIL/ClipBanker.GC!MTB",
"target": "/malware/Trojan:MSIL/ClipBanker.GC!MTB"
},
{
"id": "Win.Packed.Msilperseus-9956592-0",
"display_name": "Win.Packed.Msilperseus-9956592-0",
"target": null
},
{
"id": "ALF:Backdoor:MSIL/Noancooe.",
"display_name": "ALF:Backdoor:MSIL/Noancooe.",
"target": null
},
{
"id": "Win.Trojan.Generic-6417450-0",
"display_name": "Win.Trojan.Generic-6417450-0",
"target": null
},
{
"id": "Win.Packed.Bladabindi-6872770-0",
"display_name": "Win.Packed.Bladabindi-6872770-0",
"target": null
},
{
"id": "#LowFiHSTR:MSIL/Confuser",
"display_name": "#LowFiHSTR:MSIL/Confuser",
"target": "/malware/#LowFiHSTR:MSIL/Confuser"
},
{
"id": "Win.Dropper.njRAT-10015886-0",
"display_name": "Win.Dropper.njRAT-10015886-0",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AP",
"display_name": "Backdoor:MSIL/Bladabindi.AP",
"target": "/malware/Backdoor:MSIL/Bladabindi.AP"
},
{
"id": "Win.Packed.Generic-9795615-0",
"display_name": "Win.Packed.Generic-9795615-0",
"target": null
},
{
"id": "Win.Packed.Generic-9795615-0",
"display_name": "Win.Packed.Generic-9795615-0",
"target": null
},
{
"id": "Win.Packed.Fecn-7077459-0",
"display_name": "Win.Packed.Fecn-7077459-0",
"target": null
},
{
"id": "Win.Packed.Marsilia-10021147-0",
"display_name": "Win.Packed.Marsilia-10021147-0",
"target": null
},
{
"id": "VirTool:Win32/Injector.BO",
"display_name": "VirTool:Win32/Injector.BO",
"target": "/malware/VirTool:Win32/Injector.BO"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1578.001",
"name": "Create Snapshot",
"display_name": "T1578.001 - Create Snapshot"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1610,
"domain": 147,
"hostname": 501,
"FileHash-SHA256": 384,
"CIDR": 3,
"FileHash-MD5": 79,
"FileHash-SHA1": 77,
"email": 3,
"SSLCertFingerprint": 1
},
"indicator_count": 2805,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "109 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6916dc43beba2f3839fd7c36",
"name": "Ransomware | FIREEYE.COM redirects to www.TRELLIX.com",
"description": "FireEye appears to have been a Cybersecurity that now redirects to www.trellix.com. Seen before in a malicious MO.gov w/names of 2 \u2018alleged\u2019 female SA victims. I researched was without realizing it was a CySec.We have researched Trellix , found it to be malicious ; reported false information / documentation. FEDNS1.FIREEYE.COM URL is still found in several searches. So we researched it.\nRe: Safebae the other Mo. Gov SA URL found a\u2019. \u2018non profit\u2019 for Catherine \u2018Daisy\u2019 Coleman that isn\u2019t in any way related to her. It makes me believe it\u2019s could be related to Bae systems a collaboration with Peter Thiel's company Palantir, which provides data analytics software to governments and militaries. Significance: This partnership showcases the convergence of American tech innovation and traditional defense contracting, involving companies like Palantir and BAE Systems. \n\n#foundry #josht _ca #hostile #advesarial #contacted_hosts #safebae_or_bae_systems? #honeypotbot # fireeye #trellix",
"modified": "2025-12-14T05:04:31.480000",
"created": "2025-11-14T07:37:39.794000",
"tags": [
"gmt content",
"related tags",
"found title",
"cache control",
"x request",
"runtime",
"vary",
"reverse dns",
"ashburn",
"resource",
"verdict",
"address",
"read c",
"unicode",
"high",
"memcommit",
"delete",
"dock",
"write",
"execution",
"next associated",
"server response",
"port",
"destination",
"crlf line",
"malware",
"png image",
"rgba",
"united states",
"medium",
"encrypt",
"america",
"msie",
"unknown",
"present jan",
"name servers",
"present oct",
"present may",
"present mar",
"present dec",
"present nov",
"united",
"present apr",
"present jun",
"urls show",
"url hostname",
"ip address",
"google safe",
"results jun",
"canada unknown",
"passive dns",
"canada",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"twitter",
"chrome",
"urls",
"files",
"asn as13335",
"dns resolutions",
"trojan",
"trojanspy",
"win32",
"title",
"servers",
"unknown ns",
"domain",
"present aug",
"present sep",
"files domain",
"files related",
"none google",
"safe browsing",
"unknown aaaa",
"moved",
"cloudfront x",
"meta",
"ip whois",
"registrar",
"hostname",
"files ip",
"ipv4 add",
"location united",
"america flag",
"america asn",
"present jul",
"virtool",
"record value",
"dnssec",
"meta http",
"content",
"gmt server",
"litespeed x",
"present feb",
"write c",
"as62597 nsone",
"as16509",
"module load",
"t1129",
"service",
"dynamicloader",
"windows",
"tofsee",
"stream",
"hostile",
"win64",
"delete c",
"all ipv4",
"url analysis",
"status",
"error",
"aaaa",
"ireland unknown",
"asn as14618",
"backdoor",
"a domains",
"russia",
"mtb nov",
"ransom",
"displayname",
"push",
"yara rule",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"rndchar",
"checks",
"checks system",
"filehash",
"av detections",
"ids detections",
"yara detections",
"learn",
"command",
"adversaries",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"found",
"ssl certificate",
"flag",
"server",
"cloudflare",
"csc corporate",
"domains",
"fireeye",
"contacted hosts",
"mitre att",
"pattern match",
"ck matrix",
"hybrid",
"local",
"path",
"click",
"strings",
"foundry",
"josht.ca",
"paid parking",
"parking crews"
],
"references": [
"Fireye - FEDNS1.FIREEYE.COM",
"http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==",
"http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
"https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
"https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356",
"http://p2d.josht.ca/assets/content-delivery/depots/download",
"test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca",
"http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/",
"https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022",
"https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/",
"https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg",
"https://p2d.josht.ca/api/depots/info/?depot=",
"https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/",
"Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.",
"According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021",
"Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?",
"Daisy was allegedly brutally assaulted by Matthew Barnett,",
"Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.",
"Is that where they\u2019re getting these names? Rexxfield.com. SMH",
"There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.",
"According to accounts she was afraid for her life , found to be safe then took her own life?",
"Typing a suicide note on social media is suspicious since it could come from your murderer.",
"So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?",
"Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.",
"and our limited information, is Daisy a victim or a crisis actor?",
"Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me",
"Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.",
"Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)",
"Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.",
"FireEye was there in 2 year old pulse now removed? I\u2019ll find it."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7617,
"domain": 1127,
"hostname": 3591,
"email": 9,
"FileHash-SHA256": 1160,
"FileHash-MD5": 481,
"FileHash-SHA1": 404,
"SSLCertFingerprint": 13,
"CVE": 1
},
"indicator_count": 14403,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "126 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://otx.alienvault.com/indicator/ip/3.163.24.10",
"http://help.aiseesoft.jp/total-video-converter",
"nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au",
"http://help.aiseesoft.jp/total-video-converter/",
"ASP. NET",
"FireEye was there in 2 year old pulse now removed? I\u2019ll find it.",
"https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg",
"https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives",
"http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/",
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29",
"File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..",
"this.target",
"Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)",
"Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx",
"IDS Detections : DNS Rep Sinkhole - Microsoft - 199.2.137.0/24",
"IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227",
"Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.",
"www.phantomcameras.cn",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"Name : iveins.de Service : connect",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"https://feedback.ptv.vic.gov.au/360",
"http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF",
"Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot",
"FileHash-SHA256\t9f66cab9d7c581cf2dd28b6ae3178bb3d38975ff257c3ffb67c3e89d0f7135ee",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"(legitimate services will remain up-and-running usually) High | ID dead_host",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"I apologize for the lack of reference.",
"https://otx.alienvault.com/indicator/url/https://pegasus.pahamify.com/",
"https://otx.alienvault.com/indicator/cve/CVE-2025-11727",
"External Hosts: 52.57.183.74\t access.pcspeedcat.com\taccess.pcspeedcat.com\tGermany\tAS16509 amazon.com inc\taccess.pcspeedcat.com Germany AS16509 amazon.",
"Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit",
"\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device",
"Malicious Application Development: herokuappdev.com (Patter match 8 years +)",
"Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download",
"Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer",
"Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.",
"phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com",
"Yara Detections is__elf",
"pcup.gov.ph:",
"External Hosts: 3.163.24.10\t www.pcspeedcat.com\twww.pcspeedcat.com\tUnited States ASNone",
"https://api.playit.gg/agents/routing/get",
"Fireye - FEDNS1.FIREEYE.COM",
"In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov",
"https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/",
"IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192",
"http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==",
"Typing a suicide note on social media is suspicious since it could come from your murderer.",
"http://firstmile.digitecgalaxus.ch",
"nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au",
"Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org",
"www.apple.com \u2022 23.34.32.199",
"https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file",
"inst.govelopscold.com",
"http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/",
"https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw",
"search.roi.ros.gov.uk",
"Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?",
"https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"Tulach.cc",
"Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?",
"https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com",
"https://prod.centurylinktechnology.com",
"hallplan.vm05.iveins.de",
"virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"ET Telnet | https://www.colocrossing.com | velocity servers",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94",
"7box.vip",
"stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"http://help.aiseesoft.jp/blu-ray-player",
"Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows",
"Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.",
"It appears there are 5-7 known affected that I was able to find",
"https://brand2.centurylinktechnology.com",
"Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me",
"1.bing.com.cn",
"Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.",
"Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.",
"dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell",
"https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:",
"podcasts.apple.com \u2022 23.34.32.21",
"Is that where they\u2019re getting these names? Rexxfield.com. SMH",
"Yare: compromised_site_redirector_fromcharcode",
"Yara Detections compromised_site_redirector_fromcharcode , Delphi",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht",
"cedevice.io \u2022 decagonsoftware.com",
"https://clockoutbox.es/password",
"https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!",
"biblegateway.comwww.biblegateway.com \u2022 www.biblegateway.com",
"Requires further research.",
"https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:",
"Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad",
"track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software",
"https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"114.114.114.114 = Tulach",
"http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
"Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_",
"There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Alerts: console_output has_pdb pe_unknown_resource_name",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/",
"https://action.aiseesoft.jp/itunes.php",
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"https://otx.alienvault.com/indicator/hostname/pegasus.pahamify.com",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"http://p2d.josht.ca/assets/content-delivery/depots/download",
"IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login",
"http://test-firstmile.digitecgalaxus.ch",
"Alerts: windows_utilities antivm_memory_available pe_features raises_exception",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f",
"Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"https://securityaffairs.com/144927/cyber-crime~#",
"Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx",
"https://podcasts.apple.com/us/podcast/lazarus",
"http://www.google.com-viruswall1-source-cloud-computing-services-distribution.cpdev.dyson.cn/",
"https://www.endgamesystems.com/",
"Daisy was allegedly brutally assaulted by Matthew Barnett,",
"Tipped: A targets AI and other cyber research findings.",
"amazon.com \u2022 pki.goog \u2022 google-analytics.com",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"https://palapa.c.id\t (c.id)",
"This is hard to comprehend or put into indelible words.",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:",
"Denver, US 80211 http://library.verizon.onereach.ai",
"http://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"developer.x.com",
"Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com",
"A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.",
"According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021",
"anonsecbotnet.cameraddns.net",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://www.colocrossing.com/",
"UPX_OEP_place",
"https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"https://brand.centurylinktechnology.com",
"Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"https://l.us-1.a.mimecastprotect.com/l",
"TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host",
"https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com",
"http://help.aiseesoft.jp/fonelab/",
"http://cr-malware.testpanw.com/url",
"According to accounts she was afraid for her life , found to be safe then took her own life?",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://mobile-pocket-guide.centurylinktechnology.com",
"Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration",
"Same legal , and quasi governmental pattern identified",
"asp.net domain pointer",
"Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com",
"Alerts: network_icmp nolookup_communication js_eval recon_fingerprint",
"https://elegantcosmedampyeah.pages.dev/",
"https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022",
"pegasuspartners.followupboss.com",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.",
"https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/",
"and our limited information, is Daisy a victim or a crisis actor?",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"direwolf-8b1a1bc476.staging.herokuappdev.com",
"104.21.51.140, 172.67.181.41",
"authrootstl.cab common file extension",
"div>
",
"https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356",
"aotx.alienvault.com (aotx.?)",
"Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"https://p2d.josht.ca/api/depots/info/?depot=",
"https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html",
"IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg",
"Yara Detections is__elf , ELFHighEntropy , elf_empty_sections",
"Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"Malicious Application Development: herokuappdev.com (pattern matching spans 8+ years)",
"IDS Detections: Query to a *.pw domain - Likely Hostile",
"Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog",
"ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0",
"cdn.rss.applemarketingtools.com"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"COINBASECARTEL"
],
"malware_families": [
"Virtool:win32/injector.bo",
"Alf:backdoor:msil/noancooe.",
"Worm:win32/autorun!atmn",
"Tofsee attack",
"Pws:win32/axespec.a",
"Other malware",
"Virtool:msil/covent.a",
"Pegasus",
"Win.dropper.njrat-10015886-0",
"Icedid",
"Trojan:msil/clipbanker.gc!mtb",
"Alf:jasyp:trojan:win32/ircbot!atmn",
"Mirai",
"#lowfihstr:msil/confuser",
"Virtool:msil/covent",
"Win.packed.marsilia-10021147-0",
"Unix.trojan.darknexus-7679166-0",
"Win64:trojanx",
"Win32:malware",
"Worm:win32/lightmoon.h",
"Win.packed.msilperseus-9956592-0",
"Win.malware.speedcat-6957425",
"Cve-2025-11727",
"#lowfi:hstr:msil/obfuscator.deepsea",
"Trojan:win32/smkldr.h!mtb",
"Msil:agent-dq\\ [trj]",
"Trojan:win32/pynamer!rfn",
"Trojan:o97m/madeba.a!det",
"Kelihos",
"Trojan:msil/ranos.a",
"Win.trojan.generic-6417450-0",
"Win.packed.fecn-7077459-0",
"#lowfi:lua:dllsuspiciousexport.a",
"Win.packed.generic-9795615-0",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Tulach",
"Tofsee",
"Trojan.tofsee/botx",
"Virtool:msil/injector.bf",
"Exploit:js/cve-2014-0322",
"Win.malware.generic-9871124-0",
"Mydoom",
"Hacktool:msil/boilod.c!bit",
"Backdoor:msil/bladabindi.ap",
"Ransomware",
"Win.packed.bladabindi-6872770-0",
"Zbot",
"Alf:hacktool:msil/heartsender.a",
"Trojan:win32/tiggre!rfn",
"Alf:trojan:win64/psbanker"
],
"industries": [
"Legal",
"Civil society",
"Insurance",
"Education",
"Telecom",
"Healthcare",
"Technology",
"Telecommunications"
],
"unique_indicators": 96008
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/decagonsoftware.com",
"whois": "http://whois.domaintools.com/decagonsoftware.com",
"domain": "decagonsoftware.com",
"hostname": "erp.p510.decagonsoftware.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 14,
"pulses": [
{
"id": "69ddeb45c45f6a3cd721397d",
"name": "Active attacks \u2022 Apple \u2022 Tulach",
"description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious",
"modified": "2026-04-14T07:22:45.250000",
"created": "2026-04-14T07:22:45.250000",
"tags": [
"url http",
"ipv4",
"indicator role",
"active related",
"united",
"moved",
"gmt content",
"certificate",
"all domain",
"msie",
"chrome",
"extraction",
"data upload",
"twitter",
"cookie",
"extra",
"include data",
"review locs",
"exclude",
"suggested os",
"onlv",
"failed",
"stop data",
"read c",
"unicode",
"rgba",
"memcommit",
"delete",
"dock",
"write",
"execution",
"sc type",
"extri",
"include review",
"exclude sugges",
"typ data",
"a domains",
"present apr",
"script urls",
"files",
"files ip",
"address",
"ios",
"mac",
"apple",
"appleid",
"itunes",
"next associated",
"all ipv4",
"included ic",
"uny teade",
"type hostnar",
"hostnar hostnar",
"hostnar",
"macair",
"macairaustralia",
"ipad",
"ipod",
"cryptexportkey",
"invalid pointer",
"cryptgenkey",
"stream",
"defender",
"delphi",
"class",
"stack",
"format",
"unknown",
"united states",
"phishing",
"password",
"traffic redirected",
"service mod",
"service execution",
"youtube",
"music",
"streams",
"songs",
"played songs",
"music streams",
"most played",
"fonelab",
"indicator",
"included iocs",
"manually add",
"review ocs",
"exclude inn",
"sugges data",
"find",
"include",
"url https",
"enter sc",
"type",
"no matchme",
"search otx",
"https",
"references x",
"analyze",
"open th",
"url data",
"se http",
"no match",
"excluded iocs",
"iocs",
"ip whitelisted",
"whitelisted",
"tcp include",
"analysis date",
"file score",
"medium risk",
"yara detections",
"contacted",
"related tags",
"x vercel",
"file type",
"type indicator",
"role title",
"related pulses",
"mulch virtua",
"library loade",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugt",
"samuel tulach",
"unity engine",
"tulach",
"sa awareness",
"sabey",
"sar cut",
"autofill",
"includer review",
"portiana oney",
"targeting",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"musickit_1_.js",
"lazarus",
"injection",
"CVE-2017-8570",
"prefetch2",
"target",
"aaaa",
"ip address",
"record value",
"emails",
"samuel tuachs",
"sapev",
"review exclude",
"monitored target",
"script",
"mitre att",
"ascii text",
"span",
"path",
"iframe",
"april",
"hybrid",
"general",
"local",
"click",
"strings",
"body",
"development att",
"t1055.012 list planting",
"active"
],
"references": [
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"https://podcasts.apple.com/us/podcast/lazarus",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://help.aiseesoft.jp/blu-ray-player",
"http://help.aiseesoft.jp/fonelab/",
"https://action.aiseesoft.jp/itunes.php",
"http://help.aiseesoft.jp/total-video-converter",
"http://help.aiseesoft.jp/total-video-converter/",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"http://test-firstmile.digitecgalaxus.ch",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"cdn.rss.applemarketingtools.com",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"1.bing.com.cn",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"www.phantomcameras.cn",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"podcasts.apple.com \u2022 23.34.32.21",
"www.apple.com \u2022 23.34.32.199",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"http://firstmile.digitecgalaxus.ch",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"Tulach.cc",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"asp.net domain pointer",
"developer.x.com",
"aotx.alienvault.com (aotx.?)",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1020.001",
"name": "Traffic Duplication",
"display_name": "T1020.001 - Traffic Duplication"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591.002",
"name": "Business Relationships",
"display_name": "T1591.002 - Business Relationships"
},
{
"id": "T1591.001",
"name": "Determine Physical Locations",
"display_name": "T1591.001 - Determine Physical Locations"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1029,
"domain": 396,
"email": 7,
"URL": 2784,
"FileHash-SHA256": 898,
"FileHash-MD5": 79,
"FileHash-SHA1": 68,
"IPv4": 35,
"CVE": 1,
"SSLCertFingerprint": 13
},
"indicator_count": 5310,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69dc04c12782d2d76c111a93",
"name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked",
"description": "",
"modified": "2026-04-12T20:46:57.338000",
"created": "2026-04-12T20:46:57.338000",
"tags": [
"indicator role",
"active related",
"ck ids",
"files",
"information",
"discovery",
"mitre att",
"pattern match",
"ck id",
"ck matrix",
"ascii text",
"united",
"binary file",
"april",
"hybrid",
"apikey",
"general",
"local",
"path",
"iframe",
"click",
"protocol",
"learn",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"execution att",
"related pulses",
"dll read",
"function read",
"icmp traffic",
"machineguid",
"systembiosdate",
"total",
"read",
"write",
"network_icmp",
"js_eval",
"recon_fingerprint",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"tls handshake",
"execution",
"dock",
"persistence",
"malware",
"unknown",
"neue",
"certificate",
"error",
"scans show",
"record value",
"title site",
"servers",
"emails",
"all hostname",
"dnsadmin",
"data upload",
"extraction",
"failed",
"include review",
"exclude sugges",
"find s",
"typ no",
"active",
"urls",
"ip address",
"asn as54113",
"registrar",
"wscript",
"united states",
"stcalifornia",
"lmountain view",
"ogoogle llc",
"ogoogle trust",
"cngts ca",
"whitelisted",
"as15169",
"hostile",
"crash",
"contacted",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"detections alf",
"hostile yara",
"detections none",
"less ip",
"domains",
"ms windows",
"intel",
"pe32",
"regsetvalueexa",
"langturkish",
"sublangdefault",
"port",
"destination",
"entries",
"worm",
"delphi",
"win32",
"body",
"explorer",
"defender",
"regdword",
"false",
"true",
"end sub",
"object",
"createobject",
"sheetschanged",
"private sub",
"string",
"boolean",
"cancel",
"trojan",
"copy",
"query",
"dns update",
"useragent",
"myapp",
"delphi alerts",
"alerts deadhost",
"women who code",
"tulach",
"114.114.114.114",
"samuel",
"brian sabey"
],
"references": [
"https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file",
"this.target",
"c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1",
"amazon.com \u2022 pki.goog \u2022 google-analytics.com",
"authrootstl.cab common file extension",
"dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell",
"https://securityaffairs.com/144927/cyber-crime~#",
"https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html",
"virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com",
"https://clockoutbox.es/password",
"http://cr-malware.testpanw.com/url",
"IDS Detections: Query to a *.pw domain - Likely Hostile",
"Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer",
"Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows",
"Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_",
"Alerts: windows_utilities antivm_memory_available pe_features raises_exception",
"IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227",
"IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94",
"Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog",
"Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com",
"Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw",
"Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections compromised_site_redirector_fromcharcode , Delphi",
"Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad",
"Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx",
"IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29",
"Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org",
"Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com",
"114.114.114.114 = Tulach"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:Trojan:Win64/PsBanker",
"display_name": "ALF:Trojan:Win64/PsBanker",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Trojan:O97M/Madeba.A!det",
"display_name": "Trojan:O97M/Madeba.A!det",
"target": "/malware/Trojan:O97M/Madeba.A!det"
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1114,
"hostname": 594,
"domain": 200,
"FileHash-SHA256": 2379,
"FileHash-MD5": 426,
"FileHash-SHA1": 259,
"IPv4": 322,
"SSLCertFingerprint": 24,
"email": 2,
"IPv6": 1
},
"indicator_count": 5321,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "6 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a1a73eb0578b92962dae97",
"name": "FBI Link (Ransomware)sent to a device. opened on its own. Why?",
"description": "I wouldn\u2019t typically search an alleged authentic government site , except it opened on a device, no prompt. TrojanDownloader:Win32/Dalexis!rfn!rfn\nIDS Detections\nMaktub Locker TOR Status Check\nTOR Consensus Data Requested\nTOR 1.0 Server Key Retrieval\nTor Get Server Request\nTLS Handshake Failure\nYara Detections\nstack_string\nWho is : [URL\n[https://tor-dirauth.sebastianhahn.net/]\n[https://tor.sebastianhahn.net]\n[tor-dirauth.sebastianhahn.net]\n->gitbot.faui2k9.de\n[Status faui2k9.de -connect] connects to device \n100% Malicious | https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70 | [External resources discovered in HTML content:\ndap.digitalgov.gov | Pattern match: \"fbi.gov/contact-us/field-offices/denver/news/pr\"\nHeuristic match: \"x.com\" | will revisit",
"modified": "2026-03-29T13:04:34.750000",
"created": "2026-02-27T14:16:30.498000",
"tags": [
"regopenkeyexw",
"port",
"destination",
"cryptexportkey",
"search",
"show",
"entries",
"windows nt",
"regsetvalueexa",
"ip address",
"malware",
"copy",
"write",
"win32",
"next",
"format",
"contacted",
"less ip",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"date",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"february",
"failed",
"enter",
"data upload",
"passive dns",
"urls",
"aaaa",
"certificate",
"otx logo",
"all hostname",
"pulse submit",
"url analysis",
"files",
"domain",
"title",
"body",
"encrypt",
"netherlands",
"gmt content",
"all ipv4",
"amsterdam",
"hetzner online",
"gmbh",
"summary",
"url age",
"de seen",
"general info",
"geo germany",
"as as24940",
"de note",
"route",
"direct",
"pro platform",
"logs",
"suricata alert",
"et info",
"tls handshake",
"bad traffic",
"suricata alerts",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"size",
"sha256",
"pattern match",
"ascii text",
"mitre att",
"ck id",
"path",
"unknown",
"stop",
"root",
"hybrid",
"general",
"local",
"form",
"click",
"strings",
"9999",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"command",
"defense evasion",
"spawns",
"found",
"show technique",
"ck matrix",
"href",
"antivirus",
"maktub locker",
"tor status",
"check"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1129,
"domain": 148,
"hostname": 753,
"FileHash-SHA256": 548,
"FileHash-MD5": 90,
"FileHash-SHA1": 71,
"SSLCertFingerprint": 8,
"CIDR": 1,
"email": 4
},
"indicator_count": 2752,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "21 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "697cdce9ec418c422eee2054",
"name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019",
"description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.",
"modified": "2026-03-01T16:05:57.375000",
"created": "2026-01-30T16:31:37.011000",
"tags": [
"url https",
"url http",
"tlsv1",
"whitelisted",
"united",
"read c",
"as15169",
"stcalifornia",
"execution",
"dock",
"write",
"persistence",
"malware",
"encrypt",
"active",
"lumen technologies",
"number",
"error",
"regexp",
"sxa0",
"amptoken",
"optout",
"retrieving",
"notfound",
"unknown",
"form",
"flash",
"backdoor",
"writeconsolew",
"yara detections",
"command line",
"pdb path",
"pe resource",
"internalname",
"windows command",
"A",
"aws",
"name servers",
"url analysis",
"passive dns",
"urls",
"data upload",
"extraction",
"palantir",
"c2",
"aerospace",
"tracking",
"spywatchdog",
"palapa-c2",
"communications satellite",
"amazon",
"hughesnet",
"icmp traffic",
"washington c",
"washington ou",
"mopr",
"mon jul",
"local",
"dynamic",
"apple",
"network",
"t1057",
"discovery",
"t1069",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1480",
"guardrails",
"t1566",
"present jan",
"unknown ns",
"ip address",
"dnssec",
"domain",
"dynamic dns",
"government",
"pcup",
"germany unknown",
"link",
"dns hosting",
"cloudns",
"cloud dns",
"a domains",
"ipv4 add",
"title",
"meta",
"class",
"servers",
"present aug",
"aaaa",
"present sep",
"present nov",
"present jul",
"present may",
"moved",
"canada unknown",
"begin",
"record value",
"gmt content",
"type",
"hostname add",
"files",
"ascii text",
"pattern match",
"href",
"mitre att",
"ck id",
"ck matrix",
"network traffic",
"et info",
"general",
"path",
"click",
"learn",
"command",
"name tactics",
"suspicious",
"informative",
"adversaries",
"input url",
"defense evasion",
"france",
"ireland",
"netherlands",
"denmark",
"united kingdom",
"type indicator",
"role title",
"added active",
"savvis",
"centurylinktechnology",
"hybrid analysis",
"monitoring tools",
"monitored target",
"triangulation",
"worm",
"intel",
"ms windows",
"pe32",
"write c",
"delete c",
"show",
"russia as47764",
"unix",
"lsan jose",
"odigicert inc",
"markus",
"url add",
"http",
"related nids",
"files location",
"russia flag",
"russia hostname",
"russia",
"russia unknown",
"hosting",
"federation flag",
"body",
"gmt vary",
"accept encoding",
"gmt cache",
"certificate",
"pulse submit",
"unknown aaaa",
"search",
"entries",
"script domains",
"script urls",
"pdx cf"
],
"references": [
"\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device",
"Yare: compromised_site_redirector_fromcharcode",
"Alerts: network_icmp nolookup_communication js_eval recon_fingerprint",
"Alerts: console_output has_pdb pe_unknown_resource_name",
"File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..",
"Tipped: A targets AI and other cyber research findings.",
"A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.",
"track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software",
"https://palapa.c.id\t (c.id)",
"Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com",
"cedevice.io \u2022 decagonsoftware.com",
"http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net",
"http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF",
"pcup.gov.ph:",
"http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:",
"https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:",
"https://elegantcosmedampyeah.pages.dev/",
"https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/",
"inst.govelopscold.com",
"https://feedback.ptv.vic.gov.au/360",
"nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au",
"nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au",
"https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d",
"https://brand.centurylinktechnology.com",
"https://prod.centurylinktechnology.com",
"https://brand2.centurylinktechnology.com",
"https://mobile-pocket-guide.centurylinktechnology.com",
"UPX_OEP_place",
"Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg",
"ASP. NET",
"https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:",
"7box.vip"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan.Tofsee/Botx",
"display_name": "Trojan.Tofsee/Botx",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "PWS:Win32/Axespec.A",
"display_name": "PWS:Win32/Axespec.A",
"target": "/malware/PWS:Win32/Axespec.A"
},
{
"id": "Worm:Win32/Lightmoon.H",
"display_name": "Worm:Win32/Lightmoon.H",
"target": "/malware/Worm:Win32/Lightmoon.H"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1439",
"name": "Eavesdrop on Insecure Network Communication",
"display_name": "T1439 - Eavesdrop on Insecure Network Communication"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1069.003",
"name": "Cloud Groups",
"display_name": "T1069.003 - Cloud Groups"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 102,
"FileHash-SHA1": 59,
"FileHash-SHA256": 1929,
"domain": 854,
"hostname": 2156,
"URL": 4475,
"SSLCertFingerprint": 9,
"email": 7,
"CVE": 1
},
"indicator_count": 9592,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "49 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac416596cd89cf76bce55",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:04:53.997000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac4327b5bc2e8be34f78a",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:22.323000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac438a696c993b672106d",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:28.261000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6961a8ed7b492f9e0ba38990",
"name": "HeartSender.A and other Malware attacks originating from Palantirs Pahamify Pegasus",
"description": "Pahamify Pegasus : HackTool \u2022 Speedcat \u2022 HeartSender.A \u2022 Zbot and other malware found.\nSearc begins with single FileHash referenced below. \nI\u2019m checking the processes and sharing it here one group at a time. Too much research at once could bring Amazon AWS down. Again.",
"modified": "2026-02-09T00:04:37.974000",
"created": "2026-01-10T01:18:36.999000",
"tags": [
"read c",
"write c",
"port",
"destination",
"united",
"medium",
"as16509",
"memcommit",
"write",
"execution",
"dock",
"persistence",
"next executed",
"commands graph",
"tree",
"sample hash",
"passive dns",
"present jan",
"title error",
"urls",
"files",
"date hash",
"avast avg",
"dynamicloader",
"host",
"utf8",
"unicode text",
"crlf line",
"binary resource",
"ms windows",
"search",
"intel",
"pcspeedcat",
"win32",
"internal",
"malware",
"local",
"unknown",
"get na",
"http",
"okrnserver",
"ip address",
"http traffic",
"guard",
"powershell",
"ipv4 add",
"servers",
"name servers",
"capture",
"link",
"gateway",
"tofsee att",
"ck ids",
"t1055",
"injection",
"t1071",
"protocol",
"t1573",
"target",
"url http",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"t1480 execution",
"discovery att",
"mitre att",
"ck matrix",
"ascii text",
"hybrid",
"general",
"path",
"click",
"strings",
"high",
"etpro malware",
"next",
"stack",
"format",
"error",
"unicode",
"head http",
"regsetvalueexa",
"qt binary",
"resource file",
"pe32",
"hostile",
"unknown aaaa",
"unknown ns",
"x content",
"gmt cache",
"domain add",
"title",
"present sep",
"a td",
"td tr",
"dir td",
"td td",
"present may",
"present jun",
"present apr",
"present aug",
"present oct",
"head body",
"gmt server",
"index",
"main",
"accept",
"status",
"th tr",
"moved",
"record value",
"expiration date",
"germany unknown",
"present dec",
"cache control",
"present nov",
"max age1000000",
"cookie",
"hosting",
"reverse dns",
"location france",
"france asn",
"as16276",
"trojandropper",
"next associated",
"mtb jan",
"exploit",
"emails",
"trojan",
"pegasus",
"hostname add",
"url analysis",
"domain",
"files ip",
"address",
"france unknown",
"asn as16276",
"backdoor",
"entries",
"setcookie",
"twitter",
"refloadapihash",
"virtool",
"show",
"displayname",
"windows",
"rndhex",
"tofsee",
"stream",
"encrypt",
"push",
"creation date",
"france",
"date",
"body",
"pup",
"amazon",
"amazon aws",
"salesforce",
"herokuappdev",
"google",
"igoogle",
"monitored target",
"cats"
],
"references": [
"FileHash-SHA256\t9f66cab9d7c581cf2dd28b6ae3178bb3d38975ff257c3ffb67c3e89d0f7135ee",
"https://otx.alienvault.com/indicator/ip/3.163.24.10",
"External Hosts: 52.57.183.74\t access.pcspeedcat.com\taccess.pcspeedcat.com\tGermany\tAS16509 amazon.com inc\taccess.pcspeedcat.com Germany AS16509 amazon.",
"External Hosts: 3.163.24.10\t www.pcspeedcat.com\twww.pcspeedcat.com\tUnited States ASNone",
"https://otx.alienvault.com/indicator/hostname/pegasus.pahamify.com",
"https://otx.alienvault.com/indicator/url/https://pegasus.pahamify.com/",
"https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"http://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"biblegateway.comwww.biblegateway.com \u2022 www.biblegateway.com",
"Malicious Application Development: herokuappdev.com (Patter match 8 years +)",
"direwolf-8b1a1bc476.staging.herokuappdev.com",
"Malicious Application Development: herokuappdev.com (pattern matching spans 8+ years)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Generic-9871124-0",
"display_name": "Win.Malware.Generic-9871124-0",
"target": null
},
{
"id": "ALF:HackTool:MSIL/HeartSender.A",
"display_name": "ALF:HackTool:MSIL/HeartSender.A",
"target": null
},
{
"id": "Win.Malware.Speedcat-6957425",
"display_name": "Win.Malware.Speedcat-6957425",
"target": null
},
{
"id": "Tofsee Attack",
"display_name": "Tofsee Attack",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
}
],
"industries": [
"Civil Society",
"Telecommunications",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 404,
"FileHash-SHA1": 286,
"FileHash-SHA256": 1419,
"SSLCertFingerprint": 7,
"domain": 441,
"URL": 4233,
"hostname": 1217,
"email": 10
},
"indicator_count": 8017,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "69 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6958780c8479a9d69920c3d8",
"name": "Telnet - Mirai \u2022 Dark Nexus BusyBox iOS Attack",
"description": "There\u2019s enough here to cause an outage. I will stop here. Illegal activities to silence victim and block her from financial settlement award for permanent injuries under workers compensation in a premise and healthcare worker assault scenario. Attorneys estimated her case to be above $100 million but knew she\u2019d be tampered with. Mark Montano MD forewarned her but is culpable. Still attacking family of victim.\n[ True- otx auto generated: Adversaries may be able to gain access to a victim's network through a drive-by attack, as well as using a short-term SSL certificate, in order to target the victim.] |||\nPositive:\nT1140 - Deobfuscate/Decode Files or Information\nSuspicious IP Address\n104.21.51.140, 172.67.181.41\nLocation United States ASN\nModif AS13335 cloudflare\nAutomate Nameservers:\nns1.colocrossing.com.",
"modified": "2026-02-02T01:02:46.327000",
"created": "2026-01-03T01:59:40.530000",
"tags": [
"united",
"moved",
"title",
"passive dns",
"ipv4 add",
"urls",
"files",
"hosting",
"reverse dns",
"location united",
"hash avast",
"avg clamav",
"msdefender mar",
"read c",
"create c",
"medium",
"search",
"memcommit",
"high",
"checks",
"windows",
"execution",
"dock",
"write",
"persistence",
"capture",
"local",
"ref b",
"wed may",
"backdoor",
"mtb aug",
"next associated",
"mtb dec",
"twitter",
"smoke loader",
"malware",
"virtool",
"hacktool",
"data upload",
"present dec",
"mtb apr",
"win32",
"trojan",
"worm",
"lowfi",
"cybota",
"expiration date",
"name servers",
"ipv4",
"url analysis",
"port",
"destination",
"telnet login",
"bad login",
"gpl telnet",
"suspicious path",
"busybox",
"tcp syn",
"et telnet",
"path",
"mirai",
"filehash",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"america",
"ck id",
"name tactics",
"suspicious",
"informative",
"learn",
"t1179 hooking",
"installs",
"t1035 service",
"adversaries",
"msie",
"windows nt",
"slcc2",
"media center",
"y013",
"flag",
"span",
"accept",
"core",
"february",
"hybrid",
"malicious",
"general",
"click",
"strings",
"roboto",
"next",
"usa windows",
"finished",
"queueprogress",
"timestamp input",
"threat level",
"october",
"september",
"hwp support",
"fresh",
"win64",
"khtml",
"gecko",
"brand",
"microsoft edge",
"programfiles",
"comspec",
"model",
"iframe",
"form",
"listeners",
"initial access",
"t1590 gather",
"victim network",
"ssl certificate",
"quasi government",
"jeffrey reimer",
"palantir",
"Regis university",
"otx hp",
"apple",
"pegasus",
"h5 data center",
"florence colorado",
"brian sabey",
"target : Tsara Brasheaers",
"aig",
"industry and commerce",
"united states",
"State of Colorado.",
"date",
"status",
"domain",
"hostname add",
"pulse pulses",
"files ip",
"address",
"url https",
"url http",
"hostname",
"show",
"type indicator",
"source hostname",
"entries",
"Prometheus Intelligence Technology",
"pulse submit",
"america flag",
"body",
"dynamicloader",
"microsoft azure",
"tls issuing",
"named pipe",
"json",
"ascii text",
"lredmond",
"Apple",
"Telnet",
"BusyBox",
"Pegasus",
"Colorado State Fixer: Christopher P. Ahmann",
"Hijacker: Brian Sabey",
"For: Concentra",
"Protecting Assaulter: Jeffrey Reimer",
"For: AIG",
"For Industry and Commerce",
"For: Quasi Government",
"For: Workers Compensation",
"Authorities",
"Law Enforcement Dark",
"Silencing",
"Tampering with a Victim",
"Meta",
"Palantir",
"Google",
"Bing",
"Microsoft",
"ColoCrossing",
"Associates",
"hit men"
],
"references": [
"ET Telnet | https://www.colocrossing.com | velocity servers",
"https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives",
"TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host",
"Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)",
"(legitimate services will remain up-and-running usually) High | ID dead_host",
"ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0",
"IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login",
"Yara Detections is__elf",
"Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"Yara Detections is__elf , ELFHighEntropy , elf_empty_sections",
"http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/",
"https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l",
"https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!",
"https://www.colocrossing.com/",
"(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.",
"In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov",
"104.21.51.140, 172.67.181.41",
"Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot",
"stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe",
"Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download",
"Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration",
"IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192",
"IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82",
"Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com",
"This is hard to comprehend or put into indelible words."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.DarkNexus-7679166-0",
"display_name": "Unix.Trojan.DarkNexus-7679166-0",
"target": null
},
{
"id": "HackTool:MSIL/Boilod.C!bit",
"display_name": "HackTool:MSIL/Boilod.C!bit",
"target": "/malware/HackTool:MSIL/Boilod.C!bit"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1204.002",
"name": "Malicious File",
"display_name": "T1204.002 - Malicious File"
},
{
"id": "T1462",
"name": "Malicious Software Development Tools",
"display_name": "T1462 - Malicious Software Development Tools"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Technology",
"Healthcare",
"Insurance",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6390,
"domain": 723,
"hostname": 1978,
"FileHash-SHA256": 1912,
"FileHash-MD5": 410,
"FileHash-SHA1": 306,
"email": 3,
"SSLCertFingerprint": 28,
"CVE": 3
},
"indicator_count": 11753,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "76 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://erp.p510.decagonsoftware.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://erp.p510.decagonsoftware.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776616816.1237514
}