{ "type": "URL", "indicator": "https://eservices2.env01.dev.aaalife.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://eservices2.env01.dev.aaalife.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4126187701, "indicator": "https://eservices2.env01.dev.aaalife.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "6939d93da11a7d2bf7535ef1", "name": "Tesla Hackers Log In | Disqus", "description": "I\u2019m not for certain when blog \u2018https://pickyhot.disqus.com/tsara-brashears\u2019 first appeared online. It was present in 2016 -2021. It was a porn spewing blog that obviously was full of tools. The lot pics debated targets race , beauty and other silly things. I don\u2019t know if target ever clicked on links. Tesla Hackers have played a major role in attacks against target. I haven\u2019t sifted through all malware yet. \n\n\n - Elon Musk - When Brashears suffered attempted hit on roadway she described suspect as an Elon Musk type, possible, offspring, or someone closely tied to him.", "modified": "2026-01-09T19:02:12.608000", "created": "2025-12-10T20:34:05.903000", "tags": [ "disqus", "disqus.com", "comments", "blog", "blogs", "discussion", "google facebook", "twitter", "microsoft apple", "email", "forgot password", "login", "sign", "general full", "url https", "security tls", "united", "asn54113", "fastly", "reverse dns", "resource", "hash", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "network traffic", "t1057", "path", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "signing defense", "file defense", "read c", "tlsv1", "search", "jfif", "ijg jpeg", "tls handshake", "failure", "show", "port", "execution", "next", "dock", "write", "persistence", "malware", "unknown", "waymo", "tesla", "musk", "austin", "bay area", "tesla ceo", "elon musk", "wednesday", "safety monitor", "synacktiv", "aaaa", "present jul", "status", "asnone country", "as13335", "present sep", "present apr", "present dec", "present jun", "lte all", "search otx", "additionally", "enter source", "url or", "data upload", "extraction", "entries", "present may", "dynamicloader", "as15169", "medium", "write c", "odigicert inc", "windows", "as54113", "worm", "copy", "explorer", "encrypt", "target tsraa brashears" ], "references": [ "http://pickyhot.disqus.com/", "https://www.teslarati.com/tesla-hackers", "https://pickyhot.disqus.com/tsara-brashears", "All tags auto populated including\u2019 Elon Musk\u2019", "Running webserver Running WordPress Running Drupal", "bulletproof.palantirapollo.com \u2022 vpn-etuleusj2dpr.palantirclou", "https://publicsector.google/404-page-not-found/\t \u2022 www.founderstack.pro \u2022 oedfoundation.org", "https://www.founderstack.pro/feedhive \u2022 https://coinbase.getro.com/companies/astar-foundation \u2022 founders-vision.com", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "www.endgame.com", "://blog.endgamesystems.com/ \u2022 http://httpswww.endgamesystems.com\t URL\thttp://wg41xm05b3.endgamesystems.com", "https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com\t\u2022 http://blog.endgamesystems.com", "https://httpswww.endgamesystems.com\t\u2022 https://wg41xm05b3.endgamesystems.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com", "https://blog.endgamesystems.com/\t\u2022 https://blog.endgamesystems.com", "http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/", "http://www.endgamesystems.com/", "Requires further research" ], "public": 1, "adversary": "Tesla Hackers", "targeted_countries": [], "malware_families": [ { "id": "Synacktiv", "display_name": "Synacktiv", "target": null }, { "id": "Tesla Hackers", "display_name": "Tesla Hackers", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Mofksys", "display_name": "Mofksys", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2523, "URL": 6583, "FileHash-SHA256": 1132, "domain": 1483, "FileHash-SHA1": 43, "SSLCertFingerprint": 17, "FileHash-MD5": 109, "email": 2 }, "indicator_count": 11892, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6907f7e98289b75f3e5ecaba", "name": "- Treece Alfrey Musat P.C. - Malicious Legal Google Botnet", "description": "Christopher P.\nAhmann\u2019s Google Botnet. Defense attorneys fighting worker\u2019s compensation case and ruining a targets life for years. Malicious.[OTX auto popular-HOSTNAME: Google Video.com (GOOGlevideo.COM), an unauthorised website, has been blocked by the internet service regulator, the regulator of the domain registry.]\n\n#pulsed_by_otx #private_google #legal_goigle #malicious_practices", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-03T00:31:37.396000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "138 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69138421066f81131da59cc5", "name": "Malicious Legal Google Botnet - Treece Alfrey Musat P.C.\u2022 Christopher P. Ahmann Spam - Malicious ", "description": "", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-11T18:44:49.343000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6907f7e98289b75f3e5ecaba", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "138 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9288e0d98f3b44c2cb90c", "name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety", "description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T18:55:10.527000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f93b1cebf80f48450bd517", "name": "Yuner - File deletion and Disk Wiping / Cyberstalking ", "description": "", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T20:14:20.632000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": "68f9288e0d98f3b44c2cb90c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f5cfa9b74d6faa43eb6585", "name": "Indicator Removal service affecting Threat Hunters | Brian Sabey", "description": "Indicator removal used by M. Brian Sabey to for the purpose of attacking networks and removing malicious indicators related to entities and attacks deployed by & Co. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship).\nThere are many other malicious indicators.\n\n* foundryvttcasero.roleros.cl", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-20T05:59:04.173000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "152 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80aa152fdd795fa008e2e", "name": "Small & Comisproc Indicator Removal service Affects Threat Hunter Sevices", "description": "", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-21T22:35:13.128000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": "68f5cfa9b74d6faa43eb6585", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "152 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68efedf37890e1b32d60eb55", "name": "Assurant Insurance \u2022 Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant , T-Mobile & me", "description": "Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant and T-Mobile and me. There is truth to the tip I received. This is the 3rd time all of my networks went down , even my phone disconnected and phone number changed temporarily. \n\nJosh T found again. Online profile possibly staged. Stated he is a gamer , self trained in Lua, , CS major in Canada. He is a malicious hacker and streamer and probably an entity. Eric _E iCloud related. Found DoD & Mil hackers related. I haven\u2019t taken the time to authenticate.. Very malicious and talented hackers attacking. I can\u2019t ignore the .mil and DoD items that populated in previous pulses. \n \n[OTX Auto Populated-Trojan-gen-Glupteba, Danabot, Prorat, and other names have been identified as the names of those affected by the latest cyber-attack on the internet.]", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T18:54:43.205000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68efee5ba882db423d3bad8f", "name": "Assurant & T-Mobile BLYP Checkin ET MALWARE TROJAN \u2022 Kryptic", "description": "", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T18:56:27.950000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": "68efedf37890e1b32d60eb55", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68eff0848071708f9ee0c0bd", "name": "Gamarue \u2022 G3nasom\u2022 Simda\u2022 Ganelp affecting Assurant and T-Mobile Part 3", "description": "", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T19:05:40.466000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": "68efee5ba882db423d3bad8f", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68b798c0a419c49eeb4e2a13", "name": "Archive.ph - Mirai", "description": "Outdated archiving domain of questionable origin can expose or has exposed monitored target/s to\nUnix.Dropper.Mirai-7135858-0.\n\nThe domain seems to want to appear as if it originates from Russia. There is a DoD & Endgame systems relationship. Multiple archived pages have been injected and deleted.\n(Little Endian) is a name seen often related to an innocent known to be targeted by a pro male entity who utilizes Pegasus, Palantir, Gotham, Foundry , Tulach, for silencing.\n#trulymissed #mirai #malicious", "modified": "2025-10-03T00:01:12.616000", "created": "2025-09-03T01:24:16.418000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "javascript", "spawns", "united", "present aug", "div div", "meta", "fffae1", "xml title", "drag", "div form", "form div", "a li", "encrypt", "russia", "passive dns", "urls", "aaaa", "netherlands", "your ip", "panama", "russia unknown", "present mar", "present jun", "moved", "present jul", "present sep", "ip address", "present jan", "body", "title", "domain", "files", "content type", "body doctype", "as16509", "intel mac", "os x", "ipv4 add", "port", "destination", "read c", "medium", "entries", "et info", "execution", "next", "dock", "write", "persistence", "malware", "url analysis", "files ip", "name server", "domain address", "algorithm", "key identifier", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "us as15169", "us as396982", "mitre att", "pattern match", "form", "onload", "general", "local", "path", "click", "strings", "verify", "asnone", "china as4134", "resolverror", "high", "dns query", "as7018 att", "japan as4713", "south korea", "little \u2018endian\u2019", "mirai", "dod", "endgame systems", "government overreach", "sabey type", "foundry type", "apple", "cve" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135858-0", "display_name": "Unix.Dropper.Mirai-7135858-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2069, "domain": 406, "FileHash-SHA256": 1498, "hostname": 811, "FileHash-MD5": 150, "FileHash-SHA1": 138, "SSLCertFingerprint": 8, "CIDR": 1, "CVE": 1 }, "indicator_count": 5082, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "199 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c54659742e10df0e2dd0ec", "name": "Archive.ph - Mirai", "description": "", "modified": "2025-10-03T00:01:12.616000", "created": "2025-09-13T10:24:25.814000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "javascript", "spawns", "united", "present aug", "div div", "meta", "fffae1", "xml title", "drag", "div form", "form div", "a li", "encrypt", "russia", "passive dns", "urls", "aaaa", "netherlands", "your ip", "panama", "russia unknown", "present mar", "present jun", "moved", "present jul", "present sep", "ip address", "present jan", "body", "title", "domain", "files", "content type", "body doctype", "as16509", "intel mac", "os x", "ipv4 add", "port", "destination", "read c", "medium", "entries", "et info", "execution", "next", "dock", "write", "persistence", "malware", "url analysis", "files ip", "name server", "domain address", "algorithm", "key identifier", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "us as15169", "us as396982", "mitre att", "pattern match", "form", "onload", "general", "local", "path", "click", "strings", "verify", "asnone", "china as4134", "resolverror", "high", "dns query", "as7018 att", "japan as4713", "south korea", "little \u2018endian\u2019", "mirai", "dod", "endgame systems", "government overreach", "sabey type", "foundry type", "apple", "cve" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135858-0", "display_name": "Unix.Dropper.Mirai-7135858-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "68b798c0a419c49eeb4e2a13", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2069, "domain": 406, "FileHash-SHA256": 1498, "hostname": 811, "FileHash-MD5": 150, "FileHash-SHA1": 138, "SSLCertFingerprint": 8, "CIDR": 1, "CVE": 1 }, "indicator_count": 5082, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "199 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "bulletproof.palantirapollo.com \u2022 vpn-etuleusj2dpr.palantirclou", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "http://www.endgamesystems.com/", "Requires further research", "https://www.teslarati.com/tesla-hackers", "https://publicsector.google/404-page-not-found/\t \u2022 www.founderstack.pro \u2022 oedfoundation.org", "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "http://pickyhot.disqus.com/", "https://www.endgames.us \u2022 https://www.endgames.us/", "www.endgame.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "://blog.endgamesystems.com/ \u2022 http://httpswww.endgamesystems.com\t URL\thttp://wg41xm05b3.endgamesystems.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com", "wg41xm05b3.endgamesystems.com\t\u2022 http://blog.endgamesystems.com", "Running webserver Running WordPress Running Drupal", "https://blog.endgamesystems.com/\t\u2022 https://blog.endgamesystems.com", "you.are.poor.i.got.trap.money?", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "https://httpswww.endgamesystems.com\t\u2022 https://wg41xm05b3.endgamesystems.com", "All tags auto populated including\u2019 Elon Musk\u2019", "https://www.founderstack.pro/feedhive \u2022 https://coinbase.getro.com/companies/astar-foundation \u2022 founders-vision.com", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://wg41xm05b3.endgamesystems.com/", "https://pickyhot.disqus.com/tsara-brashears", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Tesla Hackers" ], "malware_families": [ "Et", "Crypt3.ckto", "Trojan:win32/glupteba.ov!mtb", "Bc.win.packer.troll-11", "Crypt3.boje", "Atros3.ahfb", "Crypt4.ahsw", "Lockbit", "Alf:heraklezeval:pua:win32/ultradownloads", "Crypt3.bxvc", "Crypt5.bbyh", "Win32:trojan", "Crypt3.boiu", "Crypt3.bxgr", "Backdoor:win32/prorat.l", "Danabot", "Other malware", "Crypt3.coiz", "Worm:win32/autorun.xxy!bit", "Crypt3.cmtm", "Mofksys", "Tofsee", "Tesla hackers", "Synacktiv", "Inject2.bhbw", "Other dangerous malware", "Win32:malware-gen", "Prorat", "Inject2.bive", "Crypt3.bxmj", "Unix.dropper.mirai-7135858-0", "Crypt3.blxp", "Crypt3.boqd" ], "industries": [ "Oil", "Government", "Technology", "Insurance", "Telecommunications" ], "unique_indicators": 56351 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/aaalife.com", "whois": "http://whois.domaintools.com/aaalife.com", "domain": "aaalife.com", "hostname": "eservices2.env01.dev.aaalife.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "6939d93da11a7d2bf7535ef1", "name": "Tesla Hackers Log In | Disqus", "description": "I\u2019m not for certain when blog \u2018https://pickyhot.disqus.com/tsara-brashears\u2019 first appeared online. It was present in 2016 -2021. It was a porn spewing blog that obviously was full of tools. The lot pics debated targets race , beauty and other silly things. I don\u2019t know if target ever clicked on links. Tesla Hackers have played a major role in attacks against target. I haven\u2019t sifted through all malware yet. \n\n\n - Elon Musk - When Brashears suffered attempted hit on roadway she described suspect as an Elon Musk type, possible, offspring, or someone closely tied to him.", "modified": "2026-01-09T19:02:12.608000", "created": "2025-12-10T20:34:05.903000", "tags": [ "disqus", "disqus.com", "comments", "blog", "blogs", "discussion", "google facebook", "twitter", "microsoft apple", "email", "forgot password", "login", "sign", "general full", "url https", "security tls", "united", "asn54113", "fastly", "reverse dns", "resource", "hash", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "network traffic", "t1057", "path", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "signing defense", "file defense", "read c", "tlsv1", "search", "jfif", "ijg jpeg", "tls handshake", "failure", "show", "port", "execution", "next", "dock", "write", "persistence", "malware", "unknown", "waymo", "tesla", "musk", "austin", "bay area", "tesla ceo", "elon musk", "wednesday", "safety monitor", "synacktiv", "aaaa", "present jul", "status", "asnone country", "as13335", "present sep", "present apr", "present dec", "present jun", "lte all", "search otx", "additionally", "enter source", "url or", "data upload", "extraction", "entries", "present may", "dynamicloader", "as15169", "medium", "write c", "odigicert inc", "windows", "as54113", "worm", "copy", "explorer", "encrypt", "target tsraa brashears" ], "references": [ "http://pickyhot.disqus.com/", "https://www.teslarati.com/tesla-hackers", "https://pickyhot.disqus.com/tsara-brashears", "All tags auto populated including\u2019 Elon Musk\u2019", "Running webserver Running WordPress Running Drupal", "bulletproof.palantirapollo.com \u2022 vpn-etuleusj2dpr.palantirclou", "https://publicsector.google/404-page-not-found/\t \u2022 www.founderstack.pro \u2022 oedfoundation.org", "https://www.founderstack.pro/feedhive \u2022 https://coinbase.getro.com/companies/astar-foundation \u2022 founders-vision.com", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "www.endgame.com", "://blog.endgamesystems.com/ \u2022 http://httpswww.endgamesystems.com\t URL\thttp://wg41xm05b3.endgamesystems.com", "https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com\t\u2022 http://blog.endgamesystems.com", "https://httpswww.endgamesystems.com\t\u2022 https://wg41xm05b3.endgamesystems.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com", "https://blog.endgamesystems.com/\t\u2022 https://blog.endgamesystems.com", "http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/", "http://www.endgamesystems.com/", "Requires further research" ], "public": 1, "adversary": "Tesla Hackers", "targeted_countries": [], "malware_families": [ { "id": "Synacktiv", "display_name": "Synacktiv", "target": null }, { "id": "Tesla Hackers", "display_name": "Tesla Hackers", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Mofksys", "display_name": "Mofksys", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2523, "URL": 6583, "FileHash-SHA256": 1132, "domain": 1483, "FileHash-SHA1": 43, "SSLCertFingerprint": 17, "FileHash-MD5": 109, "email": 2 }, "indicator_count": 11892, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6907f7e98289b75f3e5ecaba", "name": "- Treece Alfrey Musat P.C. - Malicious Legal Google Botnet", "description": "Christopher P.\nAhmann\u2019s Google Botnet. Defense attorneys fighting worker\u2019s compensation case and ruining a targets life for years. Malicious.[OTX auto popular-HOSTNAME: Google Video.com (GOOGlevideo.COM), an unauthorised website, has been blocked by the internet service regulator, the regulator of the domain registry.]\n\n#pulsed_by_otx #private_google #legal_goigle #malicious_practices", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-03T00:31:37.396000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "138 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69138421066f81131da59cc5", "name": "Malicious Legal Google Botnet - Treece Alfrey Musat P.C.\u2022 Christopher P. Ahmann Spam - Malicious ", "description": "", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-11T18:44:49.343000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6907f7e98289b75f3e5ecaba", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "138 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9288e0d98f3b44c2cb90c", "name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety", "description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T18:55:10.527000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f93b1cebf80f48450bd517", "name": "Yuner - File deletion and Disk Wiping / Cyberstalking ", "description": "", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T20:14:20.632000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": "68f9288e0d98f3b44c2cb90c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f5cfa9b74d6faa43eb6585", "name": "Indicator Removal service affecting Threat Hunters | Brian Sabey", "description": "Indicator removal used by M. Brian Sabey to for the purpose of attacking networks and removing malicious indicators related to entities and attacks deployed by & Co. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship).\nThere are many other malicious indicators.\n\n* foundryvttcasero.roleros.cl", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-20T05:59:04.173000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "152 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80aa152fdd795fa008e2e", "name": "Small & Comisproc Indicator Removal service Affects Threat Hunter Sevices", "description": "", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-21T22:35:13.128000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": "68f5cfa9b74d6faa43eb6585", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "152 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68efedf37890e1b32d60eb55", "name": "Assurant Insurance \u2022 Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant , T-Mobile & me", "description": "Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant and T-Mobile and me. There is truth to the tip I received. This is the 3rd time all of my networks went down , even my phone disconnected and phone number changed temporarily. \n\nJosh T found again. Online profile possibly staged. Stated he is a gamer , self trained in Lua, , CS major in Canada. He is a malicious hacker and streamer and probably an entity. Eric _E iCloud related. Found DoD & Mil hackers related. I haven\u2019t taken the time to authenticate.. Very malicious and talented hackers attacking. I can\u2019t ignore the .mil and DoD items that populated in previous pulses. \n \n[OTX Auto Populated-Trojan-gen-Glupteba, Danabot, Prorat, and other names have been identified as the names of those affected by the latest cyber-attack on the internet.]", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T18:54:43.205000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68efee5ba882db423d3bad8f", "name": "Assurant & T-Mobile BLYP Checkin ET MALWARE TROJAN \u2022 Kryptic", "description": "", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T18:56:27.950000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": "68efedf37890e1b32d60eb55", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68eff0848071708f9ee0c0bd", "name": "Gamarue \u2022 G3nasom\u2022 Simda\u2022 Ganelp affecting Assurant and T-Mobile Part 3", "description": "", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T19:05:40.466000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": "68efee5ba882db423d3bad8f", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://eservices2.env01.dev.aaalife.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://eservices2.env01.dev.aaalife.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776661515.2476175 }