{ "type": "URL", "indicator": "https://example.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://example.com", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #1608", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain example.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain example.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3838702045, "indicator": "https://example.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 19, "pulses": [ { "id": "69640c0afc9805a6fa2da07b", "name": "MUSO.AI Malware \u2018Incredimail\u2019 Palantir in use[OTX auto populated title -Tsara Brashears]", "description": "MUSO.Ai , Is have to do more research. Some searches on reports MUSO as an opt in resource for artist to view, sort, and manage legacy credits, MUSO also collects royalties. Research and investigation confirms no one on music team is associated with or l thinks they may have heard of MUSO. Is MUSO. AI Palantir customer or service ,spy app services by the folks at Palantir. . [otx auto pop praise: Tsara Brashears is the most popular songwriter in the world, but can you use the app to find out more about the artist and the musicians behind the tracks?] cute. \n#dembiak #palantir #muso #ai", "modified": "2026-02-10T20:03:47.214000", "created": "2026-01-11T20:46:02.176000", "tags": [ "lark kdence", "zack dare", "zafira", "jon bonus", "andy flebbe", "div div", "present nov", "a domains", "united", "script urls", "div a", "script domains", "discover", "moved", "insert", "x0 tw", "urls", "cloudfront x", "title error", "url analysis", "reverse dns", "servers", "name servers", "united states", "all ipv4", "aaaa", "ip address", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "evasion att", "t1480 execution", "ascii text", "mitre att", "pattern match", "null", "error", "click", "hybrid", "general", "local", "path", "starfield", "strings", "refresh", "tools", "meta", "onload", "span", "data upload", "extraction", "type", "extra", "referen https", "include review", "exclude sugges", "stop", "aivoes typ", "passive dns", "date", "united states", "status", "domain add", "files", "hostname", "read c", "medium", "search", "show", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "amazon02", "as autonomous", "system", "asn16509", "domain", "current dns", "a record", "as16509", "december", "ip information", "ipasns ip", "google", "fastly", "googlecl", "akamaias", "cloudflar", "domain tree", "links ip", "address as", "cisco", "umbrella rank", "general full", "url https", "software", "resource hash", "protocol h2", "security tls", "hostname add", "challengescript", "captchascript", "name", "value", "source level", "url text", "automatic", "webgl", "please", "extr data", "data", "size", "title", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "entries", "rgba", "unicode", "asnone", "malware", "port", "destination", "tlsv1", "tls handshake", "failure", "roboto", "msie", "windows nt", "wow64", "slcc2", "media center", "expiration", "url http", "no expiration", "present jan", "unknown ns", "certificate", "body", "present oct", "present may", "present dec", "present sep", "present feb", "showing", "next associated", "all se", "pulse pulses", "http", "files domain", "files related", "pulses none", "debiak", "tsara brashears", "ai", "palantir", "muso ai", "sort", "artists", "royalties", "music", "songwriter", "collect", "view", "malicious app", "false claims" ], "references": [ "https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a", "22.hio52.r.cloudfront.net", "us-gov-west-1.gov.reveal-global.com", "us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647", "MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page", "External Hosts Israel Unique Countries 2 Unique ASNs 2 IP", "ASN 82.80.204.63 www5.incredimail.com \u2022 Israel", "United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel", "AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel", "Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)", "IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5", "Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com", "medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com", "caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com", "upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com", "https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/", "http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com", "https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com", "engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com", "https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com", "http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/", "https://glare.pali om. \u2022 http://engage.palantirfou?", "What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co", "(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022", "www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!", "campdeadwood2026.com", "http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy", "Pornhub to your phone. Dumping or by request?", "https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/", "www.killer333.club So I\u2019m right." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Incredimail-6804483-0", "display_name": "Win.Malware.Incredimail-6804483-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "TA0028", "name": "Persistence", "display_name": "TA0028 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10686, "hostname": 2427, "domain": 1094, "FileHash-MD5": 175, "FileHash-SHA1": 65, "FileHash-SHA256": 1118, "email": 4, "SSLCertFingerprint": 14 }, "indicator_count": 15583, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d877e28416d81633bae1ad", "name": "PolyRansom attack through malicious actor on threat platforms", "description": "Virlock , PolyRansom and multiple other attacks through malicious actor using social engineering tactics. Has a rigged platform. Goal -\n to gain complete command and control of users in great platforms. Has infected at least a single device.\n#domainrobot #socialengineeeing #Tofsee\n#Trojan:Win32/Vflooder\n#Unix.Dropper.Mirai-7135870-0\n#Virus.Virlock/Nabucur\n#Win.Packer.pkr_ce1a-9980177-0\n#Win.Virus.PolyRansom", "modified": "2025-10-27T22:02:25.163000", "created": "2025-09-27T23:48:50.976000", "tags": [ "iocs", "indicator role", "write c", "intel", "ms windows", "medium", "pe32", "delete", "ids detections", "yara detections", "write", "malware", "delete c", "windows", "high", "port", "encrypt", "tofsee", "stream", "passive dns", "http", "ip address", "related nids", "files location", "united states", "united", "win32", "trojan", "mtb may", "twitter", "hellspawn", "worm", "title", "emails", "servers", "get http", "dns resolutions", "http traffic", "command", "control ta0011", "protocol t1071", "match info", "t1573 severity", "info", "request", "windows nt", "win64", "khtml", "gecko", "response", "present sep", "aaaa", "resolved ips", "ip traffic", "displayname", "yara rule", "loaderid", "name servers", "urls", "domain robot", "mail", "moved", "media gmbh", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "manager", "shutdown", "host", "generic http", "exe upload", "inbound", "outbound", "markus", "certificate", "record value", "object", "path", "server", "registrar abuse", "contact email", "contact phone", "registrar iana", "registrar url", "diablo", "gandi sas", "gandi", "diablo attacks", "bluemind", "alberta", "domain add", "asn as16625", "akamai", "less whois", "registrar", "metrobytmobile", "t mobile", "metro", "present jul", "present jun", "present aug", "germany unknown", "germany", "invalid url", "ipv4 add", "frankfurt", "main", "no entries", "entrust", "hostname add", "files loading", "mimic", "first address", "medium attempts", "process", "explorer", "windows startup", "kuwiqsma", "match medium", "medium installs", "installs", "t regdword", "user", "ntcreatefile", "filehandle", "createfilew", "getfilesize", "blpdqe", "jjqcpluanwwhg", "u0012", "desiredaccess", "keyhandle", "ntopenkeyex", "u001aw", "u0018", "read", "next", "tags none", "file type", "date september", "am size", "imphash pehash", "richhash", "south korea", "taiwan as3462", "as21928", "china as4134", "as4766 korea", "china as4837", "as9318 sk", "as701 verizon", "verizon", "tcp syn", "infectednight", "resolverror", "tref neutral", "ck technique", "technique id", "tofsee high", "overview whois", "pulses", "tags", "related tags", "more external", "resources whois", "urlvoid", "tavao.exe", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "defense evasion", "spawns", "access att", "ascii text", "pattern match", "mitre att", "size", "meta", "null", "error", "click", "roboto", "hybrid", "general", "local", "starfield", "strings", "refresh", "tools", "onload", "span", "iframe", "found", "t1480 execution", "backdoor", "a domains", "russia", "next associated", "link", "windir", "interesting", "show technique", "ck matrix", "network traffic", "t1071", "t1057", "lowfi", "gameforprofits", "game att", "night got", "job done infected" ], "references": [ "DiabloFans ClapBack: Google. Com", "Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match", "CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match", "Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header", "Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection", "MetrobyT-mobile", "UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic", "Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.", "Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766", "Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra", "Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon", "Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Virus.Virlock/Nabucur", "display_name": "Virus.Virlock/Nabucur", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 450, "FileHash-SHA1": 435, "FileHash-SHA256": 2092, "URL": 646, "domain": 593, "SSLCertFingerprint": 9, "hostname": 657, "email": 13 }, "indicator_count": 4895, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "174 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d877d6231fc1cbe1792ee1", "name": "PolyRansom attack through malicious actor on threat platforms", "description": "Virlock , PolyRansom and multiple other attacks through malicious actor using social engineering tactics. Has a rigged platform. Goal -\n to gain complete command and control of users in great platforms. Has infected at least a single device.\n#domainrobot #socialengineeeing #Tofsee\n#Trojan:Win32/Vflooder\n#Unix.Dropper.Mirai-7135870-0\n#Virus.Virlock/Nabucur\n#Win.Packer.pkr_ce1a-9980177-0\n#Win.Virus.PolyRansom", "modified": "2025-10-27T22:02:25.163000", "created": "2025-09-27T23:48:38.895000", "tags": [ "iocs", "indicator role", "write c", "intel", "ms windows", "medium", "pe32", "delete", "ids detections", "yara detections", "write", "malware", "delete c", "windows", "high", "port", "encrypt", "tofsee", "stream", "passive dns", "http", "ip address", "related nids", "files location", "united states", "united", "win32", "trojan", "mtb may", "twitter", "hellspawn", "worm", "title", "emails", "servers", "get http", "dns resolutions", "http traffic", "command", "control ta0011", "protocol t1071", "match info", "t1573 severity", "info", "request", "windows nt", "win64", "khtml", "gecko", "response", "present sep", "aaaa", "resolved ips", "ip traffic", "displayname", "yara rule", "loaderid", "name servers", "urls", "domain robot", "mail", "moved", "media gmbh", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "manager", "shutdown", "host", "generic http", "exe upload", "inbound", "outbound", "markus", "certificate", "record value", "object", "path", "server", "registrar abuse", "contact email", "contact phone", "registrar iana", "registrar url", "diablo", "gandi sas", "gandi", "diablo attacks", "bluemind", "alberta", "domain add", "asn as16625", "akamai", "less whois", "registrar", "metrobytmobile", "t mobile", "metro", "present jul", "present jun", "present aug", "germany unknown", "germany", "invalid url", "ipv4 add", "frankfurt", "main", "no entries", "entrust", "hostname add", "files loading", "mimic", "first address", "medium attempts", "process", "explorer", "windows startup", "kuwiqsma", "match medium", "medium installs", "installs", "t regdword", "user", "ntcreatefile", "filehandle", "createfilew", "getfilesize", "blpdqe", "jjqcpluanwwhg", "u0012", "desiredaccess", "keyhandle", "ntopenkeyex", "u001aw", "u0018", "read", "next", "tags none", "file type", "date september", "am size", "imphash pehash", "richhash", "south korea", "taiwan as3462", "as21928", "china as4134", "as4766 korea", "china as4837", "as9318 sk", "as701 verizon", "verizon", "tcp syn", "infectednight", "resolverror", "tref neutral", "ck technique", "technique id", "tofsee high", "overview whois", "pulses", "tags", "related tags", "more external", "resources whois", "urlvoid", "tavao.exe", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "defense evasion", "spawns", "access att", "ascii text", "pattern match", "mitre att", "size", "meta", "null", "error", "click", "roboto", "hybrid", "general", "local", "starfield", "strings", "refresh", "tools", "onload", "span", "iframe", "found", "t1480 execution", "backdoor", "a domains", "russia", "next associated", "link", "windir", "interesting", "show technique", "ck matrix", "network traffic", "t1071", "t1057", "lowfi", "gameforprofits", "game att", "night got", "job done infected" ], "references": [ "DiabloFans ClapBack: Google. Com", "Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match", "CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match", "Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header", "Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection", "MetrobyT-mobile", "UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic", "Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.", "Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766", "Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra", "Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon", "Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Virus.Virlock/Nabucur", "display_name": "Virus.Virlock/Nabucur", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 450, "FileHash-SHA1": 435, "FileHash-SHA256": 2092, "URL": 646, "domain": 593, "SSLCertFingerprint": 9, "hostname": 657, "email": 13 }, "indicator_count": 4895, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "174 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c62316b24b23e6d4c579ef", "name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades", "description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago, claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate", "modified": "2025-10-14T01:04:58.605000", "created": "2025-09-14T02:06:14.853000", "tags": [ "denver", "jeffrey reimer", "star rating", "appointment", "post", "response are", "listened", "wait", "reimer", "healthgrades", "reply flag", "doctors", "find", "jeff", "back", "aurora", "leave", "crying", "tips", "tags na", "utc scorecard", "research beacon", "utc yahoo", "dot tags", "united", "mozilla", "write c", "nsisinetc", "undetermined", "medium", "intel", "ms windows", "write", "trojan", "defender", "delphi", "win32", "malware", "win64", "local", "next", "code overlap", "dynamicloader", "as15169", "brazil as28604", "brazil as396982", "upatre", "passive dns", "title error", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "location united", "america flag", "body", "script script", "powder sdk", "a domains", "title", "script", "certificate", "hostname add", "pulse submit", "meta", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "evasion att", "t1480 execution", "signing defense", "flag", "whois privacy", "service name", "server", "contacted hosts", "ip address", "process details", "size", "div id", "beginstring", "beginerror", "null", "error", "strings", "refresh", "tools", "onload", "click", "span", "remote access" ], "references": [ "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler", "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd", "CodeOverlap | All malware listed exists", "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "All #tags auto populated.", "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf", "blog.manpowergroup.com.py (aww like dadvocates)", "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)", "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.", "display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.", "target": null }, { "id": "Win.Malware.Tfuvtcog-7194372-0", "display_name": "Win.Malware.Tfuvtcog-7194372-0", "target": null }, { "id": "Trojan.Win32.Fakemalard", "display_name": "Trojan.Win32.Fakemalard", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Trojan.Win32.Banload", "display_name": "Trojan.Win32.Banload", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Too much to search for", "display_name": "Too much to search for", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Medical", "Media", "Government." ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 609, "URL": 1550, "domain": 280, "FileHash-SHA256": 1428, "FileHash-MD5": 133, "FileHash-SHA1": 115, "SSLCertFingerprint": 4 }, "indicator_count": 4119, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c62306c74c7f57dc993d13", "name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades", "description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago, claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate", "modified": "2025-10-14T01:04:58.605000", "created": "2025-09-14T02:05:58.793000", "tags": [ "denver", "jeffrey reimer", "star rating", "appointment", "post", "response are", "listened", "wait", "reimer", "healthgrades", "reply flag", "doctors", "find", "jeff", "back", "aurora", "leave", "crying", "tips", "tags na", "utc scorecard", "research beacon", "utc yahoo", "dot tags", "united", "mozilla", "write c", "nsisinetc", "undetermined", "medium", "intel", "ms windows", "write", "trojan", "defender", "delphi", "win32", "malware", "win64", "local", "next", "code overlap", "dynamicloader", "as15169", "brazil as28604", "brazil as396982", "upatre", "passive dns", "title error", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "location united", "america flag", "body", "script script", "powder sdk", "a domains", "title", "script", "certificate", "hostname add", "pulse submit", "meta", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "evasion att", "t1480 execution", "signing defense", "flag", "whois privacy", "service name", "server", "contacted hosts", "ip address", "process details", "size", "div id", "beginstring", "beginerror", "null", "error", "strings", "refresh", "tools", "onload", "click", "span", "remote access" ], "references": [ "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler", "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd", "CodeOverlap | All malware listed exists", "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "All #tags auto populated.", "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf", "blog.manpowergroup.com.py (aww like dadvocates)", "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)", "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.", "display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.", "target": null }, { "id": "Win.Malware.Tfuvtcog-7194372-0", "display_name": "Win.Malware.Tfuvtcog-7194372-0", "target": null }, { "id": "Trojan.Win32.Fakemalard", "display_name": "Trojan.Win32.Fakemalard", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Trojan.Win32.Banload", "display_name": "Trojan.Win32.Banload", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Medical", "Media", "Government." ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 609, "URL": 1550, "domain": 280, "FileHash-SHA256": 1428, "FileHash-MD5": 133, "FileHash-SHA1": 115, "SSLCertFingerprint": 4 }, "indicator_count": 4119, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68beb866c8ed898ed0ece438", "name": "BlackieVirus . Expanded- Apple", "description": "", "modified": "2025-10-08T10:00:30.227000", "created": "2025-09-08T11:05:10.064000", "tags": [ "present may", "present apr", "unknown ns", "present sep", "unknown aaaa", "present jun", "present dec", "passive dns", "ip address", "virtool", "win32cve sep", "trojan", "mtb sep", "ipv4", "urls", "trojanspy", "united states", "dynamicloader", "ms windows", "observed dns", "query", "windows nt", "wow64", "khtml", "gecko", "pe32", "write", "media", "malware", "suspicious", "learn", "ck id", "name tactics", "informative", "command", "defense evasion", "adversaries", "spawns", "t1204 user", "mitre att", "ck matrix", "null", "error", "click", "general", "local", "path", "strings", "refresh", "tools", "meta", "onload", "span", "apple", "entries", "write c", "defender", "tencent", "hostname add", "pulse submit", "url analysis", "present jul", "present mar", "present oct", "saudi arabia", "united", "present feb", "creation date", "search", "title", "date", "botnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Win.Trojan.Filerepmalware-10008115-0", "display_name": "Win.Trojan.Filerepmalware-10008115-0", "target": null }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 951, "hostname": 1766, "URL": 4969, "FileHash-MD5": 337, "FileHash-SHA1": 317, "FileHash-SHA256": 4296, "CVE": 1, "SSLCertFingerprint": 1, "email": 1 }, "indicator_count": 12639, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a23eef53f1124e8dc273fc", "name": "Sign in to your account - Anorocuriv", "description": "Short link sent to an iPhone user possibly by accident or maybe not. Unraveled :[https://ns4.whichkill.net/]\n[https://l.us-1.a.mimecastprotect.com/l]\n[https://api-glintstage.glintinc.com/api/client/tiaa/token/saml2/consume/includeDeskLink]\n\n[https://api.glintinc.com/api/client/tiaa/token/saml2/consume/includeDeskLink]\t\n\n*api.us1.glintinc.com #malta\n*ALF:Trojan:Win32/Anorocuriv.A.#virtool #LowFI:HookwowLow \n#tracking #tiaa #locate recording #userpics #movies #audio #screen #mobile_assets #https://biccerija.gov.mt/en/contact/", "modified": "2025-09-16T20:00:00.565000", "created": "2025-08-17T20:43:27.502000", "tags": [ "url http", "url https", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "status", "msie", "chrome", "passive dns", "urls", "date", "pulse pulses", "files", "domain", "files ip", "body", "http", "hostname", "files domain", "present jan", "present dec", "united", "present aug", "present jun", "unknown aaaa", "present mar", "present may", "present feb", "present jul", "error", "a domains", "gmt content", "accept encoding", "config nocache", "hostname add", "pulse submit", "content type", "certificate", "ip address", "cookie", "mita", "next associated", "please", "x msedge", "ipv4 add", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "pattern match", "mitre att", "ascii text", "null", "click", "august", "hybrid", "general", "local", "path", "strings", "refresh", "tools", "meta", "onload", "span", "adversaries", "ssl certificate", "logo", "av detection", "default browser", "guest system", "professional", "falcon sandbox", "response risk", "ck techniques", "detection", "show process", "prefetch8", "windows nt", "win64", "khtml", "gecko", "post collect", "microsoft edge", "nota", "brand", "class", "facebook", "ascii", "hex dump", "extraction", "failed", "data upload", "pul data", "enter", "s data", "type", "extr error", "href", "mask", "extra", "uta support", "include review", "exclude sugges", "find", "wow64", "show", "observed dns", "query", "unknown", "virtool", "copy", "write", "defender", "expiro", "malware", "next", "lowfi", "hookwowlow dec", "mtb jan", "mtb nov", "hookwowlow nov", "trojan", "trojandropper", "http request", "delete", "yara detections", "pe exe", "dll windows", "minimal http", "february", "guard", "alerts", "analysis date", "file score", "detections alf", "detections http", "http executable", "retrieved", "location united", "america flag", "america asn", "urls show", "date checked", "url hostname", "server response" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 853, "hostname": 1835, "URL": 7127, "email": 3, "FileHash-SHA256": 1470, "FileHash-MD5": 293, "FileHash-SHA1": 284, "SSLCertFingerprint": 426, "CVE": 1 }, "indicator_count": 12292, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "215 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689d7fd544aa8cf483b02d5c", "name": "Sinkhole | Win32/Dofoil.R CnC Beacon", "description": "#LowFI:VBExpensiveLoop\n*Worm:Win32/Gamarue [Static Pe Anomaly \u2022\nContains Pe Overlay \u2022\nBinary Yara]\n- Win32/Dofoil.R CnC Beacon |\nAlerts:\n\u2022 suspicious_iocontrol_codes\n\u2022 physical_drive_access", "modified": "2025-09-13T06:02:44.359000", "created": "2025-08-14T06:19:01.666000", "tags": [ "lowfi", "united", "entries", "passive dns", "open ports", "next associated", "ipv4", "pulse pulses", "urls", "files", "domain", "address", "creation date", "name servers", "date", "hostname add", "dynamicloader", "medium", "fake", "high", "post", "show", "search", "observed http", "reg add", "copy", "write", "june", "malware", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "pattern match", "ascii text", "mitre att", "ck id", "null", "error", "click", "body", "august", "hybrid", "general", "local", "path", "strings", "refresh", "tools", "meta", "onload", "span", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "mask", "generator" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 175, "FileHash-SHA1": 180, "FileHash-SHA256": 458, "URL": 436, "domain": 69, "hostname": 156, "email": 1, "SSLCertFingerprint": 9 }, "indicator_count": 1484, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68958d96a43dd0d3b5a65220", "name": "Mirai Communication Networks Inc", "description": "BGP Mirai Communication Networks Inc. May be used for Red Hat activities considered enterprise open source solutions. Used for adversarial motives. Abuse.\nResearched a device-local-**********.remotewd.com found in last residential community a monitored target lived.", "modified": "2025-09-07T05:03:49.633000", "created": "2025-08-08T05:39:34.315000", "tags": [ "united", "unknown ns", "moved", "passive dns", "ip address", "cloudfront x", "hio50 c1", "a domains", "domains", "meta", "mirai", "apache", "url hostname", "server response", "google safe", "learn", "ck id", "name tactics", "suspicious", "informative", "spawns", "command", "found", "mitre att", "ck techniques", "sha256", "sha1", "ascii text", "pattern match", "size", "null", "refresh", "body", "span", "august", "hybrid", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "defense evasion", "t1480 execution", "file defense", "show technique", "ck matrix", "adversaries", "general", "starfield", "iframe", "onload", "status", "urls", "domain", "name servers", "hostname", "files", "files ip", "certificate", "urls show", "results aug", "entries", "show process", "utf8", "crlf line", "network traffic", "title error", "next associated", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "equiv content", "win32", "trojan", "servers", "search", "whois show", "record value", "emails", "name legal", "department name", "address po", "city seattle", "present oct", "present jul", "present dec", "present aug", "files domain", "files related", "related tags", "none google", "safe browsing", "external", "data upload", "extraction", "include review", "exclude sugges", "uny inuuue", "find s", "extr", "typ dom", "failed", "extri data", "mirai meta", "japan unknown", "miraipcok meta", "overview ip", "address", "location united", "asn as15169", "nameservers", "less whois", "registrar", "overview domain", "address domain", "ip whois", "title", "create c", "read c", "delete", "write", "medium", "create", "showing", "rgba", "next", "dock", "execution", "malware", "sqlite rollback", "jfif", "journal", "regsetvalueexa", "ascii", "regdword", "baidu", "url add", "http", "related nids", "files location", "flag united", "redacted for", "unknown aaaa", "hostname add", "url analysis", "encrypt", "date", "germany unknown", "ascio", "creation date", "alfper", "ipv4 add", "reverse dns", "mozilla", "set spray", "pty ltd", "date checked", "present jun", "present nov", "present may", "present mar", "present sep", "present jan", "for privacy", "lngen", "ransom", "virtool", "exploit", "as133618", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "asn as133618", "whois registrar", "ietfdtd html", "gmt server", "debian", "dynamicloader", "unknown", "feat", "query", "installer", "results oct", "results jan", "aaaa", "tlsv1", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "lowfi", "urlshortner aug", "urlshortner jul", "urlshortner", "write c", "high", "et exploit", "probe ms17010", "f codeoverlap", "copy", "contacted", "w3wwhb", "svwjh5dd u", "uv5b usvwu", "f us3v9", "cu codeoverlap", "filehash", "sha256 add", "monitored target", "sloffeefoundry.com", "apple", "samsung", "galaxy", "msie", "windows nt", "wow64", "slcc2", "media center", "persistence", "edge", "bing", "racism", "amazon music", "ios", "twitter", "googleapis", "denver" ], "references": [ "Researched: 210.172.192.15 | p192015.mirai.ne.jp | sanso-mirai.jp", "Mirai Communication Network Inc. (AS7690) Seto, Japan ASN is a BGP Network", "*ccm-command-center.int.m1np.symetra.cloud", "Monitored Target/s", "https://hybrid-analysis.com/sample/ff37a006ed8677bafa412d653ce9adfe84744702f28f7dfe9f5f4ec51b599419/689505a3a647793a0300f73f", "https://hybrid-analysis.com/sample/d30cf86f09e3ab7bb7d0a4ac2608aafb31e07c94fe77f5a264ccdb35fe153c59/689505ded9be5613900509fd", "https://hybrid-analysis.com/sample/f6e628e57373bf795bae87c883dcaefdbb720960133edc1adacc6146d10fc88a", "https://otx.alienvault.com/indicator/ip/210.172.192.15", "https://otx.alienvault.com/indicator/domain/sanso-mirai.jp", "device-local-**********. remotewd.com", "https://sms-apple.com/login", "https://www.exito.com/galaxy-m12-64-gb-negro-samsung-sm-m127fzkkcoo-3016108/p", "https://4.img-dpreview.com/files/p/articles/2356747397/samsung_nv24hd_bk.jpeg", "https://shell-gift.website/sweeps/de/amazon-voucher/question1000-agg/index.html?uclick=qdlpqnvr&uclickhash=qdlpqnvr-qdlpqnvr-pmwj-0-xsi4-hovr-hoi4-9b6533", "api.omgpornpics.com", "http://www.mylifelawyer.com/services/denver-affordable-lawyer-child-custody/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Crypt-142", "display_name": "Win.Trojan.Crypt-142", "target": null }, { "id": "#Lowfi:SIGATTR:URLShortner", "display_name": "#Lowfi:SIGATTR:URLShortner", "target": null }, { "id": "Win.Trojan.14278494-1", "display_name": "Win.Trojan.14278494-1", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ransom:Win32/WannaCrypt.H", "display_name": "ransom:Win32/WannaCrypt.H", "target": "/malware/ransom:Win32/WannaCrypt.H" }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Mirai Communications", "display_name": "Mirai Communications", "target": null }, { "id": "Alfper", "display_name": "Alfper", "target": null }, { "id": "telper:HSTR:CLEAN:Ninite", "display_name": "telper:HSTR:CLEAN:Ninite", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8962, "domain": 1671, "hostname": 2125, "FileHash-SHA256": 2031, "FileHash-MD5": 718, "FileHash-SHA1": 523, "SSLCertFingerprint": 12, "email": 7, "CVE": 1 }, "indicator_count": 16050, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "224 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688716977e80a4274f2eafa9", "name": "LeadIQ | The Smart B2B Prospecting Platform | Malware Packed | Agent Tesla & more", "description": "Found in Bot joining Pulse.", "modified": "2025-08-27T06:03:05.020000", "created": "2025-07-28T06:20:07.660000", "tags": [ "present jul", "united", "entries", "search", "moved", "ip address", "creation date", "record value", "date", "showing", "body", "meta", "passive dns", "next associated", "win32spigot apr", "title error", "ipv4 add", "pulse pulses", "urls", "files", "adaptivebee", "worm", "win32", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "location united", "asn asnone", "nameservers", "less whois", "registrar", "csc corporate", "status", "servers", "name servers", "hostname", "hostname add", "a domains", "script urls", "unknown aaaa", "technology one", "script script", "certificate", "null", "trojan", "twitter", "domain", "files ip", "address domain", "ip related", "pulses otx", "virtool", "http", "present jun", "present may", "pulse submit", "url analysis", "reverse dns", "australia asn", "as55532 squiz", "dns resolutions", "overview ip", "address", "ipv4", "iocs", "data upload", "extraction", "ided iocs", "failed", "shaw", "ail tvnas", "rl irl", "domain add", "ostname add", "verdict", "show", "types", "type", "indicator data", "searc type", "a indicator", "data", "select across", "all pages", "domain domain", "checked url", "hostname server", "response ip", "address google", "safe browsing", "msie", "chrome", "present dec", "base", "read c", "port", "destination", "delete", "copy", "write", "memcommit", "cryptexportkey", "invalid pointer", "writeconsolea", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "ascii text", "crlf line", "mitre att", "error", "click", "hybrid", "local", "path", "starfield", "strings", "refresh", "tools", "onload", "span", "form", "adversaries", "windows nt", "generic http", "exe upload", "inbound", "outbound", "yara detections", "malware", "expiration date", "whois show", "name andrew", "bauer name", "div id", "beginstring", "beginerror", "script", "general", "cloud", "find", "footer", "ninite feb", "telper", "ninite mar", "ninite apr", "trojandropper", "mtb mar", "url https", "general full", "security tls", "software", "resource hash", "protocol h2", "frankfurt", "main", "germany", "input", "skype", "opciones", "july", "es form", "dom name", "post https", "imagen", "microsoft", "iniciar sesin", "value", "variables", "config", "debug", "loader", "geturl", "b function", "addlistener", "proof", "amazon02", "dk summary", "amazon rsa", "september", "browsing", "resource", "asn16509", "name value", "queueprogress", "timestamp input", "status actions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 487, "FileHash-SHA1": 461, "URL": 10732, "domain": 1672, "email": 6, "hostname": 3039, "FileHash-SHA256": 2569, "SSLCertFingerprint": 7 }, "indicator_count": 18973, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "235 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688343b9e60e8693f50e515f", "name": "Cycbot & worse - Palantir Monitoring Target/s", "description": "Palantir \u2022 Gotham \u2022 Foundry Top tier sells tools used to monitor, harass, smear , invoke fear, even \u2018kill\u2019. Used by military., too many partners to name (includes the entire government., heavy military, NSA use) of course Twitter, Apple Facebook, Pegasus related, possibly Paragon if what I\u2019ve read and researched is true. *There are 188 Palantir Foundry links in this pulse. ||\nMonitored target || Apparently ,\u2018tool\u2019 is weaponized against civilians for unknown and unwarranted purposes. || Lofty and unclear how or why a manner of death of target was predicted and posted online 12 years ago. || More research is needed.\n\nMalware named was found in research. \n\n #targeted #rip #palantir #foundry #gotham #twitter #techbromafia #silencing #overreach #quasi_gov #ongoing #active #moved #dangerous", "modified": "2025-08-24T06:01:34.920000", "created": "2025-07-25T08:43:37.734000", "tags": [ "status", "united", "unknown ns", "passive dns", "urls", "creation date", "search", "emails", "date", "expiration date", "tcp include", "top source", "top destination", "show", "source source", "data upload", "extraction", "showing", "moved", "certificate", "ip address", "domain", "body", "present jul", "present jun", "present aug", "present sep", "trojan", "name servers", "twitter", "vtflooder", "foundry", "virustotal", "gotham", "palantir", "tools", "destination", "port", "msie", "windows nt", "unknown", "read c", "etpro trojan", "malware", "copy", "write", "infostealer", "possible", "virustotal", "copyleft", "present jan", "entries", "next associated", "ipv4 add", "pulse submit", "url analysis", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "discovery att", "hostname add", "files", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "ascii text", "mitre att", "pattern match", "show technique", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "look", "verify", "restart", "se extri", "referen", "etpro tr", "virtool", "referencec", "failed", "se extra", "eanioae", "include review", "exclude sugges", "includec review", "exclude", "suggest data", "open ports", "reverse dns", "location united", "america flag", "boardman", "t1045", "ck ids", "packing", "t1060", "run keys", "startup", "folder", "t1057", "discovery", "t1071", "value emails", "name domain", "org microsoft", "microsoft way", "city redmond", "country us", "dnssec", "t1012", "t1047", "instrumentation", "t1053", "taskjob", "spyware", "source", "signing defense", "size", "meta", "onload", "dynamicloader", "unicode text", "crlf line", "utf8", "medium", "write c", "default", "delphi", "win32", "code", "stream", "next", "akamai rank", "show process", "prefetch2", "dns server", "network traffic", "virus", "monitored target", "tofsee", "generic http", "exe upload", "inbound", "outbound", "delete", "yara detections", "markus", "flowid22101", "pixelevtid11771", "dvid", "urls show", "date checked", "188 palantir results", "adversaries", "development att", "ssl certificate", "flag", "stop", "facebook", "4328", "5943", "stealer", "unknown aaaa", "present may", "domain add", "hyundaitx", "twitter", "monitored tsara", "brashears", "apple", "ios", "remote", "cycbot", "maudio fw", "heur", "productversion", "fileversion", "maudio firewire" ], "references": [ "palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/", "247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com", "ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain", "Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)", "ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection", "platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/", "http://legal.twitter.co \u2022 http://mobile.twitter.co/", "ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com", "https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com", "https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com", "https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com", "https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com", "https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/", "https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com", "https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com", "https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com", "tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com", "https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022", "https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/", "Hostname: hcl-dna-sandbox.palantirfoundry.com", "https://www.hyundaitx.com/", "ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check", "https://remote.downloadnow-1.com/", "Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp", "Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection", "Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source", "Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004", "Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |", "ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Vtflooder-9783271-0", "display_name": "Win.Malware.Vtflooder-9783271-0", "target": null }, { "id": "Trojan.Kazy-237", "display_name": "Trojan.Kazy-237", "target": null }, { "id": "Trojan.Vundo-5335", "display_name": "Trojan.Vundo-5335", "target": null }, { "id": "Generic31.BKFG", "display_name": "Generic31.BKFG", "target": null }, { "id": "Win.Packed.Krucky-6941986-0", "display_name": "Win.Packed.Krucky-6941986-0", "target": null }, { "id": "ALF:HSTR:KrunchyMalPacker!MTB", "display_name": "ALF:HSTR:KrunchyMalPacker!MTB", "target": null }, { "id": "Win.Trojan.Agent-920890", "display_name": "Win.Trojan.Agent-920890", "target": null }, { "id": "Win.Trojan.Jorik-10365", "display_name": "Win.Trojan.Jorik-10365", "target": null }, { "id": "Trojan.Adload-2492", "display_name": "Trojan.Adload-2492", "target": null }, { "id": "Trojan.Spy-59563", "display_name": "Trojan.Spy-59563", "target": null }, { "id": "Ransom:Win32/Cryptor", "display_name": "Ransom:Win32/Cryptor", "target": "/malware/Ransom:Win32/Cryptor" }, { "id": "Win32/Blacked", "display_name": "Win32/Blacked", "target": null }, { "id": "Win.Trojan.Cycbot-764", "display_name": "Win.Trojan.Cycbot-764", "target": null }, { "id": "Trojan.VB-47534", "display_name": "Trojan.VB-47534", "target": null }, { "id": "Backdoor:Win32/Drixed.J ,", "display_name": "Backdoor:Win32/Drixed.J ,", "target": "/malware/Backdoor:Win32/Drixed.J ," }, { "id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "Malware Tool", "display_name": "Malware Tool", "target": null }, { "id": "Palantir Spyware", "display_name": "Palantir Spyware", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4203, "domain": 1218, "email": 9, "hostname": 2006, "FileHash-SHA256": 2740, "FileHash-MD5": 424, "FileHash-SHA1": 419, "SSLCertFingerprint": 12 }, "indicator_count": 11031, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6874b2f986cefd9575013e6c", "name": "", "description": "", "modified": "2025-08-13T07:05:31.278000", "created": "2025-07-14T07:34:17.604000", "tags": [ "size81b", "search", "write c", "united", "show", "showing", "entries", "tlsv1", "pe32 executable", "intel", "ms windows", "win64", "unknown", "write", "next", "encrypt", "guard", "powershell", "malware", "service", "copy", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "re att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "ascii text", "mitre att", "meta", "null", "path", "error", "body", "click", "date", "roboto", "hybrid", "general", "local", "starfield", "strings", "refresh", "tools", "onload", "span", "iframe" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 50, "URL": 29, "FileHash-MD5": 44, "FileHash-SHA1": 33, "SSLCertFingerprint": 5, "domain": 20, "hostname": 14 }, "indicator_count": 195, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "249 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68743465f53cdee0dcd25195", "name": "Attack on LevelBlue - OTX | Stealer? Cloudfront?", "description": "Strange incidents on OTX.\n1. Can\u2019t finish adding IoC\u2019s for a small\nOlor large pulse.\n2. I can annotate in rare occasions.\n3. The worst is there is a team of us working on Tsara Brashears using this tool on downtime. Yesterday there were over 1000 pulses now there are more only 144. There were 100\u2019s of indicators now it read 0 indicators on my end. 4. Tsara or Tsara Brashears goes to an IP with an unsigned signature 5. Receiving emails re: pulses pulsed years ago. ||\n\nThis is the second time and the largest grab. Other pulses are missing information regarding very concerning IoC\u2019s. The information truly needs to be restored. It is checked every time there is a login. \n\nFurther research is needed, the information is being stolen quickly and all devices ever used are still available. \n\n\nOpen Threat Exchange, I feel threatened. I noticed malware expert dorkingbeauty (and others with related content) has some pulses with 0 IoC\u2019s and has seemingly abandoned platform?", "modified": "2025-08-12T00:00:35.297000", "created": "2025-07-13T22:34:13.242000", "tags": [ "data upload", "extraction", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "levelblue", "open threat", "exchange og", "levelblue open", "threat exchange", "exchange", "cloudfront", "contenttype", "connection", "date sun", "gmt etag", "united", "country", "alienvault name", "server", "date", "flag", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "size", "script", "segoe ui", "div id", "beginstring", "meta", "null", "error", "body", "click", "roboto", "path", "strings", "refresh", "tools", "onload", "span", "iframe", "pattern match", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "show process", "utf8", "crlf line", "unicode text", "local", "starfield", "command", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "y ts", "include review", "exclude sugges", "uny incuat", "find s", "typ no", "failed", "extra data", "included ous", "review ic", "excludea tous", "suggeste data", "find suresteu", "type indicaloka" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 107, "FileHash-SHA256": 187, "hostname": 25, "FileHash-MD5": 30, "FileHash-SHA1": 31, "domain": 30, "SSLCertFingerprint": 3 }, "indicator_count": 413, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684b22bdc77f5036b2e583d4", "name": "AWS (DGA) Network Rats - Unknown Cyber defense entity threats", "description": "Network Rat\nI can\u2019t add much. The IoC\u2019s have been whitelisted. There are connection errors and self deleting compromises. Based on research the IoC were a part of a Global pattern of malware advertising, network rats, stealthy effective defense evasion, botnets and all manner of compromise.\nDGA domains everywhere. Potentially related to rogue red team behavior with hackers of the highest level of abilities. This graph won\u2019t be able to show anything. As I researched many IoC\u2019s self deleted.\nI\u2019m impressed.", "modified": "2025-07-12T09:00:04.754000", "created": "2025-06-12T18:55:57.189000", "tags": [ "port", "destination", "bad login", "show", "high", "tcp syn", "search", "showing", "entries", "icmp traffic", "copy", "malware", "strings", "india unknown", "passive dns", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "location india", "mumbai", "india asn", "date", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "size", "mitre att", "ck id", "show technique", "ck matrix", "null", "span", "error", "body", "june", "hybrid", "general", "local", "path", "click", "refresh", "tools", "all ipv4", "learn", "name tactics", "suspicious", "informative", "adversaries", "spawns", "command", "found", "yara detections", "mirai", "pattern match", "meta", "onload", "ascii text", "look", "verify", "restart", "ck techniques", "evasion att" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 20, "FileHash-MD5": 112, "FileHash-SHA1": 123, "FileHash-SHA256": 103, "URL": 102, "domain": 27 }, "indicator_count": 487, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "281 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6761c6d68582c49eff306fe6", "name": "Likely malicious Google Analytics Alternative - App & Web Analytics - Matomo", "description": "The full text of the \"suspicious\"obfuscation using unescape has been published on the website tylabs.com, as well as the official release of a new version of PDF.", "modified": "2025-05-14T21:24:25.364000", "created": "2024-12-17T18:45:42.250000", "tags": [ "bitcoin address", "didier stevens", "didierstevens", "bitcoinaddress", "june", "copyright", "t1027", "unesc", "unescape", "flash define", "matomo", "string", "date", "sufeffxa0", "regexp", "please", "blob", "null", "tag manager", "link", "url https", "ipv4", "url http", "learn", "it for", "no credit", "cloud trial", "start", "contact", "matomo team", "help", "free", "easy", "tools" ], "references": [ "https://matomo.org https://matomo.www.gov.pl/analytics/js/container_68lYTZ79.js", "https://www.filescan.io/uploads/67619a0f99caec9a276f9efd/reports/92e63ab1-1ebd-41a7-90da-f842f0b90392/details" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 62, "YARA": 8, "domain": 83, "URL": 657, "email": 3, "hostname": 152, "IPv4": 15, "CIDR": 1, "FileHash-SHA1": 57, "FileHash-SHA256": 734 }, "indicator_count": 1772, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "340 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "343 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c994c8b145925072b6583a", "name": "Private Loader cyber threat - Sliq.net | https://house.mo.gov", "description": "Link found active in https://house.mo.gov. \nhttps://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1 |", "modified": "2024-03-13T03:00:40.889000", "created": "2024-02-12T03:47:20.138000", "tags": [ "ssl certificate", "threat roundup", "referrer", "historical ssl", "remcos rat", "august", "iocs", "contacted", "qakbot", "june", "service", "privateloader", "amadey", "blacknet rat", "qbot", "cobalt strike", "push", "core", "malformed domains", "sliq", "typosquatting", "malware", "network", "dns", "spyware", "access", "remote", "cyber threat", "virus network", "command and control", "remote connections", "exploits", "injection", "legislature", "trojan", "scanning host", "threat analyzer", "threat", "paste", "urls https", "locationchamber", "viewmode3", "hostnames", "url https", "false layer", "http" ], "references": [ "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "https://www.facebooksunglassshop.com [pegasus related]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Technology", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 36, "FileHash-SHA256": 1384, "CVE": 5, "URL": 1865, "domain": 222, "hostname": 648 }, "indicator_count": 4216, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab679e6ff8544ecf11962", "name": "Private Loader cyber threat - Sliq.net | https://house.mo.gov ", "description": "", "modified": "2024-03-13T03:00:40.889000", "created": "2024-02-13T00:23:21.062000", "tags": [ "ssl certificate", "threat roundup", "referrer", "historical ssl", "remcos rat", "august", "iocs", "contacted", "qakbot", "june", "service", "privateloader", "amadey", "blacknet rat", "qbot", "cobalt strike", "push", "core", "malformed domains", "sliq", "typosquatting", "malware", "network", "dns", "spyware", "access", "remote", "cyber threat", "virus network", "command and control", "remote connections", "exploits", "injection", "legislature", "trojan", "scanning host", "threat analyzer", "threat", "paste", "urls https", "locationchamber", "viewmode3", "hostnames", "url https", "false layer", "http" ], "references": [ "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "https://www.facebooksunglassshop.com [pegasus related]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Technology", "Civil Society" ], "TLP": "white", "cloned_from": "65c994c8b145925072b6583a", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 36, "FileHash-SHA256": 1384, "CVE": 5, "URL": 1865, "domain": 222, "hostname": 648 }, "indicator_count": 4216, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page", "MultipeerConnectivity.apinotes", "AirPlayReceiver.tbd", "process_list.txt", "irbrc", "Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/", "master.cf", "master.cf.proto", "ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain", "group", "arm64e-apple-ios-macabi.swiftinterface", "launchD.csv", "UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic", "Monitored Target/s", "apfs_boot_mount.tbd", "generic", "https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com", "https://www.filescan.io/uploads/67619a0f99caec9a276f9efd/reports/92e63ab1-1ebd-41a7-90da-f842f0b90392/details", "sudo_lecture", "247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com", "platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/", "rc.netboot", "upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com", "ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com", "manpaths", "csh.login", "usbDevices.csv", "Researched: 210.172.192.15 | p192015.mirai.ne.jp | sanso-mirai.jp", "Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection", "paths", "main.cf.default", "rtadvd.conf", "Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com", "newsyslog.conf", "MultipeerConnectivity.tbd", "engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com", "ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check", "campdeadwood2026.com", "AppleFirmwareUpdate.tbd", "External Hosts Israel Unique Countries 2 Unique ASNs 2 IP", "device-local-**********. remotewd.com", "http://www.mylifelawyer.com/services/denver-affordable-lawyer-child-custody/", "AOSKit.tbd", "systemInfo.csv", "com.apple.screensharing.agent.launchd", "Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra", "mounts.txt", "https://www.exito.com/galaxy-m12-64-gb-negro-samsung-sm-m127fzkkcoo-3016108/p", "ttys", "CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match", "Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "disk_structure.txt", "sudoers", "Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766", "aliases", "https://remote.downloadnow-1.com/", "virtual", "DBIXS.h", "csh.cshrc", "palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/", "BUILDING", "https://www.hyundaitx.com/", "http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy", "dbi_sql.h", "autofs.conf", "zshrc_Apple_Terminal", "Mirai Communication Network Inc. (AS7690) Seto, Japan ASN is a BGP Network", "certificates.csv", "custom_header_checks", "transport", "main.cf", "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf", "MultipeerConnectivity.h", "us-gov-west-1.gov.reveal-global.com", "IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5", "ldap.h", "dbd_xsh.h", "medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com", "kern_loader.conf", "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)", "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "content-negotiation.html", "interfaceAddrs.csv", "sharedFolders.csv", "AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel", "systemControls.csv", "afpovertcp.cfg", "United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel", "resolv.conf", "*ccm-command-center.int.m1np.symetra.cloud", "https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com", "preboot_archive_errors.log", "rmtab", "Info.plist", "22.hio52.r.cloudfront.net", "security_status.txt", "csh.logout", "CodeOverlap | All malware listed exists", "Driver_xst.h", "MCPeerID.h", "bounce.cf.default", "gettytab", "All #tags auto populated.", "smb.conf", "https://otx.alienvault.com/indicator/domain/sanso-mirai.jp", "https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com", "MCNearbyServiceBrowser.h", "module.modulemap", "MCSession.h", "https://matomo.org https://matomo.www.gov.pl/analytics/js/container_68lYTZ79.js", "dbivport.h", "main.cf.proto", "networks", "ASN 82.80.204.63 www5.incredimail.com \u2022 Israel", "(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.", "Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)", "xtab", "api.omgpornpics.com", "access", "launchagents.txt", "kernel.csv", "DiabloFans ClapBack: Google. Com", "tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com", "man.conf", "lber.h", "managedPolicies.csv", "https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com", "mail.rc", "https://4.img-dpreview.com/files/p/articles/2356747397/samsung_nv24hd_bk.jpeg", "rpc", "relocated", "mounts.csv", "MetrobyT-mobile", "launchdaemons.txt", "header_checks", "profile", "zshrc", "www.killer333.club So I\u2019m right.", "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd", "custom-error.html", "MCAdvertiserAssistant.h", "caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com", "https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com", "user_launchagents.txt", "x86_64-apple-ios-macabi.swiftinterface", "chromeExtensions.csv", "https://hybrid-analysis.com/sample/d30cf86f09e3ab7bb7d0a4ac2608aafb31e07c94fe77f5a264ccdb35fe153c59/689505ded9be5613900509fd", "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev", "auto_home", "https://sms-apple.com/login", "us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647", "https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/", "kexts.txt", "ftpusers", "http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/", "pf.os", "index.html.en", "MCError.h", "command_args.json", "canonical", "notify.conf", "shells", "zprofile", "bashrc_Apple_Terminal", "Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source", "Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match", "crashes.csv", "postfix-files", "TLS_LICENSE", "bashrc", "LICENSE", "https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com", "users.csv", "auto_master", "ntp_opendirectory.conf", "Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.", "MCBrowserViewController.h", "https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com", "http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com", "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler", "https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a", "LocalAuthentication.tbd", "LDAP.tbd", "What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co", "ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022", "https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com", "rc.common", "blog.manpowergroup.com.py (aww like dadvocates)", "http://legal.twitter.co \u2022 http://mobile.twitter.co/", "bind.html", "https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com", "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "battery.csv", "protocols", "ntp.conf", "https://glare.pali om. \u2022 http://engage.palantirfou?", "Hostname: hcl-dna-sandbox.palantirfoundry.com", "caching.html", "sharingPreferences.csv", "APConfigurationSystem.tbd", "Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon", "locate.rc", "Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp", "arm64e-apple-macos.swiftinterface", "Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "https://hybrid-analysis.com/sample/ff37a006ed8677bafa412d653ce9adfe84744702f28f7dfe9f5f4ec51b599419/689505a3a647793a0300f73f", "https://www.facebooksunglassshop.com [pegasus related]", "Pornhub to your phone. Dumping or by request?", "CodeResources", "https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com", "hook_op_check.h", "pf.conf", "Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection", "https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/", "master.cf.default", "ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996", "nfs.conf", "etcHosts.csv", "Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004", "www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!", "makedefs.out", "Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)", "syslog.conf", "applications.csv", "https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/", "passwd", "version.plist", "https://otx.alienvault.com/indicator/ip/210.172.192.15", "dbixs_rev.h", "Admin.tbd", "configuring.html", "diskEncryption.csv", "sipConfig.csv", "asl.conf", "MCNearbyServiceAdvertiser.h", "find.codes", "interfaceDetails.csv", "https://shell-gift.website/sweeps/de/amazon-voucher/question1000-agg/index.html?uclick=qdlpqnvr&uclickhash=qdlpqnvr-qdlpqnvr-pmwj-0-xsi4-hovr-hoi4-9b6533", "x86_64-apple-macos.swiftinterface", "https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022", "convenience.map", "https://hybrid-analysis.com/sample/f6e628e57373bf795bae87c883dcaefdbb720960133edc1adacc6146d10fc88a" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "DragonForce Malaysia Hacker Group" ], "malware_families": [ "Trojan.vundo-5335", "Lastname", "Win.trojan.jorik-10365", "Trojan.vb-47534", "Amadey", "Win.trojan.filerepmalware-10008115-0", "Trojan.kazy-237", "Telper:hstr:clean:ninite", "Win.packed.krucky-6941986-0", "Formbook", "Trojan.adload-2492", "Win32/blacked", "Mirai communications", "Trojan.spy-59563", "Qakbot", "Ransom:win32/cryptor", "Win.packer.pkr_ce1a-9980177-0", "Alf:heraklezeval:ransom:win32/cve", "Code overlap", "Tofsee", "Firstname", "Privateloader", "Trojan.win32.banload", "Win.trojan.crypt-142", "Alfper", "Blacknet rat", "Win.malware.incredimail-6804483-0", "Virus.virlock/nabucur", "Trojan.win32.fakemalard", "Emotet", "Alf:hstr:krunchymalpacker!mtb", "Too much to search for", "#lowfi:sigattr:urlshortner", "#lowfi:aggregator:hasknownadwaredomain_nsisbundler.", "Cobalt strike", "Backdoor:win32/drixed.j ,", "Win.virus.polyransom-5704625-0", "Alf:heraklezeval:pws:win32/ldpinch!rfn", "Qbot", "Win.trojan.cycbot-764", "Palantir spyware", "Malware", "Generic31.bkfg", "Trojan:win32/vflooder", "Win.trojan.agent-920890", "Malware tool", "Win.malware.vtflooder-9783271-0", "Win.malware.tfuvtcog-7194372-0", "Win.trojan.14278494-1", "Mirai", "#virtool:win32/obfuscator.adb", "Ransom:win32/wannacrypt.h", "Unix.dropper.mirai-7135870-0" ], "industries": [ "Civil society", "Telecommunications", "Government", "Media", "Medical", "Technology", "Government." ], "unique_indicators": 125989 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/example.com", "whois": "http://whois.domaintools.com/example.com", "domain": "example.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 19, "pulses": [ { "id": "69640c0afc9805a6fa2da07b", "name": "MUSO.AI Malware \u2018Incredimail\u2019 Palantir in use[OTX auto populated title -Tsara Brashears]", "description": "MUSO.Ai , Is have to do more research. Some searches on reports MUSO as an opt in resource for artist to view, sort, and manage legacy credits, MUSO also collects royalties. Research and investigation confirms no one on music team is associated with or l thinks they may have heard of MUSO. Is MUSO. AI Palantir customer or service ,spy app services by the folks at Palantir. . [otx auto pop praise: Tsara Brashears is the most popular songwriter in the world, but can you use the app to find out more about the artist and the musicians behind the tracks?] cute. \n#dembiak #palantir #muso #ai", "modified": "2026-02-10T20:03:47.214000", "created": "2026-01-11T20:46:02.176000", "tags": [ "lark kdence", "zack dare", "zafira", "jon bonus", "andy flebbe", "div div", "present nov", "a domains", "united", "script urls", "div a", "script domains", "discover", "moved", "insert", "x0 tw", "urls", "cloudfront x", "title error", "url analysis", "reverse dns", "servers", "name servers", "united states", "all ipv4", "aaaa", "ip address", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "evasion att", "t1480 execution", "ascii text", "mitre att", "pattern match", "null", "error", "click", "hybrid", "general", "local", "path", "starfield", "strings", "refresh", "tools", "meta", "onload", "span", "data upload", "extraction", "type", "extra", "referen https", "include review", "exclude sugges", "stop", "aivoes typ", "passive dns", "date", "united states", "status", "domain add", "files", "hostname", "read c", "medium", "search", "show", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "amazon02", "as autonomous", "system", "asn16509", "domain", "current dns", "a record", "as16509", "december", "ip information", "ipasns ip", "google", "fastly", "googlecl", "akamaias", "cloudflar", "domain tree", "links ip", "address as", "cisco", "umbrella rank", "general full", "url https", "software", "resource hash", "protocol h2", "security tls", "hostname add", "challengescript", "captchascript", "name", "value", "source level", "url text", "automatic", "webgl", "please", "extr data", "data", "size", "title", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "entries", "rgba", "unicode", "asnone", "malware", "port", "destination", "tlsv1", "tls handshake", "failure", "roboto", "msie", "windows nt", "wow64", "slcc2", "media center", "expiration", "url http", "no expiration", "present jan", "unknown ns", "certificate", "body", "present oct", "present may", "present dec", "present sep", "present feb", "showing", "next associated", "all se", "pulse pulses", "http", "files domain", "files related", "pulses none", "debiak", "tsara brashears", "ai", "palantir", "muso ai", "sort", "artists", "royalties", "music", "songwriter", "collect", "view", "malicious app", "false claims" ], "references": [ "https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a", "22.hio52.r.cloudfront.net", "us-gov-west-1.gov.reveal-global.com", "us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647", "MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page", "External Hosts Israel Unique Countries 2 Unique ASNs 2 IP", "ASN 82.80.204.63 www5.incredimail.com \u2022 Israel", "United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel", "AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel", "Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)", "IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5", "Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com", "medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com", "caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com", "upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com", "https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/", "http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com", "https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com", "engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com", "https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com", "http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/", "https://glare.pali om. \u2022 http://engage.palantirfou?", "What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co", "(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022", "www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!", "campdeadwood2026.com", "http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy", "Pornhub to your phone. Dumping or by request?", "https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/", "www.killer333.club So I\u2019m right." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Incredimail-6804483-0", "display_name": "Win.Malware.Incredimail-6804483-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "TA0028", "name": "Persistence", "display_name": "TA0028 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10686, "hostname": 2427, "domain": 1094, "FileHash-MD5": 175, "FileHash-SHA1": 65, "FileHash-SHA256": 1118, "email": 4, "SSLCertFingerprint": 14 }, "indicator_count": 15583, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d877e28416d81633bae1ad", "name": "PolyRansom attack through malicious actor on threat platforms", "description": "Virlock , PolyRansom and multiple other attacks through malicious actor using social engineering tactics. Has a rigged platform. Goal -\n to gain complete command and control of users in great platforms. Has infected at least a single device.\n#domainrobot #socialengineeeing #Tofsee\n#Trojan:Win32/Vflooder\n#Unix.Dropper.Mirai-7135870-0\n#Virus.Virlock/Nabucur\n#Win.Packer.pkr_ce1a-9980177-0\n#Win.Virus.PolyRansom", "modified": "2025-10-27T22:02:25.163000", "created": "2025-09-27T23:48:50.976000", "tags": [ "iocs", "indicator role", "write c", "intel", "ms windows", "medium", "pe32", "delete", "ids detections", "yara detections", "write", "malware", "delete c", "windows", "high", "port", "encrypt", "tofsee", "stream", "passive dns", "http", "ip address", "related nids", "files location", "united states", "united", "win32", "trojan", "mtb may", "twitter", "hellspawn", "worm", "title", "emails", "servers", "get http", "dns resolutions", "http traffic", "command", "control ta0011", "protocol t1071", "match info", "t1573 severity", "info", "request", "windows nt", "win64", "khtml", "gecko", "response", "present sep", "aaaa", "resolved ips", "ip traffic", "displayname", "yara rule", "loaderid", "name servers", "urls", "domain robot", "mail", "moved", "media gmbh", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "manager", "shutdown", "host", "generic http", "exe upload", "inbound", "outbound", "markus", "certificate", "record value", "object", "path", "server", "registrar abuse", "contact email", "contact phone", "registrar iana", "registrar url", "diablo", "gandi sas", "gandi", "diablo attacks", "bluemind", "alberta", "domain add", "asn as16625", "akamai", "less whois", "registrar", "metrobytmobile", "t mobile", "metro", "present jul", "present jun", "present aug", "germany unknown", "germany", "invalid url", "ipv4 add", "frankfurt", "main", "no entries", "entrust", "hostname add", "files loading", "mimic", "first address", "medium attempts", "process", "explorer", "windows startup", "kuwiqsma", "match medium", "medium installs", "installs", "t regdword", "user", "ntcreatefile", "filehandle", "createfilew", "getfilesize", "blpdqe", "jjqcpluanwwhg", "u0012", "desiredaccess", "keyhandle", "ntopenkeyex", "u001aw", "u0018", "read", "next", "tags none", "file type", "date september", "am size", "imphash pehash", "richhash", "south korea", "taiwan as3462", "as21928", "china as4134", "as4766 korea", "china as4837", "as9318 sk", "as701 verizon", "verizon", "tcp syn", "infectednight", "resolverror", "tref neutral", "ck technique", "technique id", "tofsee high", "overview whois", "pulses", "tags", "related tags", "more external", "resources whois", "urlvoid", "tavao.exe", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "defense evasion", "spawns", "access att", "ascii text", "pattern match", "mitre att", "size", "meta", "null", "error", "click", "roboto", "hybrid", "general", "local", "starfield", "strings", "refresh", "tools", "onload", "span", "iframe", "found", "t1480 execution", "backdoor", "a domains", "russia", "next associated", "link", "windir", "interesting", "show technique", "ck matrix", "network traffic", "t1071", "t1057", "lowfi", "gameforprofits", "game att", "night got", "job done infected" ], "references": [ "DiabloFans ClapBack: Google. Com", "Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match", "CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match", "Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header", "Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection", "MetrobyT-mobile", "UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic", "Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.", "Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766", "Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra", "Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon", "Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Virus.Virlock/Nabucur", "display_name": "Virus.Virlock/Nabucur", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 450, "FileHash-SHA1": 435, "FileHash-SHA256": 2092, "URL": 646, "domain": 593, "SSLCertFingerprint": 9, "hostname": 657, "email": 13 }, "indicator_count": 4895, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "174 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d877d6231fc1cbe1792ee1", "name": "PolyRansom attack through malicious actor on threat platforms", "description": "Virlock , PolyRansom and multiple other attacks through malicious actor using social engineering tactics. Has a rigged platform. Goal -\n to gain complete command and control of users in great platforms. Has infected at least a single device.\n#domainrobot #socialengineeeing #Tofsee\n#Trojan:Win32/Vflooder\n#Unix.Dropper.Mirai-7135870-0\n#Virus.Virlock/Nabucur\n#Win.Packer.pkr_ce1a-9980177-0\n#Win.Virus.PolyRansom", "modified": "2025-10-27T22:02:25.163000", "created": "2025-09-27T23:48:38.895000", "tags": [ "iocs", "indicator role", "write c", "intel", "ms windows", "medium", "pe32", "delete", "ids detections", "yara detections", "write", "malware", "delete c", "windows", "high", "port", "encrypt", "tofsee", "stream", "passive dns", "http", "ip address", "related nids", "files location", "united states", "united", "win32", "trojan", "mtb may", "twitter", "hellspawn", "worm", "title", "emails", "servers", "get http", "dns resolutions", "http traffic", "command", "control ta0011", "protocol t1071", "match info", "t1573 severity", "info", "request", "windows nt", "win64", "khtml", "gecko", "response", "present sep", "aaaa", "resolved ips", "ip traffic", "displayname", "yara rule", "loaderid", "name servers", "urls", "domain robot", "mail", "moved", "media gmbh", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "manager", "shutdown", "host", "generic http", "exe upload", "inbound", "outbound", "markus", "certificate", "record value", "object", "path", "server", "registrar abuse", "contact email", "contact phone", "registrar iana", "registrar url", "diablo", "gandi sas", "gandi", "diablo attacks", "bluemind", "alberta", "domain add", "asn as16625", "akamai", "less whois", "registrar", "metrobytmobile", "t mobile", "metro", "present jul", "present jun", "present aug", "germany unknown", "germany", "invalid url", "ipv4 add", "frankfurt", "main", "no entries", "entrust", "hostname add", "files loading", "mimic", "first address", "medium attempts", "process", "explorer", "windows startup", "kuwiqsma", "match medium", "medium installs", "installs", "t regdword", "user", "ntcreatefile", "filehandle", "createfilew", "getfilesize", "blpdqe", "jjqcpluanwwhg", "u0012", "desiredaccess", "keyhandle", "ntopenkeyex", "u001aw", "u0018", "read", "next", "tags none", "file type", "date september", "am size", "imphash pehash", "richhash", "south korea", "taiwan as3462", "as21928", "china as4134", "as4766 korea", "china as4837", "as9318 sk", "as701 verizon", "verizon", "tcp syn", "infectednight", "resolverror", "tref neutral", "ck technique", "technique id", "tofsee high", "overview whois", "pulses", "tags", "related tags", "more external", "resources whois", "urlvoid", "tavao.exe", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "defense evasion", "spawns", "access att", "ascii text", "pattern match", "mitre att", "size", "meta", "null", "error", "click", "roboto", "hybrid", "general", "local", "starfield", "strings", "refresh", "tools", "onload", "span", "iframe", "found", "t1480 execution", "backdoor", "a domains", "russia", "next associated", "link", "windir", "interesting", "show technique", "ck matrix", "network traffic", "t1071", "t1057", "lowfi", "gameforprofits", "game att", "night got", "job done infected" ], "references": [ "DiabloFans ClapBack: Google. Com", "Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match", "CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match", "Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header", "Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection", "MetrobyT-mobile", "UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic", "Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.", "Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766", "Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra", "Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon", "Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Virus.Virlock/Nabucur", "display_name": "Virus.Virlock/Nabucur", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 450, "FileHash-SHA1": 435, "FileHash-SHA256": 2092, "URL": 646, "domain": 593, "SSLCertFingerprint": 9, "hostname": 657, "email": 13 }, "indicator_count": 4895, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "174 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c62316b24b23e6d4c579ef", "name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades", "description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago, claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate", "modified": "2025-10-14T01:04:58.605000", "created": "2025-09-14T02:06:14.853000", "tags": [ "denver", "jeffrey reimer", "star rating", "appointment", "post", "response are", "listened", "wait", "reimer", "healthgrades", "reply flag", "doctors", "find", "jeff", "back", "aurora", "leave", "crying", "tips", "tags na", "utc scorecard", "research beacon", "utc yahoo", "dot tags", "united", "mozilla", "write c", "nsisinetc", "undetermined", "medium", "intel", "ms windows", "write", "trojan", "defender", "delphi", "win32", "malware", "win64", "local", "next", "code overlap", "dynamicloader", "as15169", "brazil as28604", "brazil as396982", "upatre", "passive dns", "title error", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "location united", "america flag", "body", "script script", "powder sdk", "a domains", "title", "script", "certificate", "hostname add", "pulse submit", "meta", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "evasion att", "t1480 execution", "signing defense", "flag", "whois privacy", "service name", "server", "contacted hosts", "ip address", "process details", "size", "div id", "beginstring", "beginerror", "null", "error", "strings", "refresh", "tools", "onload", "click", "span", "remote access" ], "references": [ "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler", "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd", "CodeOverlap | All malware listed exists", "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "All #tags auto populated.", "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf", "blog.manpowergroup.com.py (aww like dadvocates)", "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)", "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.", "display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.", "target": null }, { "id": "Win.Malware.Tfuvtcog-7194372-0", "display_name": "Win.Malware.Tfuvtcog-7194372-0", "target": null }, { "id": "Trojan.Win32.Fakemalard", "display_name": "Trojan.Win32.Fakemalard", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Trojan.Win32.Banload", "display_name": "Trojan.Win32.Banload", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Too much to search for", "display_name": "Too much to search for", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Medical", "Media", "Government." ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 609, "URL": 1550, "domain": 280, "FileHash-SHA256": 1428, "FileHash-MD5": 133, "FileHash-SHA1": 115, "SSLCertFingerprint": 4 }, "indicator_count": 4119, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c62306c74c7f57dc993d13", "name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades", "description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago, claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate", "modified": "2025-10-14T01:04:58.605000", "created": "2025-09-14T02:05:58.793000", "tags": [ "denver", "jeffrey reimer", "star rating", "appointment", "post", "response are", "listened", "wait", "reimer", "healthgrades", "reply flag", "doctors", "find", "jeff", "back", "aurora", "leave", "crying", "tips", "tags na", "utc scorecard", "research beacon", "utc yahoo", "dot tags", "united", "mozilla", "write c", "nsisinetc", "undetermined", "medium", "intel", "ms windows", "write", "trojan", "defender", "delphi", "win32", "malware", "win64", "local", "next", "code overlap", "dynamicloader", "as15169", "brazil as28604", "brazil as396982", "upatre", "passive dns", "title error", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "location united", "america flag", "body", "script script", "powder sdk", "a domains", "title", "script", "certificate", "hostname add", "pulse submit", "meta", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "evasion att", "t1480 execution", "signing defense", "flag", "whois privacy", "service name", "server", "contacted hosts", "ip address", "process details", "size", "div id", "beginstring", "beginerror", "null", "error", "strings", "refresh", "tools", "onload", "click", "span", "remote access" ], "references": [ "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler", "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd", "CodeOverlap | All malware listed exists", "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "All #tags auto populated.", "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf", "blog.manpowergroup.com.py (aww like dadvocates)", "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)", "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.", "display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.", "target": null }, { "id": "Win.Malware.Tfuvtcog-7194372-0", "display_name": "Win.Malware.Tfuvtcog-7194372-0", "target": null }, { "id": "Trojan.Win32.Fakemalard", "display_name": "Trojan.Win32.Fakemalard", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Trojan.Win32.Banload", "display_name": "Trojan.Win32.Banload", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Medical", "Media", "Government." ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 609, "URL": 1550, "domain": 280, "FileHash-SHA256": 1428, "FileHash-MD5": 133, "FileHash-SHA1": 115, "SSLCertFingerprint": 4 }, "indicator_count": 4119, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68beb866c8ed898ed0ece438", "name": "BlackieVirus . Expanded- Apple", "description": "", "modified": "2025-10-08T10:00:30.227000", "created": "2025-09-08T11:05:10.064000", "tags": [ "present may", "present apr", "unknown ns", "present sep", "unknown aaaa", "present jun", "present dec", "passive dns", "ip address", "virtool", "win32cve sep", "trojan", "mtb sep", "ipv4", "urls", "trojanspy", "united states", "dynamicloader", "ms windows", "observed dns", "query", "windows nt", "wow64", "khtml", "gecko", "pe32", "write", "media", "malware", "suspicious", "learn", "ck id", "name tactics", "informative", "command", "defense evasion", "adversaries", "spawns", "t1204 user", "mitre att", "ck matrix", "null", "error", "click", "general", "local", "path", "strings", "refresh", "tools", "meta", "onload", "span", "apple", "entries", "write c", "defender", "tencent", "hostname add", "pulse submit", "url analysis", "present jul", "present mar", "present oct", "saudi arabia", "united", "present feb", "creation date", "search", "title", "date", "botnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Win.Trojan.Filerepmalware-10008115-0", "display_name": "Win.Trojan.Filerepmalware-10008115-0", "target": null }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 951, "hostname": 1766, "URL": 4969, "FileHash-MD5": 337, "FileHash-SHA1": 317, "FileHash-SHA256": 4296, "CVE": 1, "SSLCertFingerprint": 1, "email": 1 }, "indicator_count": 12639, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a23eef53f1124e8dc273fc", "name": "Sign in to your account - Anorocuriv", "description": "Short link sent to an iPhone user possibly by accident or maybe not. Unraveled :[https://ns4.whichkill.net/]\n[https://l.us-1.a.mimecastprotect.com/l]\n[https://api-glintstage.glintinc.com/api/client/tiaa/token/saml2/consume/includeDeskLink]\n\n[https://api.glintinc.com/api/client/tiaa/token/saml2/consume/includeDeskLink]\t\n\n*api.us1.glintinc.com #malta\n*ALF:Trojan:Win32/Anorocuriv.A.#virtool #LowFI:HookwowLow \n#tracking #tiaa #locate recording #userpics #movies #audio #screen #mobile_assets #https://biccerija.gov.mt/en/contact/", "modified": "2025-09-16T20:00:00.565000", "created": "2025-08-17T20:43:27.502000", "tags": [ "url http", "url https", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "status", "msie", "chrome", "passive dns", "urls", "date", "pulse pulses", "files", "domain", "files ip", "body", "http", "hostname", "files domain", "present jan", "present dec", "united", "present aug", "present jun", "unknown aaaa", "present mar", "present may", "present feb", "present jul", "error", "a domains", "gmt content", "accept encoding", "config nocache", "hostname add", "pulse submit", "content type", "certificate", "ip address", "cookie", "mita", "next associated", "please", "x msedge", "ipv4 add", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "pattern match", "mitre att", "ascii text", "null", "click", "august", "hybrid", "general", "local", "path", "strings", "refresh", "tools", "meta", "onload", "span", "adversaries", "ssl certificate", "logo", "av detection", "default browser", "guest system", "professional", "falcon sandbox", "response risk", "ck techniques", "detection", "show process", "prefetch8", "windows nt", "win64", "khtml", "gecko", "post collect", "microsoft edge", "nota", "brand", "class", "facebook", "ascii", "hex dump", "extraction", "failed", "data upload", "pul data", "enter", "s data", "type", "extr error", "href", "mask", "extra", "uta support", "include review", "exclude sugges", "find", "wow64", "show", "observed dns", "query", "unknown", "virtool", "copy", "write", "defender", "expiro", "malware", "next", "lowfi", "hookwowlow dec", "mtb jan", "mtb nov", "hookwowlow nov", "trojan", "trojandropper", "http request", "delete", "yara detections", "pe exe", "dll windows", "minimal http", "february", "guard", "alerts", "analysis date", "file score", "detections alf", "detections http", "http executable", "retrieved", "location united", "america flag", "america asn", "urls show", "date checked", "url hostname", "server response" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 853, "hostname": 1835, "URL": 7127, "email": 3, "FileHash-SHA256": 1470, "FileHash-MD5": 293, "FileHash-SHA1": 284, "SSLCertFingerprint": 426, "CVE": 1 }, "indicator_count": 12292, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "215 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689d7fd544aa8cf483b02d5c", "name": "Sinkhole | Win32/Dofoil.R CnC Beacon", "description": "#LowFI:VBExpensiveLoop\n*Worm:Win32/Gamarue [Static Pe Anomaly \u2022\nContains Pe Overlay \u2022\nBinary Yara]\n- Win32/Dofoil.R CnC Beacon |\nAlerts:\n\u2022 suspicious_iocontrol_codes\n\u2022 physical_drive_access", "modified": "2025-09-13T06:02:44.359000", "created": "2025-08-14T06:19:01.666000", "tags": [ "lowfi", "united", "entries", "passive dns", "open ports", "next associated", "ipv4", "pulse pulses", "urls", "files", "domain", "address", "creation date", "name servers", "date", "hostname add", "dynamicloader", "medium", "fake", "high", "post", "show", "search", "observed http", "reg add", "copy", "write", "june", "malware", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "pattern match", "ascii text", "mitre att", "ck id", "null", "error", "click", "body", "august", "hybrid", "general", "local", "path", "strings", "refresh", "tools", "meta", "onload", "span", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "mask", "generator" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 175, "FileHash-SHA1": 180, "FileHash-SHA256": 458, "URL": 436, "domain": 69, "hostname": 156, "email": 1, "SSLCertFingerprint": 9 }, "indicator_count": 1484, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68958d96a43dd0d3b5a65220", "name": "Mirai Communication Networks Inc", "description": "BGP Mirai Communication Networks Inc. May be used for Red Hat activities considered enterprise open source solutions. Used for adversarial motives. Abuse.\nResearched a device-local-**********.remotewd.com found in last residential community a monitored target lived.", "modified": "2025-09-07T05:03:49.633000", "created": "2025-08-08T05:39:34.315000", "tags": [ "united", "unknown ns", "moved", "passive dns", "ip address", "cloudfront x", "hio50 c1", "a domains", "domains", "meta", "mirai", "apache", "url hostname", "server response", "google safe", "learn", "ck id", "name tactics", "suspicious", "informative", "spawns", "command", "found", "mitre att", "ck techniques", "sha256", "sha1", "ascii text", "pattern match", "size", "null", "refresh", "body", "span", "august", "hybrid", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "defense evasion", "t1480 execution", "file defense", "show technique", "ck matrix", "adversaries", "general", "starfield", "iframe", "onload", "status", "urls", "domain", "name servers", "hostname", "files", "files ip", "certificate", "urls show", "results aug", "entries", "show process", "utf8", "crlf line", "network traffic", "title error", "next associated", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "equiv content", "win32", "trojan", "servers", "search", "whois show", "record value", "emails", "name legal", "department name", "address po", "city seattle", "present oct", "present jul", "present dec", "present aug", "files domain", "files related", "related tags", "none google", "safe browsing", "external", "data upload", "extraction", "include review", "exclude sugges", "uny inuuue", "find s", "extr", "typ dom", "failed", "extri data", "mirai meta", "japan unknown", "miraipcok meta", "overview ip", "address", "location united", "asn as15169", "nameservers", "less whois", "registrar", "overview domain", "address domain", "ip whois", "title", "create c", "read c", "delete", "write", "medium", "create", "showing", "rgba", "next", "dock", "execution", "malware", "sqlite rollback", "jfif", "journal", "regsetvalueexa", "ascii", "regdword", "baidu", "url add", "http", "related nids", "files location", "flag united", "redacted for", "unknown aaaa", "hostname add", "url analysis", "encrypt", "date", "germany unknown", "ascio", "creation date", "alfper", "ipv4 add", "reverse dns", "mozilla", "set spray", "pty ltd", "date checked", "present jun", "present nov", "present may", "present mar", "present sep", "present jan", "for privacy", "lngen", "ransom", "virtool", "exploit", "as133618", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "asn as133618", "whois registrar", "ietfdtd html", "gmt server", "debian", "dynamicloader", "unknown", "feat", "query", "installer", "results oct", "results jan", "aaaa", "tlsv1", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "lowfi", "urlshortner aug", "urlshortner jul", "urlshortner", "write c", "high", "et exploit", "probe ms17010", "f codeoverlap", "copy", "contacted", "w3wwhb", "svwjh5dd u", "uv5b usvwu", "f us3v9", "cu codeoverlap", "filehash", "sha256 add", "monitored target", "sloffeefoundry.com", "apple", "samsung", "galaxy", "msie", "windows nt", "wow64", "slcc2", "media center", "persistence", "edge", "bing", "racism", "amazon music", "ios", "twitter", "googleapis", "denver" ], "references": [ "Researched: 210.172.192.15 | p192015.mirai.ne.jp | sanso-mirai.jp", "Mirai Communication Network Inc. (AS7690) Seto, Japan ASN is a BGP Network", "*ccm-command-center.int.m1np.symetra.cloud", "Monitored Target/s", "https://hybrid-analysis.com/sample/ff37a006ed8677bafa412d653ce9adfe84744702f28f7dfe9f5f4ec51b599419/689505a3a647793a0300f73f", "https://hybrid-analysis.com/sample/d30cf86f09e3ab7bb7d0a4ac2608aafb31e07c94fe77f5a264ccdb35fe153c59/689505ded9be5613900509fd", "https://hybrid-analysis.com/sample/f6e628e57373bf795bae87c883dcaefdbb720960133edc1adacc6146d10fc88a", "https://otx.alienvault.com/indicator/ip/210.172.192.15", "https://otx.alienvault.com/indicator/domain/sanso-mirai.jp", "device-local-**********. remotewd.com", "https://sms-apple.com/login", "https://www.exito.com/galaxy-m12-64-gb-negro-samsung-sm-m127fzkkcoo-3016108/p", "https://4.img-dpreview.com/files/p/articles/2356747397/samsung_nv24hd_bk.jpeg", "https://shell-gift.website/sweeps/de/amazon-voucher/question1000-agg/index.html?uclick=qdlpqnvr&uclickhash=qdlpqnvr-qdlpqnvr-pmwj-0-xsi4-hovr-hoi4-9b6533", "api.omgpornpics.com", "http://www.mylifelawyer.com/services/denver-affordable-lawyer-child-custody/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Crypt-142", "display_name": "Win.Trojan.Crypt-142", "target": null }, { "id": "#Lowfi:SIGATTR:URLShortner", "display_name": "#Lowfi:SIGATTR:URLShortner", "target": null }, { "id": "Win.Trojan.14278494-1", "display_name": "Win.Trojan.14278494-1", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ransom:Win32/WannaCrypt.H", "display_name": "ransom:Win32/WannaCrypt.H", "target": "/malware/ransom:Win32/WannaCrypt.H" }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Mirai Communications", "display_name": "Mirai Communications", "target": null }, { "id": "Alfper", "display_name": "Alfper", "target": null }, { "id": "telper:HSTR:CLEAN:Ninite", "display_name": "telper:HSTR:CLEAN:Ninite", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8962, "domain": 1671, "hostname": 2125, "FileHash-SHA256": 2031, "FileHash-MD5": 718, "FileHash-SHA1": 523, "SSLCertFingerprint": 12, "email": 7, "CVE": 1 }, "indicator_count": 16050, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "224 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688716977e80a4274f2eafa9", "name": "LeadIQ | The Smart B2B Prospecting Platform | Malware Packed | Agent Tesla & more", "description": "Found in Bot joining Pulse.", "modified": "2025-08-27T06:03:05.020000", "created": "2025-07-28T06:20:07.660000", "tags": [ "present jul", "united", "entries", "search", "moved", "ip address", "creation date", "record value", "date", "showing", "body", "meta", "passive dns", "next associated", "win32spigot apr", "title error", "ipv4 add", "pulse pulses", "urls", "files", "adaptivebee", "worm", "win32", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "location united", "asn asnone", "nameservers", "less whois", "registrar", "csc corporate", "status", "servers", "name servers", "hostname", "hostname add", "a domains", "script urls", "unknown aaaa", "technology one", "script script", "certificate", "null", "trojan", "twitter", "domain", "files ip", "address domain", "ip related", "pulses otx", "virtool", "http", "present jun", "present may", "pulse submit", "url analysis", "reverse dns", "australia asn", "as55532 squiz", "dns resolutions", "overview ip", "address", "ipv4", "iocs", "data upload", "extraction", "ided iocs", "failed", "shaw", "ail tvnas", "rl irl", "domain add", "ostname add", "verdict", "show", "types", "type", "indicator data", "searc type", "a indicator", "data", "select across", "all pages", "domain domain", "checked url", "hostname server", "response ip", "address google", "safe browsing", "msie", "chrome", "present dec", "base", "read c", "port", "destination", "delete", "copy", "write", "memcommit", "cryptexportkey", "invalid pointer", "writeconsolea", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "ascii text", "crlf line", "mitre att", "error", "click", "hybrid", "local", "path", "starfield", "strings", "refresh", "tools", "onload", "span", "form", "adversaries", "windows nt", "generic http", "exe upload", "inbound", "outbound", "yara detections", "malware", "expiration date", "whois show", "name andrew", "bauer name", "div id", "beginstring", "beginerror", "script", "general", "cloud", "find", "footer", "ninite feb", "telper", "ninite mar", "ninite apr", "trojandropper", "mtb mar", "url https", "general full", "security tls", "software", "resource hash", "protocol h2", "frankfurt", "main", "germany", "input", "skype", "opciones", "july", "es form", "dom name", "post https", "imagen", "microsoft", "iniciar sesin", "value", "variables", "config", "debug", "loader", "geturl", "b function", "addlistener", "proof", "amazon02", "dk summary", "amazon rsa", "september", "browsing", "resource", "asn16509", "name value", "queueprogress", "timestamp input", "status actions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 487, "FileHash-SHA1": 461, "URL": 10732, "domain": 1672, "email": 6, "hostname": 3039, "FileHash-SHA256": 2569, "SSLCertFingerprint": 7 }, "indicator_count": 18973, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "235 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://example.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://example.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776639144.6155698 }