{
"type": "URL",
"indicator": "https://extensionwebstorebase.edgesv.net",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://extensionwebstorebase.edgesv.net",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3946837162,
"indicator": "https://extensionwebstorebase.edgesv.net",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 26,
"pulses": [
{
"id": "6962b68da732abc66a0c2caf",
"name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus",
"description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else",
"modified": "2026-02-09T19:00:09.890000",
"created": "2026-01-10T20:29:01.675000",
"tags": [
"ip address",
"status code",
"kb body",
"iocs",
"deny age",
"cloudfront",
"utc google",
"tag manager",
"g8t6ln06z40",
"utc na",
"google tag",
"injection",
"t1055 malware",
"tree",
"help v",
"defense evasion",
"injection t1055",
"resolved ips",
"get http",
"dns resolutions",
"v memory",
"pattern domains",
"full reports",
"v help",
"memory pattern",
"urls https",
"hashes",
"tiktok",
"microsoft",
"dashboard falcon",
"request",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"appleid",
"united",
"name servers",
"aaaa",
"servers",
"moved",
"script urls",
"passive dns",
"urls",
"data upload",
"extraction",
"failed",
"jsvendor",
"jsapp",
"script script",
"cssapp",
"jsfirebase",
"pegasus",
"encrypt",
"title error",
"ipv4",
"files",
"reverse dns",
"united states",
"malware",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"execution att",
"t1204 user",
"script",
"beginstring",
"bad traffic",
"et info",
"null",
"title",
"refresh",
"span",
"strings",
"error",
"tools",
"meta",
"look",
"verify",
"restart",
"mitre att",
"ascii text",
"pattern match",
"ck matrix",
"tls handshake",
"hybrid",
"general",
"local",
"path",
"click",
"ck techniques",
"access att",
"div div",
"a li",
"ul div",
"record value",
"emails",
"accept",
"referen https",
"microsoft-falcon.net",
"proxy",
"status",
"certificate",
"updated date",
"whois server",
"zipcode",
"entries http",
"scans show",
"search",
"matches x",
"type",
"gmt cache",
"all ipv4",
"america flag",
"america asn",
"sameorigin",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results jan",
"ipv4 add",
"win32mydoom jan",
"trojan",
"worm",
"expiration date",
"files show",
"date hash",
"avast avg",
"win32mydoom",
"backdoor",
"found",
"gmt connection",
"control",
"content type",
"twitter",
"dynamicloader",
"medium",
"high",
"msie",
"wow64",
"slcc2",
"media center",
"write",
"global",
"domain name",
"hostname",
"apple",
"racebook",
"mouse movement",
"remote mouse",
"domain",
"hostname add",
"url analysis",
"crlf line",
"ff d5",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"f0 ff",
"ff bb",
"music",
"push",
"autorun",
"unknown",
"present sep",
"present may",
"present jan",
"present aug",
"cname",
"present nov",
"present jun",
"apache",
"body",
"pragma",
"found registry",
"able",
"model",
"indicator",
"source",
"show technique",
"file",
"internet",
"errore",
"erreur",
"download",
"service",
"crypto",
"compiler",
"installer",
"yang",
"updater",
"shutdown",
"thunk",
"este",
"install",
"reboot",
"code",
"downloader",
"sigur",
"kanna",
"der zugriff",
"google",
"chrome",
"Pahamify Pegasus",
"christoper p. ahmann",
"law enforcement",
"retaliation",
"phone",
"espionage",
"united states",
"m brian sabey",
"quasi government",
"target",
"monitored targeting",
"aig",
"therahand (old name)",
"target: tsara brashears",
"douglas county, co",
"sheriff",
"industry and commerce",
"worker\u2019s compensation",
"crime",
"financial crime",
"danger",
"nem tih",
"amazon",
"aws",
"amazon aws",
"deal",
"deal with it lawfully",
"pay victim",
"protecting reimer"
],
"references": [
"https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
"Pahamify Pegasus",
"Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
"https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
"https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
"tv.apple.com",
"dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
"Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A",
"IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
"IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
"IDS: TLS Handshake Failure",
"Yara Detections BackdoorWin32Simda",
"Google_Chrome_64bit_v136.0.7103.49.exe",
"https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Pariham.A",
"display_name": "Trojan:Win32/Pariham.A",
"target": "/malware/Trojan:Win32/Pariham.A"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Virus:Win95/Cerebrus",
"display_name": "Virus:Win95/Cerebrus",
"target": "/malware/Virus:Win95/Cerebrus"
},
{
"id": "AutoRunIt",
"display_name": "AutoRunIt",
"target": null
},
{
"id": "Sigur",
"display_name": "Sigur",
"target": null
},
{
"id": "Kanna",
"display_name": "Kanna",
"target": null
},
{
"id": "Der Zugriff",
"display_name": "Der Zugriff",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1029",
"name": "Scheduled Transfer",
"display_name": "T1029 - Scheduled Transfer"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1124",
"name": "System Time Discovery",
"display_name": "T1124 - System Time Discovery"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1213",
"name": "Data from Information Repositories",
"display_name": "T1213 - Data from Information Repositories"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1489",
"name": "Service Stop",
"display_name": "T1489 - Service Stop"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1529",
"name": "System Shutdown/Reboot",
"display_name": "T1529 - System Shutdown/Reboot"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1559",
"name": "Inter-Process Communication",
"display_name": "T1559 - Inter-Process Communication"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1569",
"name": "System Services",
"display_name": "T1569 - System Services"
},
{
"id": "T1570",
"name": "Lateral Tool Transfer",
"display_name": "T1570 - Lateral Tool Transfer"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1569.002",
"name": "Service Execution",
"display_name": "T1569.002 - Service Execution"
},
{
"id": "T1543.003",
"name": "Windows Service",
"display_name": "T1543.003 - Windows Service"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1055.003",
"name": "Thread Execution Hijacking",
"display_name": "T1055.003 - Thread Execution Hijacking"
},
{
"id": "T1134.001",
"name": "Token Impersonation/Theft",
"display_name": "T1134.001 - Token Impersonation/Theft"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1134.002",
"name": "Create Process with Token",
"display_name": "T1134.002 - Create Process with Token"
},
{
"id": "T1070.006",
"name": "Timestomp",
"display_name": "T1070.006 - Timestomp"
},
{
"id": "T1564.003",
"name": "Hidden Window",
"display_name": "T1564.003 - Hidden Window"
},
{
"id": "T1497.003",
"name": "Time Based Evasion",
"display_name": "T1497.003 - Time Based Evasion"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1497.002",
"name": "User Activity Based Checks",
"display_name": "T1497.002 - User Activity Based Checks"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1074.001",
"name": "Local Data Staging",
"display_name": "T1074.001 - Local Data Staging"
},
{
"id": "T1560.002",
"name": "Archive via Library",
"display_name": "T1560.002 - Archive via Library"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
}
],
"industries": [
"Civil Society",
"Legal",
"Government",
"Technology",
"Telecommunications",
"Financial"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6094,
"domain": 1195,
"hostname": 2001,
"FileHash-SHA256": 2598,
"FileHash-MD5": 546,
"FileHash-SHA1": 403,
"email": 16,
"CVE": 2,
"SSLCertFingerprint": 3
},
"indicator_count": 12858,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "69 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69612a0df518040b20932bef",
"name": "Pahamify Pegasus | Palantir Malicious delivery via Bible app downloaded from iOS App Store",
"description": "Pahamify Pegasus | Requires much further research.\nWorking backwards: Targeted device had a Bible Gateway app download by target from both iOS and Android devices. As per report each time app was accessed, iOS became glitched, passwords stolen, drive by compromise on lock screen prompted target to review app. She found the app login was changed to an unknown users name. I tested a (Bible Gateway) URI to see if her belief BG was a honey pot was true. \nThis may take 2-3 more rounds of research. \nIs Pegasus. Is Palantir. Is intrusive and malicious.\n\n[OTC auto generated Title: 2 Timothy 3 NIV - But mark this: There will be terrible - Bible Gateway]",
"modified": "2026-02-08T15:00:50.749000",
"created": "2026-01-09T16:17:17.632000",
"tags": [
"defense evasion",
"cor ta0011",
"techni process",
"application l",
"encrypted ch",
"christ jesus",
"just",
"final charge",
"timothy10",
"antioch",
"iconium",
"lystra",
"lord",
"holy scriptures",
"scripture",
"bible gateway",
"no expiration",
"expiration",
"a domains",
"present sep",
"united",
"present jun",
"meta",
"present oct",
"present aug",
"servers",
"title",
"data upload",
"extraction",
"palantir foundry",
"listeners",
"dev",
"redirects",
"redirect health",
"health data",
"utc google",
"utc na",
"script",
"utc amazon",
"bible",
"meta tags",
"read",
"bible reading",
"trackers google",
"anchor",
"analyse headers",
"contenttype",
"transferenco",
"connection",
"date fri",
"server",
"read c",
"as16509",
"rgba",
"unicode",
"execution",
"dock",
"write",
"persistence",
"jsvendor",
"jsapp",
"script script",
"cssapp",
"jsfirebase",
"moved",
"urls",
"pegasus",
"encrypt",
"script urls",
"record value",
"tls handshake",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"next",
"capture",
"malware",
"unknown",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"access att",
"t1189 driveby",
"html",
"mitre att",
"ck matrix",
"ascii text",
"pattern match",
"et info",
"bad traffic",
"hybrid",
"general",
"local",
"path",
"click",
"adversaries",
"execution att",
"t1204 user",
"t1480 execution",
"null",
"refresh",
"span",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"timothy",
"search",
"tag manager",
"g8t6ln06z40",
"code",
"css",
"js",
"router",
"cloudfront",
"John 12:17",
"port",
"yara rule",
"high",
"tofsee",
"rndhex",
"rndchar",
"destination",
"loaderid",
"lidfileupd",
"stream"
],
"references": [
"https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"https://pegasus.pahamify.com/",
"aptia.palantirfoundry.com \u2022 palantirfoundry.com \u2022\u2019agent-infra-mojito.palantirfoundry.com",
"equilibrium.palantirfoundry.com \u2022 kt-presales.palantirfoundry.com \u2022 paloma.palantirfoundry.com",
"usw-2-dev.palantirfoundry.com \u2022 lucyw.palantirfoundry.com \u2022 https://fegdip.palantirfoundry.com/",
"http://dasima-containers.palantirfoundry.com/ \u2022 https://glare.palantirfoundry.com/",
"https://inbound-message-listener-temporary-testing.palantirfoundry.com",
"https://listeners.usw-16.palantirfoundry.com \u2022 https://pacificlife.palantirfoundry.com/",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.afa33b71-01ea-477c-bc01-f6a3ab623e9d/master",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/",
"https://uhsinc.palantirfoundry.com/ \u2022 https://velocityglobal.palantirfoundry.com",
"https://wes.palantirfoundry.com/ \u2022 http://utilities-bootcamp.palantirfoundry.com/",
"http://glare.palantirfoundry.com/ \u2022 https://woodward.palantirfoundry.com/",
"https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/",
"https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd45176426a",
"https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd458176426a",
"https://pegasus.pahamify.com/ \u2022 https://pegasus.pahamify.com/study-plan/ \u2022 pegasus.pahamify.com",
"John 12:17"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Bible Gateway",
"display_name": "Bible Gateway",
"target": null
},
{
"id": "Pahamify Pegasus",
"display_name": "Pahamify Pegasus",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1608.004",
"name": "Drive-by Target",
"display_name": "T1608.004 - Drive-by Target"
},
{
"id": "T1608.005",
"name": "Link Target",
"display_name": "T1608.005 - Link Target"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6527,
"hostname": 2450,
"FileHash-SHA256": 1716,
"FileHash-MD5": 245,
"FileHash-SHA1": 134,
"domain": 1101,
"email": 3,
"SSLCertFingerprint": 8
},
"indicator_count": 12184,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "70 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "693596f8cd50958de6e9415c",
"name": "Eternal Blue Probe - YouTube - GSE",
"description": "EternalBlue is an exploit that targets a critical vulnerability (CVE-2017-0144, part of the larger MS17-010 security bulletin) in Microsoft's implementation of the Server Message Block (SMB) version 1 (SMBv1) protocol, which is used for file and printer sharing on Windows networks. \nVulnerability: The flaw allows an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system by sending specially crafted packets to the SMBv1 server.\nOrigin: The exploit was developed by the NSA but was stolen and publicly leaked in April 2017 by a hacker group known as the Shadow Brokers.\nMajor Attacks: Shortly after its leak, EternalBlue was used in major, widespread cyberattacks, most notably the WannaCry and NotPetya ransomware outbreaks, which caused massive global disruption. The self-propagating \"wormable\" nature of the exploit allowed malware to spread rapidly across networks.",
"modified": "2026-01-06T00:03:32.099000",
"created": "2025-12-07T15:02:16.840000",
"tags": [
"asn as8068",
"cloud provider",
"reverse dns",
"america flag",
"united",
"america asn",
"as8068",
"united states",
"avast avg",
"ids detections",
"yara detections",
"probe ms17010",
"smbds ipc",
"av detections",
"alerts",
"read c",
"medium",
"rgba",
"unicode",
"msf style",
"dock",
"write",
"execution",
"malware",
"eternal blue",
"check in",
"file score",
"medium risk",
"generic flags",
"ms17010",
"none alerts",
"less ip",
"contacted",
"matches",
"mirroring",
"chromeshorts",
"gse",
"google",
"youtube",
"dating apps",
"suspicious apps",
"search engine",
"redirect",
"eternalblue"
],
"references": [
"chromeshorts.com mirroring YouTube.com googlechinablog.com \u2022 www.google.com \u2022 108.177.121.105",
"IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
"IDS Detections : Possible ETERNALBLUE Probe MS17-010 (MSF style)",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
"IDS Detections: SMB-DS IPC$ unicode share access SMB-DS IPC$ share access",
"Environment Awareness : Able to access user sensitive domai",
"Alerts : suspicious_write_exe nids_exploit_alert process_martian injection_resumethread js_eval",
"Alerts : network_http allocates_rwx suspicious_process stealth_window uses_windows_utilities",
"Alerts : recono_fingerprint antivm_memory_available",
"www.endgame.com",
"admin-contact-api.uat2.white-label-dating.com \u2022 capi-sns.qa1.white-label-dating.com \u2022 http://payments.uat1.white-label-dating.com",
"URL https://mailcatcher.qa2.white-label-dating.com",
"Attackers : Christopher P. Ahmann , Hall Render , Brian Sabey & Co , Foundry , Tulach , Quasi government entities.",
"Alt + Google \u2018branded\u2019 search engine (monitoring targets searches) YouTube mirroring.",
"Suspicious apps"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 449,
"FileHash-MD5": 26,
"FileHash-SHA1": 6,
"FileHash-SHA256": 169,
"URL": 719,
"domain": 86,
"SSLCertFingerprint": 1
},
"indicator_count": 1456,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68db395368d6c4042517f3f3",
"name": "Target Saver M1 Agent TSA Spy \u2022 Mastadon - Hit Tip! Thanks!",
"description": "Hot Tip! I would love to give a shout out to the person who provided this information, I\u2019m not sure if they want to remain anonymous or not. Thank SO Much!\n\nSpyware and a source for distributing malicious media. Complete foothold\non networks, browsers, phones, search history and everything, massive streaming pornography distributed, members and contributors. \n\nVery important tip. I will analyze and break down into digestible pulse sizes.",
"modified": "2025-12-27T15:01:22.545000",
"created": "2025-09-30T01:58:43.592000",
"tags": [
"http traffic",
"match info",
"http get",
"info performs",
"dns query",
"https http",
"mitre att",
"evasion ta0005",
"creates",
"info",
"oc0006 http",
"wininet c0005",
"resolved ips",
"get http",
"html document",
"unicode text",
"dynamicloader",
"fe ff",
"medium",
"x00bx00",
"uswv",
"k uswv",
"search",
"high",
"delete c",
"yara detections",
"redline",
"guard",
"write",
"united",
"present sep",
"aaaa",
"passive dns",
"urls",
"next associated",
"found",
"x content",
"hacktool",
"trojan",
"error",
"lowfi",
"win32",
"worm",
"ip address",
"mtb apr",
"ransom",
"virtool",
"ain add",
"directui",
"element",
"classinfobase",
"ccbase",
"hwndhost",
"yara rule",
"hpavvalue",
"qaejh",
"name servers",
"cryp",
"emails",
"next related",
"domain related",
"no expiration",
"url http",
"url https",
"indicator role",
"hostname",
"email",
"present jun",
"present aug",
"present jul",
"servers",
"title",
"encrypt",
"altsvc h3",
"date tue",
"acceptranges",
"reportto",
"server",
"gmt expires",
"gmt contenttype",
"script",
"expiresthu",
"maxage63072000",
"pragma",
"google safe",
"unknown ns",
"files",
"location united",
"asn as15169",
"trojandropper",
"susp",
"creation date",
"asn as133618",
"tags",
"related tags",
"indicator facts",
"backdoor",
"ipv4 add",
"click",
"artro",
"target saver",
"trojanspy",
"reverse dns",
"america flag",
"443 ma2592000",
"hostname add",
"verdict",
"present mar",
"present jan",
"present dec",
"present apr",
"ipv4",
"type indicator",
"role title",
"related pulses",
"iocs",
"moved",
"downloads",
"apple",
"microsoft",
"hexagonsystem",
"mastadon",
"status",
"twitter",
"gmt content",
"easyredir cache",
"v4 add",
"redacted for",
"privacy tech",
"privacy admin",
"registrar abuse",
"available from",
"algorithm",
"key identifier",
"x509v3 subject",
"entity",
"code",
"date",
"dnssec",
"showing",
"unknown aaaa",
"sha256",
"sha1",
"ascii text",
"ck id",
"show technique",
"ck matrix",
"meta",
"hybrid",
"general",
"local",
"path",
"strings",
"copy md5",
"copy sha1",
"copy sha256",
"certificate"
],
"references": [
"FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63",
"mastodon.social",
"https://families.google/intl/pt-PT_ALL/familylink/",
"http://service.adultprovide.com/docs/records.htm?site=bigtitsboss",
"slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com",
"https://discuss.ai.google.dev/c/gemma/10",
"https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png",
"https://m.bigwetbutts.com/ tmi",
"Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89",
"Mirai: simswap.in",
"66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com",
"https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com",
"https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"display_name": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"target": null
},
{
"id": "Win.Ransomware.Bitman-9862733-0",
"display_name": "Win.Ransomware.Bitman-9862733-0",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Target Saver",
"display_name": "Target Saver",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Hacktool",
"display_name": "Hacktool",
"target": null
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Media",
"Legal",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2964,
"hostname": 1164,
"URL": 4334,
"domain": 956,
"FileHash-MD5": 476,
"FileHash-SHA1": 451,
"CVE": 1,
"email": 20,
"SSLCertFingerprint": 2
},
"indicator_count": 10368,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "113 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "690e8b773dc39921d88abd44",
"name": "Nanocore - Affected",
"description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|",
"modified": "2025-12-07T23:02:29.645000",
"created": "2025-11-08T00:14:47.600000",
"tags": [
"hgnvastlaiz",
"read c",
"medium",
"rgba",
"memcommit",
"delete",
"png image",
"unicode",
"dock",
"execution",
"malware",
"crlf line",
"speichermedium",
"productversion",
"fileversion",
"engine dll",
"internalname",
"einstellungen",
"comodo ca",
"limited st",
"yara detections",
"next pe",
"eula",
"policy",
"direct",
"opencandy",
"suspicious_write_exe",
"network_icmp",
"process_martian",
"present jun",
"present jul",
"domain",
"united",
"ip address",
"unknown ns",
"ms windows",
"intel",
"verisign",
"time stamping",
"unknown",
"class",
"write",
"markus",
"temple",
"msie",
"windows nt",
"get http",
"lehash",
"av detections",
"ids detections",
"alerts",
"file score",
"low risk",
"compromised_site_redirector_fromcharcode",
"present aug",
"passive dns",
"all ipv4",
"urls",
"files",
"hosting",
"america flag",
"win32",
"ipv4 add",
"signed file, valid signature. revoked.",
"united states",
"pws",
"atros",
"fiha",
"search",
"entries",
"present oct",
"next associated",
"show",
"high",
"wow64",
"slcc2",
"next",
"domain add",
"poland",
"poland unknown",
"ipv4",
"location poland",
"poland asn",
"et policy",
"pe exe",
"dll windows",
"amazon s3",
"location united",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"results feb",
"nanocore",
"url add",
"http",
"related nids",
"files location",
"flag united",
"malicious image",
"files domain",
"files related",
"pulses otx",
"related tags",
"resources whois",
"virustotal",
"present sep",
"status",
"present nov",
"present mar",
"trojan",
"script script",
"div div",
"link",
"a li",
"meta",
"sweden",
"invalid url",
"head title",
"title head",
"reference",
"bad request",
"server",
"netherlands",
"creation date",
"date",
"running server",
"ahmann",
"christopher",
"p",
"tam",
"legal",
"treece",
"alfrey",
"muscat",
"adversaries",
"cyber crime",
"quasi",
"government"
],
"references": [
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"www.opencandy.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"Yara Detections : compromised_site_redirector_fromcharcode",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Nanocore-5",
"display_name": "Win.Trojan.Nanocore-5",
"target": null
},
{
"id": "Win.Trojan.Adinstall-2",
"display_name": "Win.Trojan.Adinstall-2",
"target": null
},
{
"id": "PSW.Generic13",
"display_name": "PSW.Generic13",
"target": null
},
{
"id": "Atros.UPK",
"display_name": "Atros.UPK",
"target": null
},
{
"id": "Luhe.Fiha.A",
"display_name": "Luhe.Fiha.A",
"target": null
},
{
"id": "Pua.Optimizerpro/PCOptimizerPro",
"display_name": "Pua.Optimizerpro/PCOptimizerPro",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 753,
"FileHash-SHA1": 622,
"FileHash-SHA256": 4336,
"URL": 2448,
"domain": 300,
"hostname": 788,
"CVE": 1,
"email": 4
},
"indicator_count": 9252,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "133 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68feb98a8c1b75b4431a3e8e",
"name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?",
"description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.",
"modified": "2025-11-25T20:05:31.749000",
"created": "2025-10-27T00:15:06.191000",
"tags": [
"html internet",
"html document",
"ascii text",
"language",
"cve202323397",
"iframe tags",
"tag manager",
"gtmkvjvztk",
"anchor hrefs",
"info ta0011",
"protocol",
"layer protocol",
"port",
"t1571 encrypted",
"channel",
"t1573 malware",
"tree",
"oc0006 http",
"c0014",
"get http",
"dns resolutions",
"resolved ips",
"user",
"data",
"datacrashpad",
"edge",
"v full",
"reports v",
"chrome u",
"appdata local",
"googlechrome u",
"u ser",
"cname",
"ip address",
"http",
"accept",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"shutdown",
"extraction",
"suggested iocs",
"data upload",
"cry dee",
"stop",
"type",
"url indicator",
"enter",
"failed",
"se share",
"extrac",
"enter so",
"passive dns",
"urls",
"hostname add",
"pulse pulses",
"files",
"domain",
"files ip",
"address",
"location united",
"asn as20473",
"dynamicloader",
"directui",
"write c",
"intel",
"ms windows",
"pe32",
"element",
"delete c",
"document file",
"v2 document",
"explorer",
"trojandropper",
"write",
"markus",
"august",
"movie",
"insert",
"pulse submit",
"url analysis",
"asn as8068",
"united",
"entries",
"body",
"please",
"x msedge",
"ipv4 add",
"present sep",
"present oct",
"present feb",
"status",
"unknown ns",
"search",
"name servers",
"present jul",
"aaaa",
"present apr",
"trojan",
"medium",
"high",
"yara rule",
"globalc",
"june",
"malware",
"win64",
"unknown",
"america flag",
"twitter",
"hostname",
"domain add",
"reverse dns",
"america asn",
"present aug",
"a domains",
"moved",
"first pqc",
"unknown aaaa",
"title",
"meta",
"window",
"encrypt",
"pulse indicator",
"body doctype",
"welcome",
"ok server",
"gmt content",
"atlanta",
"abuse",
"agent",
"service",
"present jun",
"present may",
"creation date",
"record value",
"servers",
"libretv meta",
"certificate",
"value",
"whois lookup",
"loopia ab",
"userlolxxl"
],
"references": [
"http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist",
"It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!",
"pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz",
"Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com",
"docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips",
"https://hs.ecam.com/your-challenges-ecams-solutions",
"https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022",
"https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/",
"Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Wannacry",
"display_name": "Wannacry",
"target": null
},
{
"id": "Foundry",
"display_name": "Foundry",
"target": null
},
{
"id": "Trojan:Win32/Comisproc!gmb",
"display_name": "Trojan:Win32/Comisproc!gmb",
"target": "/malware/Trojan:Win32/Comisproc!gmb"
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "#Exploit:Win32/CVE- 2023 - 23397",
"display_name": "#Exploit:Win32/CVE- 2023 - 23397",
"target": "/malware/#Exploit:Win32/CVE- 2023 - 23397"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "ALF:PulZati:Worm:Win32/Mydoom",
"display_name": "ALF:PulZati:Worm:Win32/Mydoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 8,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 248,
"FileHash-SHA1": 134,
"FileHash-SHA256": 2661,
"URL": 6257,
"domain": 682,
"email": 8,
"hostname": 2077,
"CVE": 1
},
"indicator_count": 12068,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "145 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68fd0cc422cea2fd989581fd",
"name": "LevelBlue - Open Threat Exchange (Malicious Attacks)",
"description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.",
"modified": "2025-11-24T17:02:12.441000",
"created": "2025-10-25T17:45:40.291000",
"tags": [
"ipv4",
"levelblue",
"open threat",
"date sat",
"connection",
"etag w",
"cloudfront",
"sameorigin age",
"vary",
"ip address",
"kb body",
"gtmkvjvztk",
"utc gcfezl5ynvb",
"utc na",
"utc google",
"analytics na",
"utc linkedin",
"insight tag",
"learn",
"exchange og",
"levelblue open",
"threat exchange",
"exchange",
"google tag",
"iocs",
"search otx",
"included iocs",
"review iocs",
"data upload",
"extraction",
"layer protocol",
"v full",
"reports v",
"port t1571",
"t1573",
"oc0006 http",
"c0014",
"get http",
"dns resolutions",
"user",
"data",
"datacrashpad",
"edge",
"tag manager",
"us er",
"help files",
"shell",
"html",
"cve202323397",
"iframe tags",
"community score",
"url http",
"url https",
"united",
"united kingdom",
"netherlands",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"indicator role",
"title added",
"active related",
"otc oct",
"report spam",
"week ago",
"scan",
"learn more",
"filehashmd5",
"filehashsha1",
"domain",
"australia",
"does",
"josh",
"created",
"filehashsha256",
"present jul",
"present oct",
"date",
"a domains",
"script urls",
"for privacy",
"moved",
"script domains",
"meta",
"title",
"body",
"pragma",
"encrypt",
"ck ids",
"t1060",
"run keys",
"startup",
"folder",
"t1027",
"files",
"information",
"t1055",
"injection",
"capture",
"south korea",
"malaysia",
"pulses",
"fatal error",
"hacker known",
"name",
"unknown",
"risk",
"weeks ago",
"scary",
"sova",
"colorado",
"wire",
"name unknown",
"thursday",
"denver",
"types of",
"indicators hong",
"kong",
"tsara brashears",
"african",
"ethiopia",
"b8reactjs",
"india",
"america",
"x ua",
"hostname",
"dicator role",
"pulses url",
"airplane",
"icator role",
"t1432",
"access contact",
"list",
"t1525",
"image",
"security scan",
"heuristic oct",
"discovery",
"t1069",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1114",
"t1480",
"internal image",
"brian sabey",
"month ago",
"modified",
"days ago",
"green well",
"sabey stash",
"service",
"t1040",
"sniffing",
"t1045",
"packing",
"t1053",
"taskjob"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Sova",
"display_name": "Sova",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1022",
"name": "Data Encrypted",
"display_name": "T1022 - Data Encrypted"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1525",
"name": "Implant Internal Image",
"display_name": "T1525 - Implant Internal Image"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 956,
"FileHash-SHA1": 906,
"FileHash-SHA256": 2651,
"URL": 4450,
"domain": 708,
"hostname": 2403,
"CVE": 1,
"email": 5
},
"indicator_count": 12080,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "146 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68dff573cf17000ebca4e63f",
"name": "The University of British Columbia",
"description": "https://www.virustotal.com/gui/domain/ubc.ca\nhttps://www.virustotal.com/gui/file/2849292fde24ca7833a3fcde7852e6e76df178ea271e271d2d2b551c10033a09/details",
"modified": "2025-11-02T15:02:38.292000",
"created": "2025-10-03T16:10:27.760000",
"tags": [
"university",
"research",
"strong",
"ubc search",
"teaching",
"okanagan",
"bc canada",
"contact",
"skip",
"search ubc",
"find",
"back",
"user",
"cape sandbox",
"medium",
"http",
"matches rule",
"tls sni",
"memory pattern",
"size",
"date",
"info",
"shell",
"vhash",
"ssdeep",
"jjwad5 tlsh"
],
"references": [
"Contact Information | The University of British Columbia",
"spph.ca",
"www.ubc.ca",
"ubc.ca",
"CA-2020-01-12 05-18-26088DE56F-E544B574-D3166097-17FA11BC-45321A6D-v33.zip"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 29,
"FileHash-SHA256": 742,
"FileHash-MD5": 89,
"FileHash-SHA1": 42,
"URL": 243,
"hostname": 98
},
"indicator_count": 1243,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 124,
"modified_text": "168 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68dc624893ea922b898f911b",
"name": "FBI? Ghe real one? Idk - Cab / Deive by compromised an iOS device",
"description": "Checking a targets phone, it\u2019s seems very infected with limited results on google searches results. I clicked on an image I thought looked suspicious. Image was coded. I have no idea if this is the FBI I haven\u2019t examined or researched for vulnerabilities yet. I will break this down over time. The number is kept alive but number could not be verified , it was a different number altogether. The phone was out of service, I reached out to 911. And spoke to a person I can\u2019t verify. The service was reconnected a day later. It\u2019s a very crazy hack!",
"modified": "2025-10-30T22:01:00.256000",
"created": "2025-09-30T23:05:44.154000",
"tags": [
"search",
"google search",
"in a",
"relevance",
"internet storm",
"intranet",
"part",
"steps",
"hyper v",
"windowssystem32",
"ping request",
"algorithm",
"ouno sni",
"key usage",
"google llc",
"v3 serial",
"number",
"public key",
"info",
"key algorithm",
"domain",
"subject key",
"identifier",
"net173",
"net1730000",
"gogl",
"orgid",
"gogl address",
"city",
"mountain view",
"stateprov",
"postalcode",
"registrar",
"ip address",
"http",
"port",
"accept",
"info file",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"shutdown",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"spawns",
"found",
"united",
"ascii text",
"pattern match",
"mitre att",
"title",
"hybrid",
"general",
"path",
"click",
"strings",
"body",
"initial access",
"local",
"passive dns",
"urls",
"url add",
"related nids",
"files location",
"flag united",
"backdoor",
"status",
"aaaa",
"date",
"name servers",
"record value",
"emails",
"present aug",
"present sep",
"moved",
"error",
"antivm",
"drive by",
"cab by"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 3,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 544,
"FileHash-SHA256": 2300,
"URL": 3905,
"hostname": 1675,
"FileHash-MD5": 209,
"FileHash-SHA1": 210,
"CIDR": 1,
"email": 7,
"SSLCertFingerprint": 8,
"CVE": 2
},
"indicator_count": 8861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "171 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68cb233ba91aa1eb958b3f31",
"name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022 OneLouder",
"description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea",
"modified": "2025-10-17T19:03:15.031000",
"created": "2025-09-17T21:08:11.518000",
"tags": [
"script urls",
"meta",
"moved",
"x tec",
"passive dns",
"encrypt",
"america flag",
"san francisco",
"extraction",
"data upload",
"type indicatod",
"united states",
"a domains",
"united",
"gmt server",
"jose",
"university",
"bill",
"rmhs",
"information",
"board",
"lorin",
"joseph",
"all veterans",
"rocky mountain",
"mission",
"vice",
"april",
"school",
"austin",
"prior",
"ipv4 add",
"urls",
"files",
"location united",
"wordpress",
"rmhs meta",
"tags viewport",
"rmhs og",
"rmhs article",
"wpbakery page",
"builder",
"slider plugin",
"google tag",
"mountain human",
"denver",
"connecting",
"denver start",
"relevance home",
"providers",
"contact us",
"rmhs main",
"server",
"redacted tech",
"redacted admin",
"registrar abuse",
"algorithm",
"key identifier",
"x509v3 subject",
"dnssec",
"country",
"ttl value",
"graph summary",
"resolved ips",
"ip address",
"port",
"data",
"screenshots no",
"involved direct",
"country name",
"name response",
"tcp connections",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"found",
"spawns",
"t1590 gather",
"path",
"ascii text",
"exif standard",
"tiff image",
"format",
"stop",
"false",
"soldier",
"model",
"youth",
"baby",
"june",
"general",
"local",
"click",
"strings",
"core",
"warrior",
"green",
"emotion",
"flash",
"nina",
"hunk",
"fono",
"daam",
"mitre att",
"ck techniques",
"id name",
"malicious",
"windows nt",
"win64",
"khtml",
"gecko",
"brand",
"microsoft edge",
"show process",
"self",
"date",
"comspec",
"hybrid",
"form",
"log id",
"gmtn",
"tls web",
"b2 f6",
"b0n timestamp",
"f9401a",
"record value",
"x wix",
"certificate",
"domain add",
"pulse submit",
"body",
"domain related",
"blackbox",
"apple",
"helix",
"dvrdns",
"tracking",
"remote access",
"ios",
"spyware",
"hoax",
"dynamicloader",
"ptls6",
"medium",
"flashpix",
"high",
"ygjpavclsline",
"officespace",
"chartshared",
"powershell",
"write",
"malware",
"ygjpaulscontext",
"status",
"japan unknown",
"domain",
"pulses",
"search",
"accept",
"apt10",
"trojanspy",
"win32",
"entries",
"susp",
"backdoor",
"useragent",
"showing",
"virtool",
"twitter",
"mozilla",
"trojandropper",
"trojan",
"title",
"onelouder",
"yara det",
"maware samoe",
"genaco x",
"ids detec",
"ids terse",
"win3 data",
"include review",
"exclude sugges",
"targeting",
"show",
"copy",
"reads",
"dynamic",
"vendor finding",
"notes clamav",
"files matching",
"number",
"sample analysis",
"hide samples",
"date hash",
"next yara"
],
"references": [
"rmhumanservices.org",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
"ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
"http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
"https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
"https://www.mlkfoundation.net/ (Foundry DGA)",
"remotewd.com x 34 devices",
"South Africa based: remote.advisoroffice.com",
"acc.lehigtapp.com - malware",
"http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )",
"Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022",
"Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
"https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
"YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
"IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
"IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
"IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
"1.organization.api.powerplatform.partner.microsoftonline.cn",
"chinaeast2.admin.api.powerautomate.cn",
"https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
"https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
"ssa-gov.authorizeddns",
"hmmm\u2026http://palander.stjernstrom.se/",
"https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU"
],
"public": 1,
"adversary": "APT 10",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APT 10",
"display_name": "APT 10",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "Andromeda",
"display_name": "Andromeda",
"target": null
},
{
"id": "Sality",
"display_name": "Sality",
"target": null
},
{
"id": "KoobFace",
"display_name": "KoobFace",
"target": null
},
{
"id": "Bayrob",
"display_name": "Bayrob",
"target": null
},
{
"id": "Nivdort Checkin",
"display_name": "Nivdort Checkin",
"target": null
},
{
"id": "Win.Malware.Installcore-6950365-0",
"display_name": "Win.Malware.Installcore-6950365-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1574.006",
"name": "Dynamic Linker Hijacking",
"display_name": "T1574.006 - Dynamic Linker Hijacking"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [
"Golfing",
"Healthcare",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 690,
"hostname": 1912,
"URL": 5925,
"FileHash-SHA1": 273,
"email": 8,
"FileHash-SHA256": 3618,
"CIDR": 3,
"FileHash-MD5": 254,
"SSLCertFingerprint": 19,
"CVE": 2
},
"indicator_count": 12704,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "184 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68eff833ed84ceaf611521d2",
"name": "Tucker Carlson | AutInject \u2022 Zbot \u2022 CoinMiner \u2022 Zombie \u2022 Qbot affects his YouTube Channel (9.14.2025) ",
"description": "",
"modified": "2025-10-15T19:38:27.739000",
"created": "2025-10-15T19:38:27.739000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": "68c73fbd85dfbb4d41006ad1",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "186 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c73fbd85dfbb4d41006ad1",
"name": "Tucker Carlson Sam Altman YouTube Interview \u2022 Qbot | Malware with. Code Overlap",
"description": "Maybe it\u2019s a network issue. The TV I viewed interview from is in Arabic the every time. It\u2019s not\nmy\ntelevision or network, didn\u2019t get link from a logged in YouTube. Not a subscriber.. I viewed using (cc) close captioning. It\u2019s the only program n YouTube using another language for this interview. The only reason I\u2019ve visited this interview several time\u2019s since it\u2019s aired is to check for the same results. Every time only this interview uses another language for (cc).\n\nThere are related pulses by a few different users, experiencing similar personal issues. I\u2019d assume I\u2019d always get these results. Unclear\n\n* At the end of interview Tucker Carlson states YouTube is trying to suppress or delete this one interview.",
"modified": "2025-10-14T22:26:18.109000",
"created": "2025-09-14T22:20:45.617000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "187 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c6026160a826c170a8ce93",
"name": "Mira - Targeted attacks that demolished victim/s Media Platforms",
"description": "Targeted attacks that demolished victim/s Media Platforms. \nDangerous crowd, bullied till the end, murder attempted hit by a vehicle many times on a one way. 22 year old who walked after attempting to drive her off I-25 Denver. Suffered more life threatening injuries. \nMonitored target. Crime: unwilling female trapped under nasty physical therapists crotch. No charges, no questions. No treatments except one SCI surgery that was 5 years too late. \nDenver is nuts. Denver law enforcement , quasi government , CBI & attorneys are corrupted. There\u2019s something to the wicked DIA theories. I wonder how many others have been silenced to death behind corporate greed. The PT who caused all\nof this is thoroughly treated as a victim. Family moved to safety? She was never the threat. TLB will always rest assured sheltered in the arms of God like she believed.\n#theft #rip #paypal #drive-by_compromise #mira #spotify #youtube #trulymissed",
"modified": "2025-10-13T22:27:44.477000",
"created": "2025-09-13T23:46:41.355000",
"tags": [
"http traffic",
"iframe src",
"https http",
"re att",
"access ta0001",
"t1189 severity",
"info found",
"command",
"control ta0011",
"protocol t1071",
"info",
"resolved ips",
"ip traffic",
"pattern domains",
"pattern urls",
"tls sni",
"get http",
"dns resolutions",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"user",
"rules not",
"registry keys",
"detections not",
"found mitre",
"info ids",
"sandbox",
"number",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"ip address",
"port",
"http",
"url data",
"accept",
"gmt ifnonematch",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"manager",
"shutdown",
"udp connections",
"http requests",
"cname",
"nxdomain",
"involved direct",
"country name",
"parent pid",
"full path",
"command line",
"t1055 process",
"layer protocol",
"access t1189",
"defense evasion",
"discovery t1082",
"control t1573",
"youtube",
"spotify",
"spotify",
"colorado blows"
],
"references": [
"https://forward.ro/",
"https://vtbehaviour.commondatastorage.googleapis.com/db4e2e018a3e7f1227d7ee73590290cbd2c5f85083d7d2cd2bfbfce2d86bc85b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1757802136&Signature=ZMB94nTTqlBqbckg%2Bto3APyffn72wQ8c%2BtAJCCTNE3HE7lF3WYAXyjdMPB0xKY6TVdQIXYiGj6C8cK925JJttjjW91Be%2BG5oJQ2Tkmou66cPgSgOdOAQEKXq2RNXSvvZUTKgJSbxJritEPsUDcE%2FOZrDG1fY%2FtVq7cxQdLdhKacpB%2FiFLNzlcCWDCLJtwGhyRwoESchlxvvy%2Bazy40CNs35Eiw1rci3tBqQS97F7mBV1GnSrz%2FFZKh",
"http://clients2.google.com/time/1/current?cup2key=8:ZnsjfqkCHZe8ziQKNl-PZVHX2EXyFv9m6Q0Dnd_a_t8&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"Colorado corruption will be exposed one day.",
"Discovery of targets pirated music led to her website down the next day! After 9 years?",
"These greedy people & government grifters steal money from victims, including life insurance policies",
"Stop following targets relatives everywhere , associates. Stop circling former residence..",
"Targets mother passed in 2014. So much malicious activity obituary had to be taken down when hackers put target in obituary",
"Targets mother died in her bed in Castke Rock, Douglasc County, Colorado",
"Moms body moved by Douglas County to Jefferson County after cause of death ruled natural causes.",
"Jefferson County, Coroner falsely states Mom died in car accident in Lakewood on death certificate .",
"This information was brought to target by concerned entities who handled body.",
"Off subject: Don\u2019t try to kill Tucker Carlson for asking valid questions about an apparent murder Sam.",
"First they discredit you, wear you down mentally , hunt you down , then\u2026.They have to deal with God.",
"Sorry! I can\u2019t help being upset about the unfairness of this constant cruel harassment.",
"Jeffrey Scott Reiner was considered a skilled predator by Bryan Counts MD. He later attacked target."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "All",
"display_name": "All",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Government",
"Financial",
"Media",
"Targets"
],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 781,
"hostname": 339,
"FileHash-SHA256": 697,
"FileHash-MD5": 112,
"domain": 152,
"FileHash-SHA1": 2
},
"indicator_count": 2083,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "188 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68bc597c34358af14891a484",
"name": "A State: Government Financial Department affected by malware and threat actors",
"description": "A State Governmental Financial Department contacted. Lightly researched link below.\nFinal URL: https://www.palantir.com/blocked/?blocker=Envoy&ip=35.243.23.172&vpcEndpoint=&errorInstanceId=b8ae0a73-8c2d-4d81-a6ea-ee53943e9485&targetDomain=millet-usgc-1.palantirfedstart. | 403 Code - contacted |",
"modified": "2025-10-06T15:03:41.536000",
"created": "2025-09-06T15:55:40.069000",
"tags": [
"status",
"united",
"unknown ns",
"search",
"certificate",
"passive dns",
"urls",
"record value",
"emails",
"date",
"title",
"present jul",
"script urls",
"security",
"a domains",
"script domains",
"read",
"meta",
"443 ma86400",
"next associated",
"files show",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"gmt server",
"extraction f",
"enter so",
"type",
"u extraction",
"data upload",
"extraction",
"orbrop",
"present aug",
"present jun",
"present oct",
"entries",
"present apr",
"present nov",
"gtmpsl84dj",
"resolved ips",
"c0002 wininet",
"data",
"datacrashpad",
"edge",
"url data",
"accept",
"gmt ifnonematch",
"address port",
"cname",
"response",
"nxdomain",
"name n",
"creation date",
"domain add",
"pulse pulses",
"files",
"ip address",
"location united",
"asn as13335",
"whois registrar"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1785,
"domain": 710,
"hostname": 949,
"FileHash-SHA256": 864,
"email": 4,
"CVE": 3,
"FileHash-MD5": 27,
"FileHash-SHA1": 27
},
"indicator_count": 4369,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "195 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68bbf3e40e3ce8a74aa89545",
"name": "HCPF \u2022 The intricate relationships between the FIN7 group and members of the Conti gang",
"description": "",
"modified": "2025-10-06T08:03:23.285000",
"created": "2025-09-06T08:42:12.787000",
"tags": [
"present feb",
"united",
"a domains",
"present dec",
"passive dns",
"moved",
"script domains",
"script urls",
"search",
"title",
"date",
"http traffic",
"http get",
"match info",
"downloads",
"info",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"get http",
"dns resolutions",
"number",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"corporation cus",
"algorithm",
"cnamazon rsa",
"m03 oamazon",
"thumbprint",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"ascii text",
"ogoogle trust",
"cngts ca",
"execution",
"next",
"dock",
"write",
"capture",
"persistence",
"malware",
"roboto",
"android",
"known exploited",
"google",
"salesloft drift",
"sap s4hana",
"cve202542957",
"cisa",
"sitecore",
"linux",
"france",
"meta",
"rokrat",
"lizar",
"project nemesis",
"carbanak",
"cobalt strike",
"domino",
"yara detections",
"contacted",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"malicious ids",
"detections tls",
"indicator role",
"title added",
"active related",
"entries",
"role title",
"added active",
"filehashmd5",
"ipv4"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Lizar",
"display_name": "Lizar",
"target": null
},
{
"id": "Project Nemesis",
"display_name": "Project Nemesis",
"target": null
},
{
"id": "Carbanak",
"display_name": "Carbanak",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Domino",
"display_name": "Domino",
"target": null
},
{
"id": "RokRAT",
"display_name": "RokRAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
}
],
"industries": [
"Hospitality",
"Financial"
],
"TLP": "green",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 539,
"FileHash-SHA1": 389,
"FileHash-SHA256": 3386,
"domain": 862,
"hostname": 1155,
"URL": 4091,
"CVE": 3,
"SSLCertFingerprint": 5
},
"indicator_count": 10430,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "195 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68bbdb22e3d606ae8fb5cda8",
"name": "HCPF | Department of Health Care Policy and Financing",
"description": "Project Nemesis - Affects Department of Health Care Policy and Financing | Family representative repeatedly told past bills aren\u2019t being paid by United Healthcare. Argus Insurance (unknown entity) was Policy on record target never had. FR was given information regarding HCPF which was being viewed by past vendor seen in (https://otx.alienvault.com/pulse/68bbb31f6d91989d7fcd9592) | Issues with HCPF have been an issue for some time in isolated scenarios. It\u2019s unclear how at least one person keeps getting their name, bills and life pulled into this. Target PURCHASED a Healthcare policy via agent before major social engineering attacks. Same entity literally robs targets. Gift cards, phone services, cloud storage, account, insurance policies, bank account access, tax refunds, paid claims reversed & taken from target\u2019s account.\nMore research needed. Flaws in new system could jeopardize many. \n#trulymissed #rip #techbrohell #palantir",
"modified": "2025-10-06T05:01:18.794000",
"created": "2025-09-06T06:56:34.649000",
"tags": [
"federal changes",
"health first",
"colorado",
"child health",
"plan plus",
"newimpact",
"medicaidour",
"impact",
"medicaid page",
"medicaid",
"beware",
"text/html",
"trackers",
"iframes",
"external-resources",
"new relic",
"g1gv3h3sxc0",
"utc gcw970gh4gg",
"android",
"known exploited",
"google",
"salesloft drift",
"sap s4hana",
"cve202542957",
"cisa",
"sitecore",
"linux",
"france",
"meta",
"rokrat",
"lizar",
"project nemesis",
"carbanak",
"cobalt strike",
"domino",
"no expiration",
"url https",
"type indicator",
"role title",
"related pulses",
"hostname https",
"m4e5930",
"hostname",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"ascii text",
"search",
"ogoogle trust",
"cngts ca",
"execution",
"next",
"dock",
"write",
"capture",
"persistence",
"malware",
"roboto",
"present feb",
"united",
"a domains",
"present dec",
"passive dns",
"moved",
"script domains",
"script urls",
"urls",
"title",
"date",
"resolved ips",
"http traffic",
"http get",
"match info",
"downloads",
"info",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"endgame systems"
],
"references": [
"Researched: https://hcpf.colorado.gov/",
"www.onyx-ware.com \u2022 https://www.endgamesystems.com/",
"millet-usgc-1.palantirfedstart.com",
"https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html",
"https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms",
"https://passwords.google/?utm_medium=hpp&utm",
"https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html",
"Researched publicly available information provided by representative of a target\u2019s estate",
"System has placed affected on multiple policies cancelling private policy without notice.",
"Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)",
"Provided documented evidence of appealed state issued plan and disclosed financials.",
"Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes",
"I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.",
"State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.",
"Target also owned an online brokerage & lead company, was agent & insurance marketer for years.",
"September began with false information, defaulted claims , denials from authorized services rendered years prior.",
"If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lizar",
"display_name": "Lizar",
"target": null
},
{
"id": "Project Nemesis",
"display_name": "Project Nemesis",
"target": null
},
{
"id": "Carbanak",
"display_name": "Carbanak",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Domino",
"display_name": "Domino",
"target": null
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [
"Hospitality",
"Financial",
"Healthcare"
],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1395,
"URL": 4304,
"CVE": 1,
"domain": 694,
"FileHash-SHA256": 1790,
"FileHash-MD5": 183,
"FileHash-SHA1": 103,
"SSLCertFingerprint": 5
},
"indicator_count": 8475,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "195 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "688ee92e23c9420f037dbfa9",
"name": "Alberta Labour Relations Board - Union matters for employees, employers and employer organizations.",
"description": "https://www.virustotal.com/gui/url/a910547247948980368531c301b6f25a529bc6f94ef4daa4180a05604adb33cc/details",
"modified": "2025-10-01T00:01:22.860000",
"created": "2025-08-03T04:44:30.433000",
"tags": [
"ssdeep",
"sha256",
"vhash",
"anchor hrefs"
],
"references": [
"http://aemadev.gov.ab.ca",
"https://crt.sh/?q=alberta.ca"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 254,
"URL": 582,
"FileHash-MD5": 24,
"FileHash-SHA1": 25,
"FileHash-SHA256": 349,
"domain": 45
},
"indicator_count": 1279,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 125,
"modified_text": "200 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68aff672de7f1b65a97c00b1",
"name": "WarzoneRAT impacts Social Media of users with compromised systems",
"description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn",
"modified": "2025-09-27T05:00:09.125000",
"created": "2025-08-28T06:25:54.794000",
"tags": [
"d10927",
"mp41",
"mp41 connection",
"r connection",
"ip address",
"dynamicloader",
"write c",
"globalc",
"medium",
"high",
"write",
"dll read",
"trojan",
"delphi",
"win32",
"dialer",
"tracking",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"spawns",
"t1590 gather",
"mitre att",
"ck matrix",
"null",
"click",
"title",
"span",
"meta",
"general",
"local",
"path",
"strings",
"refresh",
"tools",
"virgin islands",
"united",
"unknown ns",
"a domains",
"montserrat",
"passive dns",
"ipv4",
"urls",
"files",
"hosting",
"trojandropper",
"location virgin",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"item",
"has description",
"unknown",
"explorer",
"error",
"powershell",
"yara rule",
"windows",
"t1055",
"warzonerat",
"avemaria",
"virtool",
"netwire",
"malware",
"hostile",
"autoit",
"defender",
"date",
"bq aug",
"next associated",
"ipv4 add",
"resolved ips",
"get http",
"request",
"win64",
"khtml",
"gecko",
"resolutions",
"number",
"ja3s",
"algorithm",
"cnr12 cus",
"cname",
"accept",
"port",
"gmt ifnonematch",
"screenshots no",
"involved dns",
"name response",
"nxdomain",
"tcp connections",
"involved direct",
"country name",
"moved",
"alone email",
"body doctype",
"gmt server",
"content type",
"service privacy",
"cve"
],
"references": [
"http://remote.edikamin.com/",
"http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C",
"http://deposito.hostance.net/dialer/",
"Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT",
"Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net",
"DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net",
"Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1",
"simswap.in (possible Mirai or relationship to)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Virgin Islands, British"
],
"malware_families": [
{
"id": "Trojan:Win32/Diamin.F",
"display_name": "Trojan:Win32/Diamin.F",
"target": "/malware/Trojan:Win32/Diamin.F"
},
{
"id": "Dialer",
"display_name": "Dialer",
"target": null
},
{
"id": "Win32:CabMod\\ [Drp]",
"display_name": "Win32:CabMod\\ [Drp]",
"target": null
},
{
"id": "TrojanDropper:Win32/Hupigon.gen!A",
"display_name": "TrojanDropper:Win32/Hupigon.gen!A",
"target": "/malware/TrojanDropper:Win32/Hupigon.gen!A"
},
{
"id": "ALF:HeraklezEval:PUA:Win32/Keygen",
"display_name": "ALF:HeraklezEval:PUA:Win32/Keygen",
"target": null
},
{
"id": "Trojan:Win32/Startpage.AEA",
"display_name": "Trojan:Win32/Startpage.AEA",
"target": "/malware/Trojan:Win32/Startpage.AEA"
},
{
"id": "Banload",
"display_name": "Banload",
"target": null
},
{
"id": "TrojanDownloader:Win32/Banload.D",
"display_name": "TrojanDownloader:Win32/Banload.D",
"target": "/malware/TrojanDownloader:Win32/Banload.D"
},
{
"id": "Win32:Evo-gen",
"display_name": "Win32:Evo-gen",
"target": null
},
{
"id": "!#AddsCopy-ToStartup",
"display_name": "!#AddsCopy-ToStartup",
"target": null
},
{
"id": "VirTool:Win32/AutInject.CZ!bit",
"display_name": "VirTool:Win32/AutInject.CZ!bit",
"target": "/malware/VirTool:Win32/AutInject.CZ!bit"
},
{
"id": "Win.Trojan.Agent-316098",
"display_name": "Win.Trojan.Agent-316098",
"target": null
},
{
"id": "virtool:Win32/Injector.gen!BQ",
"display_name": "virtool:Win32/Injector.gen!BQ",
"target": "/malware/virtool:Win32/Injector.gen!BQ"
},
{
"id": "WarzoneRAT - S0670",
"display_name": "WarzoneRAT - S0670",
"target": null
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
}
],
"industries": [
"Technology",
"Telecommunications",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4194,
"hostname": 1563,
"FileHash-SHA256": 2494,
"domain": 624,
"FileHash-MD5": 274,
"FileHash-SHA1": 226,
"email": 1,
"CVE": 1
},
"indicator_count": 9377,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "204 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687f33a5ddf830e2f3e5acac",
"name": "Trojan Dropper | Espionage | Keylogger affecting medical centers",
"description": "PII and PHI at risk. Highest access spyware available infiltrates a small niche medical center. \ntrojandropper, keyloggers, advanced spyware, monitored rooms , mitre att, ||\nIDS: PROTOCOL-ICMP PATH MTU denial of service attempt \u2022 PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\n\n\u2022 https://foundry2sdbl.dvr.dn2.n-helix.com/\n\u2022 https://www.pegasustech.net/products/mobility-barcode-scanning/Data-collector-mobile-computer\n\n\u2022 \nrobloxlogger.com\n\u2022\n\nhttps://video.welnext.com\n\u2022\nhttps://app1.oceantg.com/sta40/views/personnelscreenview.aspx",
"modified": "2025-08-21T06:00:20.607000",
"created": "2025-07-22T06:45:57.499000",
"tags": [
"pegasus",
"report spam",
"gotham foundry",
"espionage",
"spinal cord",
"injured created",
"minutes ago",
"strange",
"foundry",
"palantir",
"alexa",
"service",
"url http",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"ipv4",
"united",
"germany",
"singapore",
"netherlands",
"iran",
"india",
"search",
"domain",
"hostname",
"filehashmd5",
"filehashsha1",
"extraction",
"data upload",
"sc type",
"dren aeu",
"extr source",
"ur data",
"include",
"review exclude",
"sugges",
"mtu denial",
"matches rule",
"needed",
"df bit",
"unique rule",
"catalog tree",
"c0002 wininet",
"ta0005 command",
"control ta0011",
"get http",
"resolved ips",
"dns resolutions",
"cloudflare",
"flag",
"server",
"date",
"contacted hosts",
"ip address",
"process details",
"t1158",
"hidden",
"t1031",
"modify existing",
"t1053",
"taskjob",
"t1060",
"run keys",
"startup",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"command",
"found",
"itre att",
"show process",
"prefetch8",
"mitre att",
"show technique",
"ck matrix",
"windows nt",
"win64",
"khtml",
"gecko",
"april",
"hybrid",
"general",
"path",
"click",
"strings",
"entries",
"unknown ns",
"creation date",
"record value",
"showing",
"gmt content",
"accept encoding",
"encrypt",
"checked url",
"hostname server",
"response ip",
"address google",
"safe browsing",
"present jan"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2628,
"domain": 472,
"hostname": 880,
"FileHash-SHA256": 805,
"FileHash-MD5": 151,
"FileHash-SHA1": 128,
"CIDR": 1,
"SSLCertFingerprint": 3,
"email": 1
},
"indicator_count": 5069,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "241 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68596260a9ca6c4cc92ca068",
"name": "Delete service | Affects Threat Research Platforms",
"description": "Delete service attacking threat researchers platforms. Deletes , blocks, scrambles , attaches to accounts like an overlord monitoring and deletion of Io\u2019s across various platforms. \n\nIDS Rules: PROTOCOL-ICMP PATH MTU denial of service attempt\n\u2022 PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\n\u2022 Matches rule PROTOCOL-ICMP Echo Reply\nInteresting: TLS: SNI: slscr.update.microsoft.com\nSNI: nexusrules.officeapps.live.com\nSNI: login.live.com\nSNI: client.wns.windows.com",
"modified": "2025-08-20T04:13:22.641000",
"created": "2025-06-23T14:19:12.328000",
"tags": [
"ta0004 defense",
"evasion ta0005",
"command",
"control ta0011",
"oc0006",
"get http",
"resolved ips",
"dns resolutions",
"request",
"response",
"windows nt",
"win64",
"khtml",
"gecko",
"ip address",
"country name",
"cname",
"port",
"accept",
"gmt ifnonematch",
"url data",
"icmp",
"mutexes nothing",
"data",
"datacrashpad",
"edge",
"created",
"nothing",
"html internet",
"html document",
"ascii text",
"gtmkvjvztk dl"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2401,
"URL": 5856,
"FileHash-SHA256": 3473,
"domain": 2188,
"FileHash-MD5": 123,
"FileHash-SHA1": 120,
"CVE": 2
},
"indicator_count": 14163,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "242 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687d91b1a8f414040bfba430",
"name": "Spyware",
"description": "And I've been walking, talking\nBelieving the things that are true\nAnd I've been finding\nThe difference between right and wrong, bad and good\nSee me put things together\nPut them back where they belong\nWhen I look at each other\nHave I always been singing the same song?\n\nShe said\nThis is a perfect world\nRiding on an incline\nI'm staring in your face\nYou'll photograph mine\n\nI-I-I-I-I\nWhoo, ah-ha-ha\nHa-ha-ha-ha-ha-ha\n\nSomebody said that it happens all over the world\nI do believe that it's true (\u2022o\u2022)\n#spyware #MaaS #malvertizing #bullyfor$ #unethical #dangerous_tool",
"modified": "2025-08-20T00:01:59.498000",
"created": "2025-07-21T01:02:41.049000",
"tags": [
"serving ip",
"address",
"status",
"utc na",
"utc google",
"utc facebook",
"custom audience",
"tag manager",
"ua748443502",
"utc gtmwrp73mt",
"utc gsrdlm5jnx1",
"utc aw937838002",
"adsense na",
"connect",
"file type",
"status code",
"body length",
"kb body",
"sha256",
"powershell",
"b file",
"ta0004 defense",
"evasion ta0005",
"command",
"control ta0011",
"c0002 wininet",
"number",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"corporation cus",
"algorithm",
"cndigicert sha2",
"secure server",
"ca odigicert",
"inc cus",
"subject",
"cnwe1 ogoogle",
"trust",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft",
"get http",
"request",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"united",
"search",
"creation date",
"expiration date",
"name servers",
"unknown soa",
"germany unknown",
"entries",
"pulse submit",
"url analysis",
"date"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 304,
"hostname": 796,
"URL": 2590,
"FileHash-SHA256": 2735,
"FileHash-MD5": 253,
"FileHash-SHA1": 144,
"email": 1
},
"indicator_count": 6823,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "242 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "684a93360163e8802e213158",
"name": "ELF:Mirai AMAZON-02 - Autonomous System 65.0.0.0/14",
"description": "ELF:Mirai-BHZ\\ [Trj]\t\n65.0.0.0/14\nAutonomous System Number\n16509\nAutonomous System Label\nAMAZON-02\nRelated to \u2022 103.252.236.26 | \n\u2022 sr2.reliedhosting.com | \n.\u2022 http://planitair.com/ |\n\u2022 bgptools-wildcard-confirmed.acemalibu.com | \n\u2022 https://www.anyxxxtube.net/search-porn/tsara-brashears/ | \t\t\t\n\u2022 static.ads-twitter.com\t\n\u2022 https://twitter.com/PORNO_SEXYBABES\t\n\u2022 analytics.twitter.com\n\u2022 appleupdate.org\n\u2022 apps.apple.com\n\u2022 pin.it |\n\u2022 https://pin.it/ |\n\u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian Critical issue. Cyber weaponry [Unclear] Stealth contractual US cyber defense entity, endless DGA\u2019s. India IP block.\nAdversary named by bupyeongop:\n\ubd80\ud3c9\uc624\ud53c \ucd9c\uc7a5\ub9c8\uc0ac\uc9c0\uc548\ub0b4.COM \ubd80\ud3c9OP (massage service?)\n*DoS with many OTX features",
"modified": "2025-07-12T07:04:05.635000",
"created": "2025-06-12T08:43:34.719000",
"tags": [
"thumbprint",
"apnic",
"apnic whois",
"database",
"please",
"arin whois",
"north america",
"caribbean",
"africa",
"internet",
"iana",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"algorithm",
"v3 serial",
"number",
"cbe oglobalsign",
"r6 alphassl",
"validity",
"subject public",
"key info",
"key algorithm",
"key identifier",
"link",
"search",
"united",
"a domains",
"ip address",
"creation date",
"record value",
"date",
"showing",
"india unknown",
"status",
"passive dns",
"ipv4 add",
"pulse submit",
"url analysis",
"urls",
"files",
"location india",
"india asn",
"as133296 web",
"dns resolutions"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 28,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 27,
"domain": 2499,
"hostname": 2651,
"URL": 10986,
"CIDR": 2,
"FileHash-SHA256": 3596,
"email": 1,
"FileHash-MD5": 23,
"CVE": 7
},
"indicator_count": 19792,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "281 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "682fb4c264a51bf88115b6d2",
"name": "allegro.pl/uzytkownik/adam_f. vgt.pl , sanselo.pl, bipadorno.pl",
"description": "https://www.virustotal.com/gui/file/db7d7637c8fa698616282e31b1541082751601b27a3e71ad18caf138451c346a/relations\nhttps://allegro.pl/uzytkownik/adam_f./ogrod-1532",
"modified": "2025-06-22T07:00:28.087000",
"created": "2025-05-22T23:35:30.122000",
"tags": [
"whasz"
],
"references": [
"https://allegro.pl/uzytkownik/adam_f./ogrod-1532",
"https://allegro.pl/uzytkownik/adam_f.?srsltid=AfmBOoqX6vYV4qDgCzkkJhmipZLDrarI5MuggstojVsohtfiSM_s0jdd&dd_referrer=https://www.google.com/"
],
"public": 1,
"adversary": "fac1ec40eea5a4fc05f17e019328e287.wirus",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 163,
"FileHash-SHA1": 162,
"FileHash-SHA256": 1706,
"domain": 596,
"hostname": 1278,
"URL": 6163
},
"indicator_count": 10068,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "301 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68202d315a0f9044d7373ea7",
"name": "rfc2616-sec15.html https://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html",
"description": "https://www.virustotal.com/gui/file/cd38afac89700b27d877192c23aa88a6ac874289f143259b862af22b0b2479fc/behavior\nhttps://www.virustotal.com/gui/url/c323c1b50bd00b3909b20761bb512040888e6af10162160748bcaf48a56824b7/details\nHere is a full list of key words and phrases used by W3.org to describe the company's latest SSL-catering technology, which has been installed in Poland, Poland and England.",
"modified": "2025-05-11T04:53:05.386000",
"created": "2025-05-11T04:53:05.386000",
"tags": [
"gospodarowanie",
"beijing gu",
"china mobile",
"facebook",
"chiska grupa",
"budynek netease",
"ke yun",
"china unicom",
"hebei mobile",
"google",
"anycast cdn",
"ssl ca",
"wygasy niegodny",
"zaufania",
"ngaa tyumen",
"root ca",
"resolved ips",
"ip traffic"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 82,
"SSLCertFingerprint": 14,
"domain": 146,
"FileHash-SHA256": 295,
"URL": 626,
"hostname": 143,
"FileHash-MD5": 3
},
"indicator_count": 1309,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "343 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"Alt + Google \u2018branded\u2019 search engine (monitoring targets searches) YouTube mirroring.",
"Yara Detections BackdoorWin32Simda",
"http://glare.palantirfoundry.com/ \u2022 https://woodward.palantirfoundry.com/",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips",
"Researched publicly available information provided by representative of a target\u2019s estate",
"Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)",
"spph.ca",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"https://uhsinc.palantirfoundry.com/ \u2022 https://velocityglobal.palantirfoundry.com",
"simswap.in (possible Mirai or relationship to)",
"https://hs.ecam.com/your-challenges-ecams-solutions",
"IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022",
"https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
"https://meumundogay-com.sexogratis.page/locker",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"This information was brought to target by concerned entities who handled body.",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
"Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net",
"Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1",
"ubc.ca",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27",
"https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://listeners.usw-16.palantirfoundry.com \u2022 https://pacificlife.palantirfoundry.com/",
"IDS: TLS Handshake Failure",
"John 12:17",
"https://m.bigwetbutts.com/ tmi",
"https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"aptia.palantirfoundry.com \u2022 palantirfoundry.com \u2022\u2019agent-infra-mojito.palantirfoundry.com",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"Yara Detections : compromised_site_redirector_fromcharcode",
"September began with false information, defaulted claims , denials from authorized services rendered years prior.",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"Contact Information | The University of British Columbia",
"Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes",
"http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"millet-usgc-1.palantirfedstart.com",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A",
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"Google_Chrome_64bit_v136.0.7103.49.exe",
"Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://vtbehaviour.commondatastorage.googleapis.com/db4e2e018a3e7f1227d7ee73590290cbd2c5f85083d7d2cd2bfbfce2d86bc85b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1757802136&Signature=ZMB94nTTqlBqbckg%2Bto3APyffn72wQ8c%2BtAJCCTNE3HE7lF3WYAXyjdMPB0xKY6TVdQIXYiGj6C8cK925JJttjjW91Be%2BG5oJQ2Tkmou66cPgSgOdOAQEKXq2RNXSvvZUTKgJSbxJritEPsUDcE%2FOZrDG1fY%2FtVq7cxQdLdhKacpB%2FiFLNzlcCWDCLJtwGhyRwoESchlxvvy%2Bazy40CNs35Eiw1rci3tBqQS97F7mBV1GnSrz%2FFZKh",
"Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com",
"http://aemadev.gov.ab.ca",
"admin-contact-api.uat2.white-label-dating.com \u2022 capi-sns.qa1.white-label-dating.com \u2022 http://payments.uat1.white-label-dating.com",
"First they discredit you, wear you down mentally , hunt you down , then\u2026.They have to deal with God.",
"acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"https://allegro.pl/uzytkownik/adam_f./ogrod-1532",
"http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"https://pegasus.pahamify.com/",
"I am very upset. Whoever is doing this is sick.",
"IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
"Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"http://deposito.hostance.net/dialer/",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"Attackers : Christopher P. Ahmann , Hall Render , Brian Sabey & Co , Foundry , Tulach , Quasi government entities.",
"Alerts : recono_fingerprint antivm_memory_available",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net",
"IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
"1.organization.api.powerplatform.partner.microsoftonline.cn",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"chinaeast2.admin.api.powerautomate.cn",
"ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
"https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"tv.apple.com",
"chromeshorts.com mirroring YouTube.com googlechinablog.com \u2022 www.google.com \u2022 108.177.121.105",
"If someone is believed to be a threat they have right to due process.",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63",
"Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"http://remote.edikamin.com/",
"https://crt.sh/?q=alberta.ca",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"Alerts : network_http allocates_rwx suspicious_process stealth_window uses_windows_utilities",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.afa33b71-01ea-477c-bc01-f6a3ab623e9d/master",
"https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
"https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com",
"http://clients2.google.com/time/1/current?cup2key=8:ZnsjfqkCHZe8ziQKNl-PZVHX2EXyFv9m6Q0Dnd_a_t8&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html",
"equilibrium.palantirfoundry.com \u2022 kt-presales.palantirfoundry.com \u2022 paloma.palantirfoundry.com",
"Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"Pahamify Pegasus",
"ssa-gov.authorizeddns",
"Target agreed and complied with all lie detector measures.",
"Suspicious apps",
"OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist",
"https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com",
"http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"www.onyx-ware.com \u2022 https://www.endgamesystems.com/",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"iamrobert.com Y.A.S.",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"usw-2-dev.palantirfoundry.com \u2022 lucyw.palantirfoundry.com \u2022 https://fegdip.palantirfoundry.com/",
"Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains",
"https://families.google/intl/pt-PT_ALL/familylink/",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/",
"Moms body moved by Douglas County to Jefferson County after cause of death ruled natural causes.",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
"https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
"Jefferson County, Coroner falsely states Mom died in car accident in Lakewood on death certificate .",
"www.opencandy.com",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"These greedy people & government grifters steal money from victims, including life insurance policies",
"https://pegasus.pahamify.com/ \u2022 https://pegasus.pahamify.com/study-plan/ \u2022 pegasus.pahamify.com",
"Off subject: Don\u2019t try to kill Tucker Carlson for asking valid questions about an apparent murder Sam.",
"http://dasima-containers.palantirfoundry.com/ \u2022 https://glare.palantirfoundry.com/",
"https://allegro.pl/uzytkownik/adam_f.?srsltid=AfmBOoqX6vYV4qDgCzkkJhmipZLDrarI5MuggstojVsohtfiSM_s0jdd&dd_referrer=https://www.google.com/",
"www.endgame.com",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"CA-2020-01-12 05-18-26088DE56F-E544B574-D3166097-17FA11BC-45321A6D-v33.zip",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com",
"State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.",
"https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/",
"https://discuss.ai.google.dev/c/gemma/10",
"66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com",
"Alerts : suspicious_write_exe nids_exploit_alert process_martian injection_resumethread js_eval",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
"hmmm\u2026http://palander.stjernstrom.se/",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"https://wes.palantirfoundry.com/ \u2022 http://utilities-bootcamp.palantirfoundry.com/",
"IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
"https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd45176426a",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"Jeffrey Scott Reiner was considered a skilled predator by Bryan Counts MD. He later attacked target.",
"remotewd.com x 34 devices",
"mastodon.social",
"Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
"Environment Awareness : Able to access user sensitive domai",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com",
"IDS Detections: SMB-DS IPC$ unicode share access SMB-DS IPC$ share access",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
"System has placed affected on multiple policies cancelling private policy without notice.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"South Africa based: remote.advisoroffice.com",
"http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"www.ubc.ca",
"Colorado corruption will be exposed one day.",
"Target also owned an online brokerage & lead company, was agent & insurance marketer for years.",
"I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"IDS Detections : Possible ETERNALBLUE Probe MS17-010 (MSF style)",
"Discovery of targets pirated music led to her website down the next day! After 9 years?",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
"https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
"slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
"rmhumanservices.org",
"http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )",
"URL https://mailcatcher.qa2.white-label-dating.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"Targets mother died in her bed in Castke Rock, Douglasc County, Colorado",
"Sorry! I can\u2019t help being upset about the unfairness of this constant cruel harassment.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd458176426a",
"http://service.adultprovide.com/docs/records.htm?site=bigtitsboss",
"IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"Mirai: simswap.in",
"https://es.pornhat.com/models/the-sex-creator/",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545",
"Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
"Stop following targets relatives everywhere , associates. Stop circling former residence..",
"https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
"Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022",
"IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
"There is fear in silence or speaking out",
"Researched: https://hcpf.colorado.gov/",
"acc.lehigtapp.com - malware",
"https://inbound-message-listener-temporary-testing.palantirfoundry.com",
"https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
"https://forward.ro/",
"https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
"pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"Provided documented evidence of appealed state issued plan and disclosed financials.",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://www.mlkfoundation.net/ (Foundry DGA)",
"https://passwords.google/?utm_medium=hpp&utm",
"Targets mother passed in 2014. So much malicious activity obituary had to be taken down when hackers put target in obituary",
"Can the DoD no questions asked target a SA victim"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"APT 10",
"fac1ec40eea5a4fc05f17e019328e287.wirus"
],
"malware_families": [
"Malware",
"Pegasus",
"Ymacco",
"Trojan:win32/pariham.a",
"Win.trojan.agent-316098",
"Trojandownloader:win32/banload.d",
"Pua.optimizerpro/pcoptimizerpro",
"Der zugriff",
"Kanna",
"Atros.upk",
"Wannacry",
"Et",
"Trojan:win32/diamin.f",
"Onelouder",
"Trojan:win32/comisproc!gmb",
"Virus:win95/cerebrus",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Bayrob",
"Apnic",
"Win32:cabmod\\ [drp]",
"Upatre",
"Malwarex",
"All",
"Virtool:win32/ceeinject.akz!bit",
"Nivdort checkin",
"Alf:pulzati:worm:win32/mydoom",
"Win32:evo",
"Virtool:win32/autinject.cz!bit",
"Sova",
"Win32:malwarex",
"Trojandownloader:win32/upatre.a",
"Trojandropper:win32/vb.il",
"Trojan:bat/musecador",
"Foundry",
"Andromeda",
"Lizar",
"Win.trojan.nanocore-5",
"Trojan:win32/qbot.r!mtb",
"Win32:trojan",
"Rokrat",
"Win.malware.jaik-9968280-0",
"Trojan:win32/vflooder!rfn",
"Win32:dropper",
"Cobalt strike",
"Carbanak",
"Banload",
"Alf:heraklezeval:pua:win32/keygen",
"Tofsee",
"Win32:cleaman-k\\ [trj]",
"Trojandropper:win32/bcryptinject.b!msr",
"Sigur",
"Trojandownloader:win32/upatre",
"Warzonerat - s0670",
"#lowfi:hstr:virtool:win32/gendecnryptalgo.s02",
"Luhe.fiha.a",
"Win32:trojanx-gen\\ [trj]",
"Koobface",
"Trojandropper:win32/hupigon.gen!a",
"!#addscopy-tostartup",
"Artro",
"Domino",
"Cve-2023-22518",
"Backdoor:win32/plugx.n!dha",
"Bancos",
"#exploit:win32/cve- 2023 - 23397",
"Dialer",
"Mydoom",
"Win.malware.installcore-6950365-0",
"Pahamify pegasus",
"Win.ransomware.bitman-9862733-0",
"Sality",
"Autorunit",
"Trojan:win32/startpage.aea",
"Win.trojan.adinstall-2",
"Target saver",
"Bible gateway",
"Project nemesis",
"Apt 10",
"Win32:evo-gen",
"Trojanspy:win32/banker.ly",
"Asacky",
"Virtool:win32/injector.gen!bq",
"Hacktool",
"Psw.generic13",
"Hematite",
"Trojanspy",
"Malware + code overlap"
],
"industries": [
"Hospitality",
"Legal",
"Media",
"Healthcare",
"Education",
"Civil society",
"Financial",
"Golfing",
"Technology",
"Telecommunications",
"Targets",
"Government"
],
"unique_indicators": 179628
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/edgesv.net",
"whois": "http://whois.domaintools.com/edgesv.net",
"domain": "edgesv.net",
"hostname": "extensionwebstorebase.edgesv.net"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 26,
"pulses": [
{
"id": "6962b68da732abc66a0c2caf",
"name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus",
"description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else",
"modified": "2026-02-09T19:00:09.890000",
"created": "2026-01-10T20:29:01.675000",
"tags": [
"ip address",
"status code",
"kb body",
"iocs",
"deny age",
"cloudfront",
"utc google",
"tag manager",
"g8t6ln06z40",
"utc na",
"google tag",
"injection",
"t1055 malware",
"tree",
"help v",
"defense evasion",
"injection t1055",
"resolved ips",
"get http",
"dns resolutions",
"v memory",
"pattern domains",
"full reports",
"v help",
"memory pattern",
"urls https",
"hashes",
"tiktok",
"microsoft",
"dashboard falcon",
"request",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"appleid",
"united",
"name servers",
"aaaa",
"servers",
"moved",
"script urls",
"passive dns",
"urls",
"data upload",
"extraction",
"failed",
"jsvendor",
"jsapp",
"script script",
"cssapp",
"jsfirebase",
"pegasus",
"encrypt",
"title error",
"ipv4",
"files",
"reverse dns",
"united states",
"malware",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"execution att",
"t1204 user",
"script",
"beginstring",
"bad traffic",
"et info",
"null",
"title",
"refresh",
"span",
"strings",
"error",
"tools",
"meta",
"look",
"verify",
"restart",
"mitre att",
"ascii text",
"pattern match",
"ck matrix",
"tls handshake",
"hybrid",
"general",
"local",
"path",
"click",
"ck techniques",
"access att",
"div div",
"a li",
"ul div",
"record value",
"emails",
"accept",
"referen https",
"microsoft-falcon.net",
"proxy",
"status",
"certificate",
"updated date",
"whois server",
"zipcode",
"entries http",
"scans show",
"search",
"matches x",
"type",
"gmt cache",
"all ipv4",
"america flag",
"america asn",
"sameorigin",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results jan",
"ipv4 add",
"win32mydoom jan",
"trojan",
"worm",
"expiration date",
"files show",
"date hash",
"avast avg",
"win32mydoom",
"backdoor",
"found",
"gmt connection",
"control",
"content type",
"twitter",
"dynamicloader",
"medium",
"high",
"msie",
"wow64",
"slcc2",
"media center",
"write",
"global",
"domain name",
"hostname",
"apple",
"racebook",
"mouse movement",
"remote mouse",
"domain",
"hostname add",
"url analysis",
"crlf line",
"ff d5",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"f0 ff",
"ff bb",
"music",
"push",
"autorun",
"unknown",
"present sep",
"present may",
"present jan",
"present aug",
"cname",
"present nov",
"present jun",
"apache",
"body",
"pragma",
"found registry",
"able",
"model",
"indicator",
"source",
"show technique",
"file",
"internet",
"errore",
"erreur",
"download",
"service",
"crypto",
"compiler",
"installer",
"yang",
"updater",
"shutdown",
"thunk",
"este",
"install",
"reboot",
"code",
"downloader",
"sigur",
"kanna",
"der zugriff",
"google",
"chrome",
"Pahamify Pegasus",
"christoper p. ahmann",
"law enforcement",
"retaliation",
"phone",
"espionage",
"united states",
"m brian sabey",
"quasi government",
"target",
"monitored targeting",
"aig",
"therahand (old name)",
"target: tsara brashears",
"douglas county, co",
"sheriff",
"industry and commerce",
"worker\u2019s compensation",
"crime",
"financial crime",
"danger",
"nem tih",
"amazon",
"aws",
"amazon aws",
"deal",
"deal with it lawfully",
"pay victim",
"protecting reimer"
],
"references": [
"https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
"Pahamify Pegasus",
"Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
"https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
"https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
"tv.apple.com",
"dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
"Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A",
"IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
"IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
"IDS: TLS Handshake Failure",
"Yara Detections BackdoorWin32Simda",
"Google_Chrome_64bit_v136.0.7103.49.exe",
"https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Pariham.A",
"display_name": "Trojan:Win32/Pariham.A",
"target": "/malware/Trojan:Win32/Pariham.A"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Virus:Win95/Cerebrus",
"display_name": "Virus:Win95/Cerebrus",
"target": "/malware/Virus:Win95/Cerebrus"
},
{
"id": "AutoRunIt",
"display_name": "AutoRunIt",
"target": null
},
{
"id": "Sigur",
"display_name": "Sigur",
"target": null
},
{
"id": "Kanna",
"display_name": "Kanna",
"target": null
},
{
"id": "Der Zugriff",
"display_name": "Der Zugriff",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1029",
"name": "Scheduled Transfer",
"display_name": "T1029 - Scheduled Transfer"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1124",
"name": "System Time Discovery",
"display_name": "T1124 - System Time Discovery"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1213",
"name": "Data from Information Repositories",
"display_name": "T1213 - Data from Information Repositories"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1489",
"name": "Service Stop",
"display_name": "T1489 - Service Stop"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1529",
"name": "System Shutdown/Reboot",
"display_name": "T1529 - System Shutdown/Reboot"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1559",
"name": "Inter-Process Communication",
"display_name": "T1559 - Inter-Process Communication"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1569",
"name": "System Services",
"display_name": "T1569 - System Services"
},
{
"id": "T1570",
"name": "Lateral Tool Transfer",
"display_name": "T1570 - Lateral Tool Transfer"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1569.002",
"name": "Service Execution",
"display_name": "T1569.002 - Service Execution"
},
{
"id": "T1543.003",
"name": "Windows Service",
"display_name": "T1543.003 - Windows Service"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1055.003",
"name": "Thread Execution Hijacking",
"display_name": "T1055.003 - Thread Execution Hijacking"
},
{
"id": "T1134.001",
"name": "Token Impersonation/Theft",
"display_name": "T1134.001 - Token Impersonation/Theft"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1134.002",
"name": "Create Process with Token",
"display_name": "T1134.002 - Create Process with Token"
},
{
"id": "T1070.006",
"name": "Timestomp",
"display_name": "T1070.006 - Timestomp"
},
{
"id": "T1564.003",
"name": "Hidden Window",
"display_name": "T1564.003 - Hidden Window"
},
{
"id": "T1497.003",
"name": "Time Based Evasion",
"display_name": "T1497.003 - Time Based Evasion"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1497.002",
"name": "User Activity Based Checks",
"display_name": "T1497.002 - User Activity Based Checks"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1074.001",
"name": "Local Data Staging",
"display_name": "T1074.001 - Local Data Staging"
},
{
"id": "T1560.002",
"name": "Archive via Library",
"display_name": "T1560.002 - Archive via Library"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
}
],
"industries": [
"Civil Society",
"Legal",
"Government",
"Technology",
"Telecommunications",
"Financial"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6094,
"domain": 1195,
"hostname": 2001,
"FileHash-SHA256": 2598,
"FileHash-MD5": 546,
"FileHash-SHA1": 403,
"email": 16,
"CVE": 2,
"SSLCertFingerprint": 3
},
"indicator_count": 12858,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "69 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69612a0df518040b20932bef",
"name": "Pahamify Pegasus | Palantir Malicious delivery via Bible app downloaded from iOS App Store",
"description": "Pahamify Pegasus | Requires much further research.\nWorking backwards: Targeted device had a Bible Gateway app download by target from both iOS and Android devices. As per report each time app was accessed, iOS became glitched, passwords stolen, drive by compromise on lock screen prompted target to review app. She found the app login was changed to an unknown users name. I tested a (Bible Gateway) URI to see if her belief BG was a honey pot was true. \nThis may take 2-3 more rounds of research. \nIs Pegasus. Is Palantir. Is intrusive and malicious.\n\n[OTC auto generated Title: 2 Timothy 3 NIV - But mark this: There will be terrible - Bible Gateway]",
"modified": "2026-02-08T15:00:50.749000",
"created": "2026-01-09T16:17:17.632000",
"tags": [
"defense evasion",
"cor ta0011",
"techni process",
"application l",
"encrypted ch",
"christ jesus",
"just",
"final charge",
"timothy10",
"antioch",
"iconium",
"lystra",
"lord",
"holy scriptures",
"scripture",
"bible gateway",
"no expiration",
"expiration",
"a domains",
"present sep",
"united",
"present jun",
"meta",
"present oct",
"present aug",
"servers",
"title",
"data upload",
"extraction",
"palantir foundry",
"listeners",
"dev",
"redirects",
"redirect health",
"health data",
"utc google",
"utc na",
"script",
"utc amazon",
"bible",
"meta tags",
"read",
"bible reading",
"trackers google",
"anchor",
"analyse headers",
"contenttype",
"transferenco",
"connection",
"date fri",
"server",
"read c",
"as16509",
"rgba",
"unicode",
"execution",
"dock",
"write",
"persistence",
"jsvendor",
"jsapp",
"script script",
"cssapp",
"jsfirebase",
"moved",
"urls",
"pegasus",
"encrypt",
"script urls",
"record value",
"tls handshake",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"next",
"capture",
"malware",
"unknown",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"access att",
"t1189 driveby",
"html",
"mitre att",
"ck matrix",
"ascii text",
"pattern match",
"et info",
"bad traffic",
"hybrid",
"general",
"local",
"path",
"click",
"adversaries",
"execution att",
"t1204 user",
"t1480 execution",
"null",
"refresh",
"span",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"timothy",
"search",
"tag manager",
"g8t6ln06z40",
"code",
"css",
"js",
"router",
"cloudfront",
"John 12:17",
"port",
"yara rule",
"high",
"tofsee",
"rndhex",
"rndchar",
"destination",
"loaderid",
"lidfileupd",
"stream"
],
"references": [
"https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"https://pegasus.pahamify.com/",
"aptia.palantirfoundry.com \u2022 palantirfoundry.com \u2022\u2019agent-infra-mojito.palantirfoundry.com",
"equilibrium.palantirfoundry.com \u2022 kt-presales.palantirfoundry.com \u2022 paloma.palantirfoundry.com",
"usw-2-dev.palantirfoundry.com \u2022 lucyw.palantirfoundry.com \u2022 https://fegdip.palantirfoundry.com/",
"http://dasima-containers.palantirfoundry.com/ \u2022 https://glare.palantirfoundry.com/",
"https://inbound-message-listener-temporary-testing.palantirfoundry.com",
"https://listeners.usw-16.palantirfoundry.com \u2022 https://pacificlife.palantirfoundry.com/",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.afa33b71-01ea-477c-bc01-f6a3ab623e9d/master",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/",
"https://uhsinc.palantirfoundry.com/ \u2022 https://velocityglobal.palantirfoundry.com",
"https://wes.palantirfoundry.com/ \u2022 http://utilities-bootcamp.palantirfoundry.com/",
"http://glare.palantirfoundry.com/ \u2022 https://woodward.palantirfoundry.com/",
"https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/",
"https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd45176426a",
"https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd458176426a",
"https://pegasus.pahamify.com/ \u2022 https://pegasus.pahamify.com/study-plan/ \u2022 pegasus.pahamify.com",
"John 12:17"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Bible Gateway",
"display_name": "Bible Gateway",
"target": null
},
{
"id": "Pahamify Pegasus",
"display_name": "Pahamify Pegasus",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1608.004",
"name": "Drive-by Target",
"display_name": "T1608.004 - Drive-by Target"
},
{
"id": "T1608.005",
"name": "Link Target",
"display_name": "T1608.005 - Link Target"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6527,
"hostname": 2450,
"FileHash-SHA256": 1716,
"FileHash-MD5": 245,
"FileHash-SHA1": 134,
"domain": 1101,
"email": 3,
"SSLCertFingerprint": 8
},
"indicator_count": 12184,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "70 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "693596f8cd50958de6e9415c",
"name": "Eternal Blue Probe - YouTube - GSE",
"description": "EternalBlue is an exploit that targets a critical vulnerability (CVE-2017-0144, part of the larger MS17-010 security bulletin) in Microsoft's implementation of the Server Message Block (SMB) version 1 (SMBv1) protocol, which is used for file and printer sharing on Windows networks. \nVulnerability: The flaw allows an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system by sending specially crafted packets to the SMBv1 server.\nOrigin: The exploit was developed by the NSA but was stolen and publicly leaked in April 2017 by a hacker group known as the Shadow Brokers.\nMajor Attacks: Shortly after its leak, EternalBlue was used in major, widespread cyberattacks, most notably the WannaCry and NotPetya ransomware outbreaks, which caused massive global disruption. The self-propagating \"wormable\" nature of the exploit allowed malware to spread rapidly across networks.",
"modified": "2026-01-06T00:03:32.099000",
"created": "2025-12-07T15:02:16.840000",
"tags": [
"asn as8068",
"cloud provider",
"reverse dns",
"america flag",
"united",
"america asn",
"as8068",
"united states",
"avast avg",
"ids detections",
"yara detections",
"probe ms17010",
"smbds ipc",
"av detections",
"alerts",
"read c",
"medium",
"rgba",
"unicode",
"msf style",
"dock",
"write",
"execution",
"malware",
"eternal blue",
"check in",
"file score",
"medium risk",
"generic flags",
"ms17010",
"none alerts",
"less ip",
"contacted",
"matches",
"mirroring",
"chromeshorts",
"gse",
"google",
"youtube",
"dating apps",
"suspicious apps",
"search engine",
"redirect",
"eternalblue"
],
"references": [
"chromeshorts.com mirroring YouTube.com googlechinablog.com \u2022 www.google.com \u2022 108.177.121.105",
"IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
"IDS Detections : Possible ETERNALBLUE Probe MS17-010 (MSF style)",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
"IDS Detections: SMB-DS IPC$ unicode share access SMB-DS IPC$ share access",
"Environment Awareness : Able to access user sensitive domai",
"Alerts : suspicious_write_exe nids_exploit_alert process_martian injection_resumethread js_eval",
"Alerts : network_http allocates_rwx suspicious_process stealth_window uses_windows_utilities",
"Alerts : recono_fingerprint antivm_memory_available",
"www.endgame.com",
"admin-contact-api.uat2.white-label-dating.com \u2022 capi-sns.qa1.white-label-dating.com \u2022 http://payments.uat1.white-label-dating.com",
"URL https://mailcatcher.qa2.white-label-dating.com",
"Attackers : Christopher P. Ahmann , Hall Render , Brian Sabey & Co , Foundry , Tulach , Quasi government entities.",
"Alt + Google \u2018branded\u2019 search engine (monitoring targets searches) YouTube mirroring.",
"Suspicious apps"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 449,
"FileHash-MD5": 26,
"FileHash-SHA1": 6,
"FileHash-SHA256": 169,
"URL": 719,
"domain": 86,
"SSLCertFingerprint": 1
},
"indicator_count": 1456,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68db395368d6c4042517f3f3",
"name": "Target Saver M1 Agent TSA Spy \u2022 Mastadon - Hit Tip! Thanks!",
"description": "Hot Tip! I would love to give a shout out to the person who provided this information, I\u2019m not sure if they want to remain anonymous or not. Thank SO Much!\n\nSpyware and a source for distributing malicious media. Complete foothold\non networks, browsers, phones, search history and everything, massive streaming pornography distributed, members and contributors. \n\nVery important tip. I will analyze and break down into digestible pulse sizes.",
"modified": "2025-12-27T15:01:22.545000",
"created": "2025-09-30T01:58:43.592000",
"tags": [
"http traffic",
"match info",
"http get",
"info performs",
"dns query",
"https http",
"mitre att",
"evasion ta0005",
"creates",
"info",
"oc0006 http",
"wininet c0005",
"resolved ips",
"get http",
"html document",
"unicode text",
"dynamicloader",
"fe ff",
"medium",
"x00bx00",
"uswv",
"k uswv",
"search",
"high",
"delete c",
"yara detections",
"redline",
"guard",
"write",
"united",
"present sep",
"aaaa",
"passive dns",
"urls",
"next associated",
"found",
"x content",
"hacktool",
"trojan",
"error",
"lowfi",
"win32",
"worm",
"ip address",
"mtb apr",
"ransom",
"virtool",
"ain add",
"directui",
"element",
"classinfobase",
"ccbase",
"hwndhost",
"yara rule",
"hpavvalue",
"qaejh",
"name servers",
"cryp",
"emails",
"next related",
"domain related",
"no expiration",
"url http",
"url https",
"indicator role",
"hostname",
"email",
"present jun",
"present aug",
"present jul",
"servers",
"title",
"encrypt",
"altsvc h3",
"date tue",
"acceptranges",
"reportto",
"server",
"gmt expires",
"gmt contenttype",
"script",
"expiresthu",
"maxage63072000",
"pragma",
"google safe",
"unknown ns",
"files",
"location united",
"asn as15169",
"trojandropper",
"susp",
"creation date",
"asn as133618",
"tags",
"related tags",
"indicator facts",
"backdoor",
"ipv4 add",
"click",
"artro",
"target saver",
"trojanspy",
"reverse dns",
"america flag",
"443 ma2592000",
"hostname add",
"verdict",
"present mar",
"present jan",
"present dec",
"present apr",
"ipv4",
"type indicator",
"role title",
"related pulses",
"iocs",
"moved",
"downloads",
"apple",
"microsoft",
"hexagonsystem",
"mastadon",
"status",
"twitter",
"gmt content",
"easyredir cache",
"v4 add",
"redacted for",
"privacy tech",
"privacy admin",
"registrar abuse",
"available from",
"algorithm",
"key identifier",
"x509v3 subject",
"entity",
"code",
"date",
"dnssec",
"showing",
"unknown aaaa",
"sha256",
"sha1",
"ascii text",
"ck id",
"show technique",
"ck matrix",
"meta",
"hybrid",
"general",
"local",
"path",
"strings",
"copy md5",
"copy sha1",
"copy sha256",
"certificate"
],
"references": [
"FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63",
"mastodon.social",
"https://families.google/intl/pt-PT_ALL/familylink/",
"http://service.adultprovide.com/docs/records.htm?site=bigtitsboss",
"slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com",
"https://discuss.ai.google.dev/c/gemma/10",
"https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png",
"https://m.bigwetbutts.com/ tmi",
"Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89",
"Mirai: simswap.in",
"66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com",
"https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com",
"https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"display_name": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"target": null
},
{
"id": "Win.Ransomware.Bitman-9862733-0",
"display_name": "Win.Ransomware.Bitman-9862733-0",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Target Saver",
"display_name": "Target Saver",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Hacktool",
"display_name": "Hacktool",
"target": null
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Media",
"Legal",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2964,
"hostname": 1164,
"URL": 4334,
"domain": 956,
"FileHash-MD5": 476,
"FileHash-SHA1": 451,
"CVE": 1,
"email": 20,
"SSLCertFingerprint": 2
},
"indicator_count": 10368,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "113 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "690e8b773dc39921d88abd44",
"name": "Nanocore - Affected",
"description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|",
"modified": "2025-12-07T23:02:29.645000",
"created": "2025-11-08T00:14:47.600000",
"tags": [
"hgnvastlaiz",
"read c",
"medium",
"rgba",
"memcommit",
"delete",
"png image",
"unicode",
"dock",
"execution",
"malware",
"crlf line",
"speichermedium",
"productversion",
"fileversion",
"engine dll",
"internalname",
"einstellungen",
"comodo ca",
"limited st",
"yara detections",
"next pe",
"eula",
"policy",
"direct",
"opencandy",
"suspicious_write_exe",
"network_icmp",
"process_martian",
"present jun",
"present jul",
"domain",
"united",
"ip address",
"unknown ns",
"ms windows",
"intel",
"verisign",
"time stamping",
"unknown",
"class",
"write",
"markus",
"temple",
"msie",
"windows nt",
"get http",
"lehash",
"av detections",
"ids detections",
"alerts",
"file score",
"low risk",
"compromised_site_redirector_fromcharcode",
"present aug",
"passive dns",
"all ipv4",
"urls",
"files",
"hosting",
"america flag",
"win32",
"ipv4 add",
"signed file, valid signature. revoked.",
"united states",
"pws",
"atros",
"fiha",
"search",
"entries",
"present oct",
"next associated",
"show",
"high",
"wow64",
"slcc2",
"next",
"domain add",
"poland",
"poland unknown",
"ipv4",
"location poland",
"poland asn",
"et policy",
"pe exe",
"dll windows",
"amazon s3",
"location united",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"results feb",
"nanocore",
"url add",
"http",
"related nids",
"files location",
"flag united",
"malicious image",
"files domain",
"files related",
"pulses otx",
"related tags",
"resources whois",
"virustotal",
"present sep",
"status",
"present nov",
"present mar",
"trojan",
"script script",
"div div",
"link",
"a li",
"meta",
"sweden",
"invalid url",
"head title",
"title head",
"reference",
"bad request",
"server",
"netherlands",
"creation date",
"date",
"running server",
"ahmann",
"christopher",
"p",
"tam",
"legal",
"treece",
"alfrey",
"muscat",
"adversaries",
"cyber crime",
"quasi",
"government"
],
"references": [
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"www.opencandy.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"Yara Detections : compromised_site_redirector_fromcharcode",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Nanocore-5",
"display_name": "Win.Trojan.Nanocore-5",
"target": null
},
{
"id": "Win.Trojan.Adinstall-2",
"display_name": "Win.Trojan.Adinstall-2",
"target": null
},
{
"id": "PSW.Generic13",
"display_name": "PSW.Generic13",
"target": null
},
{
"id": "Atros.UPK",
"display_name": "Atros.UPK",
"target": null
},
{
"id": "Luhe.Fiha.A",
"display_name": "Luhe.Fiha.A",
"target": null
},
{
"id": "Pua.Optimizerpro/PCOptimizerPro",
"display_name": "Pua.Optimizerpro/PCOptimizerPro",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 753,
"FileHash-SHA1": 622,
"FileHash-SHA256": 4336,
"URL": 2448,
"domain": 300,
"hostname": 788,
"CVE": 1,
"email": 4
},
"indicator_count": 9252,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "133 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68feb98a8c1b75b4431a3e8e",
"name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?",
"description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.",
"modified": "2025-11-25T20:05:31.749000",
"created": "2025-10-27T00:15:06.191000",
"tags": [
"html internet",
"html document",
"ascii text",
"language",
"cve202323397",
"iframe tags",
"tag manager",
"gtmkvjvztk",
"anchor hrefs",
"info ta0011",
"protocol",
"layer protocol",
"port",
"t1571 encrypted",
"channel",
"t1573 malware",
"tree",
"oc0006 http",
"c0014",
"get http",
"dns resolutions",
"resolved ips",
"user",
"data",
"datacrashpad",
"edge",
"v full",
"reports v",
"chrome u",
"appdata local",
"googlechrome u",
"u ser",
"cname",
"ip address",
"http",
"accept",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"shutdown",
"extraction",
"suggested iocs",
"data upload",
"cry dee",
"stop",
"type",
"url indicator",
"enter",
"failed",
"se share",
"extrac",
"enter so",
"passive dns",
"urls",
"hostname add",
"pulse pulses",
"files",
"domain",
"files ip",
"address",
"location united",
"asn as20473",
"dynamicloader",
"directui",
"write c",
"intel",
"ms windows",
"pe32",
"element",
"delete c",
"document file",
"v2 document",
"explorer",
"trojandropper",
"write",
"markus",
"august",
"movie",
"insert",
"pulse submit",
"url analysis",
"asn as8068",
"united",
"entries",
"body",
"please",
"x msedge",
"ipv4 add",
"present sep",
"present oct",
"present feb",
"status",
"unknown ns",
"search",
"name servers",
"present jul",
"aaaa",
"present apr",
"trojan",
"medium",
"high",
"yara rule",
"globalc",
"june",
"malware",
"win64",
"unknown",
"america flag",
"twitter",
"hostname",
"domain add",
"reverse dns",
"america asn",
"present aug",
"a domains",
"moved",
"first pqc",
"unknown aaaa",
"title",
"meta",
"window",
"encrypt",
"pulse indicator",
"body doctype",
"welcome",
"ok server",
"gmt content",
"atlanta",
"abuse",
"agent",
"service",
"present jun",
"present may",
"creation date",
"record value",
"servers",
"libretv meta",
"certificate",
"value",
"whois lookup",
"loopia ab",
"userlolxxl"
],
"references": [
"http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist",
"It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!",
"pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz",
"Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com",
"docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips",
"https://hs.ecam.com/your-challenges-ecams-solutions",
"https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022",
"https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/",
"Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Wannacry",
"display_name": "Wannacry",
"target": null
},
{
"id": "Foundry",
"display_name": "Foundry",
"target": null
},
{
"id": "Trojan:Win32/Comisproc!gmb",
"display_name": "Trojan:Win32/Comisproc!gmb",
"target": "/malware/Trojan:Win32/Comisproc!gmb"
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "#Exploit:Win32/CVE- 2023 - 23397",
"display_name": "#Exploit:Win32/CVE- 2023 - 23397",
"target": "/malware/#Exploit:Win32/CVE- 2023 - 23397"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "ALF:PulZati:Worm:Win32/Mydoom",
"display_name": "ALF:PulZati:Worm:Win32/Mydoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 8,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 248,
"FileHash-SHA1": 134,
"FileHash-SHA256": 2661,
"URL": 6257,
"domain": 682,
"email": 8,
"hostname": 2077,
"CVE": 1
},
"indicator_count": 12068,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "145 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68fd0cc422cea2fd989581fd",
"name": "LevelBlue - Open Threat Exchange (Malicious Attacks)",
"description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.",
"modified": "2025-11-24T17:02:12.441000",
"created": "2025-10-25T17:45:40.291000",
"tags": [
"ipv4",
"levelblue",
"open threat",
"date sat",
"connection",
"etag w",
"cloudfront",
"sameorigin age",
"vary",
"ip address",
"kb body",
"gtmkvjvztk",
"utc gcfezl5ynvb",
"utc na",
"utc google",
"analytics na",
"utc linkedin",
"insight tag",
"learn",
"exchange og",
"levelblue open",
"threat exchange",
"exchange",
"google tag",
"iocs",
"search otx",
"included iocs",
"review iocs",
"data upload",
"extraction",
"layer protocol",
"v full",
"reports v",
"port t1571",
"t1573",
"oc0006 http",
"c0014",
"get http",
"dns resolutions",
"user",
"data",
"datacrashpad",
"edge",
"tag manager",
"us er",
"help files",
"shell",
"html",
"cve202323397",
"iframe tags",
"community score",
"url http",
"url https",
"united",
"united kingdom",
"netherlands",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"indicator role",
"title added",
"active related",
"otc oct",
"report spam",
"week ago",
"scan",
"learn more",
"filehashmd5",
"filehashsha1",
"domain",
"australia",
"does",
"josh",
"created",
"filehashsha256",
"present jul",
"present oct",
"date",
"a domains",
"script urls",
"for privacy",
"moved",
"script domains",
"meta",
"title",
"body",
"pragma",
"encrypt",
"ck ids",
"t1060",
"run keys",
"startup",
"folder",
"t1027",
"files",
"information",
"t1055",
"injection",
"capture",
"south korea",
"malaysia",
"pulses",
"fatal error",
"hacker known",
"name",
"unknown",
"risk",
"weeks ago",
"scary",
"sova",
"colorado",
"wire",
"name unknown",
"thursday",
"denver",
"types of",
"indicators hong",
"kong",
"tsara brashears",
"african",
"ethiopia",
"b8reactjs",
"india",
"america",
"x ua",
"hostname",
"dicator role",
"pulses url",
"airplane",
"icator role",
"t1432",
"access contact",
"list",
"t1525",
"image",
"security scan",
"heuristic oct",
"discovery",
"t1069",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1114",
"t1480",
"internal image",
"brian sabey",
"month ago",
"modified",
"days ago",
"green well",
"sabey stash",
"service",
"t1040",
"sniffing",
"t1045",
"packing",
"t1053",
"taskjob"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Sova",
"display_name": "Sova",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1022",
"name": "Data Encrypted",
"display_name": "T1022 - Data Encrypted"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1525",
"name": "Implant Internal Image",
"display_name": "T1525 - Implant Internal Image"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 956,
"FileHash-SHA1": 906,
"FileHash-SHA256": 2651,
"URL": 4450,
"domain": 708,
"hostname": 2403,
"CVE": 1,
"email": 5
},
"indicator_count": 12080,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "146 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68dff573cf17000ebca4e63f",
"name": "The University of British Columbia",
"description": "https://www.virustotal.com/gui/domain/ubc.ca\nhttps://www.virustotal.com/gui/file/2849292fde24ca7833a3fcde7852e6e76df178ea271e271d2d2b551c10033a09/details",
"modified": "2025-11-02T15:02:38.292000",
"created": "2025-10-03T16:10:27.760000",
"tags": [
"university",
"research",
"strong",
"ubc search",
"teaching",
"okanagan",
"bc canada",
"contact",
"skip",
"search ubc",
"find",
"back",
"user",
"cape sandbox",
"medium",
"http",
"matches rule",
"tls sni",
"memory pattern",
"size",
"date",
"info",
"shell",
"vhash",
"ssdeep",
"jjwad5 tlsh"
],
"references": [
"Contact Information | The University of British Columbia",
"spph.ca",
"www.ubc.ca",
"ubc.ca",
"CA-2020-01-12 05-18-26088DE56F-E544B574-D3166097-17FA11BC-45321A6D-v33.zip"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 29,
"FileHash-SHA256": 742,
"FileHash-MD5": 89,
"FileHash-SHA1": 42,
"URL": 243,
"hostname": 98
},
"indicator_count": 1243,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 124,
"modified_text": "168 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://extensionwebstorebase.edgesv.net",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://extensionwebstorebase.edgesv.net",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776642348.2165082
}