{
"type": "URL",
"indicator": "https://factis.my3cx.es",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://factis.my3cx.es",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4185837991,
"indicator": "https://factis.my3cx.es",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 6,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d69ecbc0497f97e28618",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:10.502000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "95 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6a601f06adcd1ed22fc",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:18.022000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "95 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6afd744c55bd596ed6e",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:27.248000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "95 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6975c5cd4db6104ea1a3d69b",
"name": "The Blender Foundation BouncyCastle-Virut | Malware /Stealer Empty FileHash | Eternal7 (Shadow Broker) Related",
"description": "Empty FileHash isn\u2019t benign. Interesting relationships to the Eternal 7. Malware, Stealer and Suspicious History File Operation. BouncyCastle-Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys / Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"modified": "2026-02-24T06:02:43.853000",
"created": "2026-01-25T07:27:09.640000",
"tags": [
"empty",
"blender",
"eurostile",
"augustin",
"butterfield",
"cook",
"drummer",
"erickson",
"fjsv",
"flynn",
"gorman",
"holmes",
"easy",
"rada",
"xanadu",
"config",
"reboot",
"screen",
"microsoft",
"commerce server",
"edition",
"draw",
"exchange server",
"tools",
"linux",
"ideal link",
"nsrl test",
"nist",
"file",
"cultureneutral",
"fix pack",
"free download",
"bouncycastle",
"read c",
"search",
"et trojan",
"w32kegotip cnc",
"whitelisted",
"ids detections",
"intel",
"write",
"trojan",
"malware",
"yara detections",
"productversion",
"fileversion",
"av detections",
"alerts",
"analysis date",
"file score",
"united",
"aaaa",
"passive dns",
"ip address",
"present dec",
"body html",
"head meta",
"title",
"urls",
"url https",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"beacon",
"et",
"ipv4",
"files",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"related pulses",
"show",
"win32virut",
"destination",
"port",
"ms windows",
"pe32",
"medium",
"suspicious",
"virustotal",
"startul",
"shadowbrokers",
"total",
"delete",
"artemis",
"win32.injector",
"trendmicro",
"data upload",
"extraction",
"included iocs"
],
"references": [
"The Blender Foundation",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"ET TROJAN W32/Kegotip CnC Beacon",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "BouncyCastle",
"display_name": "BouncyCastle",
"target": null
},
{
"id": "Sf:ShellCode-AU",
"display_name": "Sf:ShellCode-AU",
"target": null
},
{
"id": "Win.Trojan.Fareit-82",
"display_name": "Win.Trojan.Fareit-82",
"target": null
},
{
"id": "Win.Trojan.Agent-245901",
"display_name": "Win.Trojan.Agent-245901",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "W32/Kegotip CnC",
"display_name": "W32/Kegotip CnC",
"target": null
},
{
"id": "W32.Virut.ci",
"display_name": "W32.Virut.ci",
"target": null
},
{
"id": "Downloader.Generic13.CMTW",
"display_name": "Downloader.Generic13.CMTW",
"target": null
},
{
"id": "Downloader.Generic13.BOBZ",
"display_name": "Downloader.Generic13.BOBZ",
"target": null
},
{
"id": "Win.Trojan.Injector-12138",
"display_name": "Win.Trojan.Injector-12138",
"target": null
},
{
"id": "Generic36.ADTY",
"display_name": "Generic36.ADTY",
"target": null
},
{
"id": "Generic36.AIAA.Dropper",
"display_name": "Generic36.AIAA.Dropper",
"target": null
},
{
"id": "Generic36.AJSM",
"display_name": "Generic36.AJSM",
"target": null
},
{
"id": "Win32/Virut",
"display_name": "Win32/Virut",
"target": null
},
{
"id": "Win32/Ramnit.A",
"display_name": "Win32/Ramnit.A",
"target": null
},
{
"id": "Worm.Autorun-6180",
"display_name": "Worm.Autorun-6180",
"target": null
},
{
"id": "Hider.BIY",
"display_name": "Hider.BIY",
"target": null
},
{
"id": "Win.Trojan.Rootkit-4532",
"display_name": "Win.Trojan.Rootkit-4532",
"target": null
},
{
"id": "Win32/Blacked",
"display_name": "Win32/Blacked",
"target": null
},
{
"id": "Win32.Injector",
"display_name": "Win32.Injector",
"target": null
},
{
"id": "TrendMicro",
"display_name": "TrendMicro",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 71,
"FileHash-SHA256": 853,
"URL": 1639,
"domain": 288,
"FileHash-MD5": 78,
"hostname": 545
},
"indicator_count": 3474,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69754a5dd138f73f5cfdf78c",
"name": "EternalRocks (SHADOW BROKERS) MicroBotMassiveNet - NSA Exploits",
"description": "Exploited | Active | Continuous \n\u201cEternalRocks\u201d (also known as MicroBotMassiveNet) is a sophisticated computer worm discovered in May 2017 that targets Windows machines, utilizing seven different NSA-leaked exploits\u2014far more than the two used by the infamous WannaCry ransomware. Trend Micro and other security researchers highlighted the danger of this malware because, unlike WannaCry, it does not have a \"kill switch\" and is designed to create a backdoor for future, more severe, and adaptable attacks * While initially, it appeared to only act as a downloader for other tools, the danger lay in its potential to be weaponized for launching ransomware, Remote Access Trojans (RATs), or other malware at a later date. \nThank you Winston & Vogt",
"modified": "2026-02-23T19:02:00.548000",
"created": "2026-01-24T22:40:29.680000",
"tags": [
"regsetvalueexa",
"default",
"regdword",
"regbinary",
"module download",
"tls handshake",
"high",
"regsetvalueexw",
"malware",
"write",
"win32",
"ids detections",
"download tls",
"eternalrocks",
"nsa exploits",
"worm",
"cryptojackers",
"shadow brokers",
"ransom",
"ingress tool",
"channel",
"udp a83f8110",
"get http",
"get https",
"dns resolutions",
"root path",
"encrypted",
"native",
"required.exe",
"stolen toolset",
"cyber weapons",
"cyber warfare",
"autonomous",
"tor",
"dark web",
"black paper",
"nsa weapons",
"2017",
"tao?",
"targeting",
"breach",
"equation group tools",
"installer",
"stealer",
"apt",
"empty",
"not an exit node",
"empty file",
"tor relay router",
"traffic groups",
"traffic group 815",
"el tor",
"tor relay",
"traffic group 778",
"traffic group 238",
"traffic group 333",
"traffic group 333",
"node",
"traffic group 252",
"open_source_tool",
"confuserex",
"susp_net_name_confuserex",
"eternalrocks",
"svchost",
"eternalrocks_svchost_fr",
"obfuscated",
"susp_confuserex_obfuscated",
"encryption",
"module",
"msil",
"net",
"bing",
"android",
"libre",
"mcsf",
"microsoft",
"active attack",
"financial crimes",
"EternalBlue",
"EternalChampion",
"EternalRocks",
"Stealth",
"EternalSynergy",
"EternalRomance",
"checks-network-adapters",
"checks-user-input",
"crypto",
"detect-deb",
"environment",
"direct-cpu-clock-access",
"long-sleeps",
"runtime-modules"
],
"references": [
"EternalRocks MALWARE RANSOM TROJAN EVADER",
"The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded",
"With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.",
"Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual",
"Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A",
"IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure",
"Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,",
"Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i",
"NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,",
"EternalRomance, and EternalSynergy. Stealth",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches",
"Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)",
"Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp",
"Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches",
"Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich",
"Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)",
"Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems",
"Matches rule Windows Processes Suspicious Parent Directory by vburov",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules",
"Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt",
"Matches rule MALWARE-CNC DNS Fast Flux attempt",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815",
"Matches rule ET POLICY TLS possible TOR SSL traffic",
"Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex",
"Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware",
"Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)",
"Matches rule POLICY-OTHER TOR Project domain request",
"Dynamic sandbox CZAE flags this file as: STEALER",
"https://github.com/stamparm/EternalRocks",
"(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,",
"ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.",
"REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR",
"DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe",
"TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Matches rule Suspicious History File Operat Mikhail Larin, oscd.community",
"Matches rule SURICATA STREAM Packet with invalid timestamp"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "EternalRocks",
"display_name": "EternalRocks",
"target": null
},
{
"id": "CVE-2017-0148",
"display_name": "CVE-2017-0148",
"target": null
},
{
"id": "Exploit:PowerShell/CVE-2017-0143",
"display_name": "Exploit:PowerShell/CVE-2017-0143",
"target": "/malware/Exploit:PowerShell/CVE-2017-0143"
},
{
"id": "trojan.eternalrocks/shadowbrokers",
"display_name": "trojan.eternalrocks/shadowbrokers",
"target": null
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
}
],
"industries": [
"Finance",
"Government",
"Insurance",
"Civilians",
"Health"
],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 82,
"FileHash-SHA1": 76,
"FileHash-SHA256": 700,
"URL": 280,
"domain": 46,
"hostname": 233,
"CVE": 2
},
"indicator_count": 1419,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 147,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"div>
",
"https://github.com/stamparm/EternalRocks",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"EternalRocks MALWARE RANSOM TROJAN EVADER",
"Matches rule Windows Processes Suspicious Parent Directory by vburov",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A",
"Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems",
"Matches rule MALWARE-CNC DNS Fast Flux attempt",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"supply.qld.gov.au",
"Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Scanning Host: 13.107.246.70",
"Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"verify.gov.tl",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"It appears there are 5-7 known affected that I was able to find",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"ET TROJAN W32/Kegotip CnC Beacon",
"Same legal , and quasi governmental pattern identified",
"Matches rule ET POLICY TLS possible TOR SSL traffic",
"(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"iot.insitemaxdev.gov2x.com",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe",
"EternalRomance, and EternalSynergy. Stealth",
"Matches rule POLICY-OTHER TOR Project domain request",
"Requires further research.",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"https://jviwczq.zc-apple.com/",
"http://wonporn.com/top/Pakistani_Sucking",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.",
"api.optimizer.insitemaxdev.gov2x.com",
"I apologize for the lack of reference.",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"The Blender Foundation",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"Sprouts Farmers Market",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)",
"freedns.afraid.org",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"Sabey , Ahmann, Quasi Government, Government",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches",
"Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded",
"Malware Hosting: 13.107.226.70",
"http://blackrock.work.gd/",
"sprouts@em.sprouts.com?",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"ConventionEngine_Anomaly_MultiPDB_Double",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches",
"Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: drive.usercontent.google.com",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"Matches rule SURICATA STREAM Packet with invalid timestamp",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"https://l.us-1.a.mimecastprotect.com/l",
"Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich",
"okta-dev.gov2x.com",
"Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Alerts: cape_detected_threat https_ urls",
"With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778",
"Pegasus | A targets devices are obviously infiltrated",
"Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)",
"supplierportal.gov2x.com",
"Matches rule Suspicious History File Operat Mikhail Larin, oscd.community",
"Dynamic sandbox CZAE flags this file as: STEALER"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Exploit:powershell/cve-2017-0143",
"Win32.injector",
"Worm:win32/mofksys.rnd!mtb",
"Win.trojan.agent-245901",
"#lowfi:hookwowlow",
"Win.trojan.injector-12138",
"Et",
"Trendmicro",
"Worm.autorun-6180",
"Downloader.generic13.cmtw",
"Win32/blacked",
"Trojandownloader:win32/cutwail.bs",
"W32/kegotip cnc",
"Win32/virut",
"Alf:program:win32/webcompanion",
"Slf:win64/cobpipe.a",
"Win.trojan.rootkit-4532",
"Icedid",
"Win.trojan.emotet-9850453-0",
"Eternalrocks",
"Alf:trojan:win32/anorocuriv.a",
"#lowfienabledtcontinueafterunpacking",
"Cve-2017-0148",
"Bouncycastle",
"Generic36.ajsm",
"Pegasus",
"Sf:shellcode-au",
"Downloader.generic13.bobz",
"W32.virut.ci",
"Win32:evo-gen\\ [susp]",
"Win32:trojano-chf\\ [trj]",
"Generic36.aiaa.dropper",
"Virtool:win32/ceeinject.gen!ah",
"Win.trojan.fareit-82",
"Hider.biy",
"Win.trojan.vbgeneric-6735875-0",
"Generic36.adty",
"Win.downloader.3867-1",
"Win.trojan.cobaltstrike-9044898-1",
"Sf:shellcode-au\\ [trj]",
"Win.trojan.pushdo-15",
"Worm:win32/autorun!atmn",
"Trojan:win32/smkldr.h!mtb",
"Win32/ramnit.a",
"Trojan.eternalrocks/shadowbrokers",
"#lowfi:lua:dllsuspiciousexport.a",
"Mydoom"
],
"industries": [
"Retail",
"Insurance",
"Health",
"Telecom",
"Government",
"Civilians",
"Legal",
"Technology",
"Finance"
],
"unique_indicators": 36743
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/my3cx.es",
"whois": "http://whois.domaintools.com/my3cx.es",
"domain": "my3cx.es",
"hostname": "factis.my3cx.es"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 6,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d69ecbc0497f97e28618",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:10.502000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "95 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6a601f06adcd1ed22fc",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:18.022000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "95 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6afd744c55bd596ed6e",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:27.248000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "95 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6975c5cd4db6104ea1a3d69b",
"name": "The Blender Foundation BouncyCastle-Virut | Malware /Stealer Empty FileHash | Eternal7 (Shadow Broker) Related",
"description": "Empty FileHash isn\u2019t benign. Interesting relationships to the Eternal 7. Malware, Stealer and Suspicious History File Operation. BouncyCastle-Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys / Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"modified": "2026-02-24T06:02:43.853000",
"created": "2026-01-25T07:27:09.640000",
"tags": [
"empty",
"blender",
"eurostile",
"augustin",
"butterfield",
"cook",
"drummer",
"erickson",
"fjsv",
"flynn",
"gorman",
"holmes",
"easy",
"rada",
"xanadu",
"config",
"reboot",
"screen",
"microsoft",
"commerce server",
"edition",
"draw",
"exchange server",
"tools",
"linux",
"ideal link",
"nsrl test",
"nist",
"file",
"cultureneutral",
"fix pack",
"free download",
"bouncycastle",
"read c",
"search",
"et trojan",
"w32kegotip cnc",
"whitelisted",
"ids detections",
"intel",
"write",
"trojan",
"malware",
"yara detections",
"productversion",
"fileversion",
"av detections",
"alerts",
"analysis date",
"file score",
"united",
"aaaa",
"passive dns",
"ip address",
"present dec",
"body html",
"head meta",
"title",
"urls",
"url https",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"beacon",
"et",
"ipv4",
"files",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"related pulses",
"show",
"win32virut",
"destination",
"port",
"ms windows",
"pe32",
"medium",
"suspicious",
"virustotal",
"startul",
"shadowbrokers",
"total",
"delete",
"artemis",
"win32.injector",
"trendmicro",
"data upload",
"extraction",
"included iocs"
],
"references": [
"The Blender Foundation",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"ET TROJAN W32/Kegotip CnC Beacon",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "BouncyCastle",
"display_name": "BouncyCastle",
"target": null
},
{
"id": "Sf:ShellCode-AU",
"display_name": "Sf:ShellCode-AU",
"target": null
},
{
"id": "Win.Trojan.Fareit-82",
"display_name": "Win.Trojan.Fareit-82",
"target": null
},
{
"id": "Win.Trojan.Agent-245901",
"display_name": "Win.Trojan.Agent-245901",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "W32/Kegotip CnC",
"display_name": "W32/Kegotip CnC",
"target": null
},
{
"id": "W32.Virut.ci",
"display_name": "W32.Virut.ci",
"target": null
},
{
"id": "Downloader.Generic13.CMTW",
"display_name": "Downloader.Generic13.CMTW",
"target": null
},
{
"id": "Downloader.Generic13.BOBZ",
"display_name": "Downloader.Generic13.BOBZ",
"target": null
},
{
"id": "Win.Trojan.Injector-12138",
"display_name": "Win.Trojan.Injector-12138",
"target": null
},
{
"id": "Generic36.ADTY",
"display_name": "Generic36.ADTY",
"target": null
},
{
"id": "Generic36.AIAA.Dropper",
"display_name": "Generic36.AIAA.Dropper",
"target": null
},
{
"id": "Generic36.AJSM",
"display_name": "Generic36.AJSM",
"target": null
},
{
"id": "Win32/Virut",
"display_name": "Win32/Virut",
"target": null
},
{
"id": "Win32/Ramnit.A",
"display_name": "Win32/Ramnit.A",
"target": null
},
{
"id": "Worm.Autorun-6180",
"display_name": "Worm.Autorun-6180",
"target": null
},
{
"id": "Hider.BIY",
"display_name": "Hider.BIY",
"target": null
},
{
"id": "Win.Trojan.Rootkit-4532",
"display_name": "Win.Trojan.Rootkit-4532",
"target": null
},
{
"id": "Win32/Blacked",
"display_name": "Win32/Blacked",
"target": null
},
{
"id": "Win32.Injector",
"display_name": "Win32.Injector",
"target": null
},
{
"id": "TrendMicro",
"display_name": "TrendMicro",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 71,
"FileHash-SHA256": 853,
"URL": 1639,
"domain": 288,
"FileHash-MD5": 78,
"hostname": 545
},
"indicator_count": 3474,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69754a5dd138f73f5cfdf78c",
"name": "EternalRocks (SHADOW BROKERS) MicroBotMassiveNet - NSA Exploits",
"description": "Exploited | Active | Continuous \n\u201cEternalRocks\u201d (also known as MicroBotMassiveNet) is a sophisticated computer worm discovered in May 2017 that targets Windows machines, utilizing seven different NSA-leaked exploits\u2014far more than the two used by the infamous WannaCry ransomware. Trend Micro and other security researchers highlighted the danger of this malware because, unlike WannaCry, it does not have a \"kill switch\" and is designed to create a backdoor for future, more severe, and adaptable attacks * While initially, it appeared to only act as a downloader for other tools, the danger lay in its potential to be weaponized for launching ransomware, Remote Access Trojans (RATs), or other malware at a later date. \nThank you Winston & Vogt",
"modified": "2026-02-23T19:02:00.548000",
"created": "2026-01-24T22:40:29.680000",
"tags": [
"regsetvalueexa",
"default",
"regdword",
"regbinary",
"module download",
"tls handshake",
"high",
"regsetvalueexw",
"malware",
"write",
"win32",
"ids detections",
"download tls",
"eternalrocks",
"nsa exploits",
"worm",
"cryptojackers",
"shadow brokers",
"ransom",
"ingress tool",
"channel",
"udp a83f8110",
"get http",
"get https",
"dns resolutions",
"root path",
"encrypted",
"native",
"required.exe",
"stolen toolset",
"cyber weapons",
"cyber warfare",
"autonomous",
"tor",
"dark web",
"black paper",
"nsa weapons",
"2017",
"tao?",
"targeting",
"breach",
"equation group tools",
"installer",
"stealer",
"apt",
"empty",
"not an exit node",
"empty file",
"tor relay router",
"traffic groups",
"traffic group 815",
"el tor",
"tor relay",
"traffic group 778",
"traffic group 238",
"traffic group 333",
"traffic group 333",
"node",
"traffic group 252",
"open_source_tool",
"confuserex",
"susp_net_name_confuserex",
"eternalrocks",
"svchost",
"eternalrocks_svchost_fr",
"obfuscated",
"susp_confuserex_obfuscated",
"encryption",
"module",
"msil",
"net",
"bing",
"android",
"libre",
"mcsf",
"microsoft",
"active attack",
"financial crimes",
"EternalBlue",
"EternalChampion",
"EternalRocks",
"Stealth",
"EternalSynergy",
"EternalRomance",
"checks-network-adapters",
"checks-user-input",
"crypto",
"detect-deb",
"environment",
"direct-cpu-clock-access",
"long-sleeps",
"runtime-modules"
],
"references": [
"EternalRocks MALWARE RANSOM TROJAN EVADER",
"The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded",
"With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.",
"Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual",
"Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A",
"IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure",
"Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,",
"Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i",
"NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,",
"EternalRomance, and EternalSynergy. Stealth",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches",
"Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)",
"Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp",
"Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches",
"Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich",
"Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)",
"Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems",
"Matches rule Windows Processes Suspicious Parent Directory by vburov",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules",
"Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt",
"Matches rule MALWARE-CNC DNS Fast Flux attempt",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815",
"Matches rule ET POLICY TLS possible TOR SSL traffic",
"Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex",
"Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware",
"Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)",
"Matches rule POLICY-OTHER TOR Project domain request",
"Dynamic sandbox CZAE flags this file as: STEALER",
"https://github.com/stamparm/EternalRocks",
"(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,",
"ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.",
"REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR",
"DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe",
"TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Matches rule Suspicious History File Operat Mikhail Larin, oscd.community",
"Matches rule SURICATA STREAM Packet with invalid timestamp"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "EternalRocks",
"display_name": "EternalRocks",
"target": null
},
{
"id": "CVE-2017-0148",
"display_name": "CVE-2017-0148",
"target": null
},
{
"id": "Exploit:PowerShell/CVE-2017-0143",
"display_name": "Exploit:PowerShell/CVE-2017-0143",
"target": "/malware/Exploit:PowerShell/CVE-2017-0143"
},
{
"id": "trojan.eternalrocks/shadowbrokers",
"display_name": "trojan.eternalrocks/shadowbrokers",
"target": null
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
}
],
"industries": [
"Finance",
"Government",
"Insurance",
"Civilians",
"Health"
],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 82,
"FileHash-SHA1": 76,
"FileHash-SHA256": 700,
"URL": 280,
"domain": 46,
"hostname": 233,
"CVE": 2
},
"indicator_count": 1419,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 147,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://factis.my3cx.es",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://factis.my3cx.es",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780241725.5154738
}