{ "type": "URL", "indicator": "https://fonts.googleapis.com/css", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://fonts.googleapis.com/css", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #5790", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain googleapis.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain googleapis.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2298287843, "indicator": "https://fonts.googleapis.com/css", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69d967590f40c612c90ce84f", "name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated", "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.", "modified": "2026-04-19T09:05:10.432000", "created": "2026-04-10T21:10:49.749000", "tags": [ "malicious", "Microsoft", "intent: reckless", "wiper", "Transip", "bankers document gone rogue", "Tehran", "pdfkit.net", "United", "broken Docusign seal", "esign violation", "us lawyers", "Iran", "IP Abuse US", "Spreader", "corruption that spread", "52.123.250.180", "Mass Data Loss and exfiltration", "Docusign exploited by insecure workflows", "Adobe exploited by insecure workflows", "threat map", "Infra / healthcare / more at risk from this negligence", "remediation: long. expire the certs. block 53..", "accountability, NOW.", "Burned", "Kitplay", "iOS", "Watering hole", "Webkit", "Religious Regime", "MS Office", "Compliance Hold Purgatory", "WIN EXE.32", "Firmware neutral", "Trusted Insider", "DKIM, SPF, DMARC Failures", "APKmirror", "ILOVEYOUBABY", "No Problems", "Christmas Tree EXEC Code Red worm Computer virus Nimda", "Wanna Cry", "APK", "DC RAT", "Emotnet", "Redline Swiper", "Open Door", "Bankers Document", "Y2K", "wsscript.exe, VBE", "Compliance Lock Trap", "Globalsign 2020 (potentially exploited)", "Heuristic Smear", "Gatsby Library Loader DLL", "w31999", "UofA" ], "references": [ "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.", "People who exploit this put the US at risk. Bottom line.", "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The", "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.", "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader", "", "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815", "This document might expose someone, more than another.", "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.", "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.", "Micro - Dates to look for specific: April/May/June 2025", "Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off", "Amazon- Check new cert subscribers on or around Sept 15 2025", "Entrust to Sectigo- Review vendors", "Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities", "CA DMV- 2020 exploits, if even exist in your records, may be related.", "Digi/Global Sign - audit 2020 digital intersect", "Proton.me/Zenbox: Audit July 2025", "Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025", "APKMirror https://www.apkmirror.com", "Google Docs 1.25.202.02 APK Download by Google LLC", "The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.", "Y2K", "US, Philippines, Ukraine, Iran, China. Alberta.", "France", "Germany, Austria, and Switzerland GmbH", "Gatsby Library Loader, DLL", "Spellbinding! Indeed. SpellEditor.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications" ], "TLP": "green", "cloned_from": "69a82c54067ca1d502b1eb6c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3516, "hostname": 1614, "CVE": 7, "URL": 1806, "domain": 1416, "IPv4": 888, "FileHash-MD5": 731, "FileHash-SHA1": 787, "CIDR": 6, "email": 27, "IPv6": 10, "JA3": 2 }, "indicator_count": 10810, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "2 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "3 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dc04c12782d2d76c111a93", "name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked", "description": "", "modified": "2026-04-12T20:46:57.338000", "created": "2026-04-12T20:46:57.338000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "IPv4": 322, "SSLCertFingerprint": 24, "email": 2, "IPv6": 1 }, "indicator_count": 5321, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69db4f2dc509a1e8210f1b68", "name": "CAPE Sandbox", "description": "CivicPlus, LLC (ICONE-2) is a US-based company with a name that includes the word \"CIVICPLUS\", \"civicplus\", and \"icon Enterprises, Inc\".", "modified": "2026-04-12T08:36:17.724000", "created": "2026-04-12T07:52:13.594000", "tags": [ "network admin", "civicplus", "net192", "net1920000", "houston", "suite e", "city", "server", "select contact", "domain holder", "date", "form", "submission", "ssdeep", "file type", "text text", "magic unicode", "utf8", "crlf line", "trid text", "magika txt", "file size", "chatgpt", "doctype html", "meta", "ai system", "research", "preview", "gmt server", "self", "dynamic", "html info", "title chatgpt", "meta tags", "thumbprint" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/528831360d5c49743bf0dcf9cb0af1f76c694de9dfff79b32098d68c3c592f8a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775980441&Signature=QefJtz2s096UJTV1NljpeJrvdFWJBbHJre5UDOJQeemvu9EGI8UaxLTPvZxejJToeSgqCCu4zCWniB2V9Xer1ozcM5Vy2xhgRO%2BaFeWFRkjfd5yRyZIGLi65ORYA2oyDhTBUZuQco3NNHZWaS0mWYOpAI662c%2BecYNp5SJTXMB4oKzu9bstiszUfM1HNlWjSpySaxCD4j34gZFgiv5xZGW34IcBSvzfQUWECgUu6jW5Pu4Rr%2FH5TJS%2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 602, "domain": 166, "email": 37, "hostname": 837, "FileHash-MD5": 125, "FileHash-SHA1": 136, "FileHash-SHA256": 1230, "IPv4": 399 }, "indicator_count": 3534, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d45ab2e634e02113fd7435", "name": "SkyDog Con 2016 CTF", "description": "< SkyDog Con 2016 CTF has been revealed in a series of hex-h hashes, revealing the names of the participants, Bots, and other key characters, as well as details of how the challenge was organised.>", "modified": "2026-04-07T03:49:17.647000", "created": "2026-04-07T01:15:30.623000", "tags": [ "plain text", "found", "javascript file", "ssh service", "ssl certificate", "skydog con", "legend begins", "earlier", "welcome home", "context", "md5 hash" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "domain": 13, "FileHash-SHA1": 2, "URL": 77, "hostname": 26, "FileHash-SHA256": 40, "CVE": 2 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ca434ee788ab3d090e6013", "name": "PDFKIT.NET - Trust Bypass Continued Concerns", "description": "A complete list of key facts and statistics:..3-magnitude-based data-sharing platform, which was first created in 2003, has been published by the University of Oxford.<-- Pretext. Msudosos: Ongoing concerns persist regarding the use of the pdfkit.net library in specific DMV versions, which may allow for trust bypass across multiple platforms. Research indicates that isolating affected areas or voiding certificates will not remediate this issue, as the corrupted trusted root persists even after firmware-level restores.", "modified": "2026-04-07T02:11:33.275000", "created": "2026-03-30T09:33:02.363000", "tags": [ "fcc", "trust bypass", "pi", "hollow-root", "pdfkit.net", "cryptographically-invalid", "Docusign as an exploit", "gov / infra / healthcare / mun", "education", "US", "globalsign2020", "noend--point.", "null" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "Italy", "United States of America" ], "malware_families": [ { "id": "Stefan", "display_name": "Stefan", "target": null } ], "attack_ids": [ { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [ "Telecommunications", "Education", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "IPv4": 8, "domain": 39, "email": 4, "hostname": 60, "FileHash-SHA1": 47, "FileHash-SHA256": 209, "FileHash-MD5": 42, "CVE": 1 }, "indicator_count": 487, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1396bb42208f8aa25b8ae", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:43.680000", "created": "2026-04-04T16:16:43.680000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1395ab63bf8e8d2c384eb", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:26.128000", "created": "2026-04-04T16:16:26.128000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa41b0d714318bf8937184", "name": "W.Vashti .Net obfuscator clone", "description": "", "modified": "2026-04-04T00:06:41.423000", "created": "2026-03-06T02:53:36.216000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": "6952d4fc6910b0b866746d8a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1969, "URL": 5700, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10779, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a552fd9d101a62085afa08", "name": "48f3d614d7a5bb1d98de0387af6f48fb8d08f892982821bbe9fd7dc867185454", "description": "More to come. #acoupleofbadapples", "modified": "2026-04-01T09:17:38.908000", "created": "2026-03-02T09:06:05.279000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 45, "FileHash-SHA256": 202, "CIDR": 2, "URL": 24, "domain": 121, "hostname": 23, "email": 6 }, "indicator_count": 462, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c1e12737e9fbfd330fdc22", "name": "alphamountain.ai", "description": "DGA domain", "modified": "2026-03-25T02:48:08.520000", "created": "2026-03-24T00:56:07.456000", "tags": [ "united", "unknown", "asnone country", "aaaa", "present jun", "present jul", "present sep", "moved", "a domains", "passive dns", "title", "date", "zeppelin", "accept", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 275, "FileHash-MD5": 8, "FileHash-SHA1": 12, "FileHash-SHA256": 4, "IPv4": 48, "IPv6": 203, "domain": 19, "hostname": 137 }, "indicator_count": 706, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c06ca9341d6c063f652e33", "name": "ETERNALBLUE Probe MS17-010 | Wannacry Ransomware Domain - related to NSO Group Pegasus", "description": "Quasi governmental, Healthcare Law Firms , legal entities , as well as direct safety threats such as NSO Group Pegasus, Enterprise Cellebrite (in references) and other dangerous intimidation and life endangering tactics directed against a crime victim. Continuous harassment and threats of violence against victims family including 83 yo father. Veteran & hand picked Sr Systems Analyst and Engineer for Aegis Weapon System Team of 24. You\u2019re welcome America.. Victim left zero evidence with family. Documents shredded. Data stolen by parties named. She isn\u2019t the only one. These people do this for a living. Abuse of Palantir & Foundry tools.", "modified": "2026-03-22T22:26:49.205000", "created": "2026-03-22T22:26:49.205000", "tags": [ "ransomware", "united", "search", "asnone", "regsetvalueexa", "service", "regdword", "medium", "get na", "malware", "dock", "push", "write", "win32", "playgame", "unknown", "exploit", "cve", "wncry", "wannacry", "passive dns", "urls", "british virgin", "all url", "http", "ip address", "related nids", "files location", "virgin islands", "islands", "bgp", "virgin islands", "hijacked", "data upload", "extraction", "failed", "review iocs", "include ovo", "tovary review", "ids detec", "yara dete", "trior texarag", "drop or", "rrowse", "type", "extra data", "hurricane electric", "p2404", "p11629470400", "p11629107633", "artifacts v", "full reports", "v help", "info", "low l", "high ta0002", "techniques", "t1053", "command", "scripting inte", "low ta0003", "techniques high", "t1053 ite", "modify system", "pl t1543", "boot", "logon autostart", "ex t1547", "checks-disk-space", "checks-network-adapters", "detect-debug-environment", "direct-cpu-clock-access", "long-sleeps", "runtime-modules", "get http", "head http", "dns resolutions", "ip traffic", "53 tcp", "tls sni", "apple id", "webdisk", "expiration", "url http", "hostname", "no expiration", "iocs", "url https", "es included", "win32 exe", "pe32 executable", "ms windows", "intel", "ms visual", "win32 dynamic", "link library", "win16 ne", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "t1204 user", "defense evasion", "over", "mitre att", "ck matrix", "ascii text", "hybrid", "general", "local", "path", "click", "strings", "javascript", "ssl certificate", "encrypt", "accept", "russia unknown", "meta", "record value", "aaaa", "link", "present jun", "apple", "remote access", "otx logo", "all ipv4", "url analysis", "files", "accept ch", "present dec", "content type", "x pcrew", "name servers", "present may", "body doctype", "title", "all domain", "servers", "china unknown", "found content", "gmt p3p", "cp oti", "dsp cor", "iva our", "ind com", "domain", "cname", "entries", "brian sabey", "hallrender", "christopher ahmann", "t1480 execution", "discovery att", "heur", "virtool", "win64", "mtb win32", "backdoor", "location china", "hangzhou", "china asn", "ransom", "wannadecryptor", "filehash", "yara detections", "msvisualcpp60", "related tags", "none file", "type pexe", "copy", "beginstring", "null", "refresh", "body", "span", "error", "tools", "look", "verify", "restart", "expl", "unknown cname", "hacktool", "domain address", "contacted hosts", "process details", "flag", "ipv4 add", "location united", "america flag", "exploit", "show", "all filehash", "expiration date", "gmt location", "gmt max", "domain add", "elite", "date", "cowboy", "United States", "present feb", "present oct", "creation date", "present nov", "moved", "emails" ], "references": [ "http://ww17.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/", "Win32:CVE-2017-0147-B\\ [Expl] , Win.Ransomware.WannaCry-6313787-0 , Exploit:Win32/CVE-2017-0147.A", "IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection SMB-DS", "IDS Detections: IPC$ share access \u2022 SMB-DS IPC$ unicode share access \u2022 403 Forbidden", "Yara Detections: WannaCry_Ransomware , Wanna_Cry_Ransomware_Generic , WannaDecryptor", "Yara Detections: MS17_010_WanaCry_worm , stack_string , MS_Visual_Cpp_6_0 , Armadillov1xxv2xx", "Alerts: network_icmp nolookup_communication persistence_autorun modifies_proxy_wpad", "Alerts: network_cnc_http network_http allocates_rwx creates_exe creates_hidden_file", "Alerts: creates_service stealth_window antivm_network_adapters checks_debugger", "Alerts: peid_packer pe_unknown_resource_name", "IP\u2019s Contacted: 103.224.212.220 105.242.60.208 117.13.61.219 117.180.208.83 12.105.46.122", "IP\u2019s Contacted: 121.105.233.189 128.251.173.246 13.248.148.254 132.124.155.52 139.246.30.108", "Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "Domains Contacted: ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "FileHash-SHA256 002dee2db8b07b98b543ad99d0dd4e3e0ba7624f956d719ba803f57b426e30e7", "Names: Photo.scr \u2022 85115B0142902832C864B3009CAB1A00.RS (names of FileHash above)", "Crowdsourced IDS: Matches rule MALWARE-CNC DNS", "Crowdsourced IDS: Fast Flux attempt Matches rule ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)", "Crowdsourced IDS: Matches rule ET POLICY PE EXE or DLL Windows file download HTTP", "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn", "apple.com-verify.account.manage.test2.aptaforum.com.cn", "appleid.apple.com-signin-8491e.test2.aptaforum.com.cn", "appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn", "web-secure-appleid-login.com.test2.aptaforum.com.cn", "http://apple.com-verify.account.manage.test2.aptaforum.com.cn/", "http://appleid.apple.com-signin-8491e.test2.aptaforum.com.cn/", "http://apple.sweetycat.com/ \u2022 https://apple.sweetycat.com/", "findmy.apple-uk.live", "apple.haipaoapp.com \u2022 http://apple.haipaoapp.com \u2022 http://apple.haipaoapp.com/ \u2022 https://apple.haipaoapp.com/", "http://apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn/", "http://appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn/", "http://web-secure-appleid-login.com.test2.aptaforum.com.cn/", "Trojan/JS.Redirector.QNO SHA256:9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc", "VO7MU1HA.htm : https://hybrid-analysis.com/sample/9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc", "https://hybrid-analysis.com/sample/a638ece11c81bcac0002363eb3f75de35a46ce0e080b5de41162093181079a6b/69c018efcb875e4fb30cdfcc", "https://hybrid-analysis.com/sample/09610b7c855ef132a31f2e0136b4d62b9dbb04c6fcb42160d6d8409ef6394e40/69c0189c5e0483a78907cc39", "KeenDNS | keendnsaclremote805717135272048.qeenetic.link", "https://fonts.googleapis.com/css", "http://e7.c.lencr.org/74.crl \u2022 http://e7.i.lencr.org/", "Quasi Gov - Law firms stole victims clouds. Evidence, $Intellectual property, Memories of & victims family. Merciless", "www.remoteaccess.allied-media.com", "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn", "aptaforum.com.cn 182.61.201.90 , 182.61.201.91 China ASN AS38365 beijing baidu netcom science and technology co. ltd", "Emails:yejun.shou@yxips.com Name:\u7ebd\u8fea\u5e0c\u4e9a\u751f\u547d\u65e9\u671f\u8425\u517b\u54c1\u7ba1\u7406(\u4e0a\u6d77)\u6709\u9650\u516c\u53f8 Name Servers: dns17.hichina.com", "*unsigned Domain: aptaforum.com.cn Name Servers: dns18.hichina.com Registrar: \u963f\u91cc\u4e91\u8ba1\u7b97\u6709\u9650\u516c\u53f8\uff08\u4e07\u7f51\uff09Status: ok", "dns17.hichina.com", "dropbox.com - deleted victims DB post assault. Sabey + Ahmann repeatedly erased DB (ILLEGAL)", "Protected:SA\u2019r Jeffrey Scott Reimer, Mark Montano MD, John T. Sasha MD, Frederick P. Scherr , others.", "https://otx.alienvault.com/indicator/domain/qeenetic.link", "okg.and.googletagmanagers.com", "pcy.and.googletagmanagers.com", "pgj.and.googletagmanagers.com", "prb.and.googletagmanagers.com", "lkp.and.googletagmanagers.com", "jgw.and.googletagmanagers.com", "bzx.and.googletagmanagers.com", "msedge.b.tlu.dl.delivery.mp.microsoft.com", "http://prtests.ru/test.html?15%0Ahttp://profetest.ru/test.html?2%0Ahttp://qptest.ru/test.html?5%0Ahttp://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3cf71a18-f999-4372-beac-67715d51bb62?P1=1629470400&P2=404&P3=2&P4=d%2520arRdiatcalmlQRKq2gm1LlFitNgIcLpnyzCIHYtf%2520ByXQF0JNptZ0rBDMKlLL%2520qsOzZdPICJjC7MWkkdm1Hg==%0Ahttp://stafftest.ru/test.html?0%0Ahttp://iqtesti.ru/test.html?17%0Ahttp://hrtests.ru/test.html?1%0Ahttp://pstests.ru/test.html?4%0Ahttp://prtests.ru/test.html?6%0Ahttp:/", "HallRender.com | Law Firm M. Brian Sabey Esq. | Pegasus related", "TAM Legal\u2019s Christopher P. \u2018Buzz\u2019 Ahmann Esq works for State Quasi Government in tandem w/ Hall Render", "https://otx.alienvault.com/pulse/69bf8e2663d5480917ddb699", "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c", "https://otx.alienvault.com/pulse/69bea426487bffa5384c6f38", "(?) https://living-sun.com/applescript/68281-is-there-a-way-to-disable-force-quit-while-applescript-application-is-still-running-applescript-quit.html", "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c", "https://otx.alienvault.com/pulse/69b49ad5dd40a24d83cd6a72" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Win.Ransomware.WannaCry-6313787-0", "display_name": "Win.Ransomware.WannaCry-6313787-0", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147.A", "display_name": "Exploit:Win32/CVE-2017-0147.A", "target": "/malware/Exploit:Win32/CVE-2017-0147.A" }, { "id": "Trojan/JS.Redirector.QNO", "display_name": "Trojan/JS.Redirector.QNO", "target": null }, { "id": "Win.Trojan.Application-1955.", "display_name": "Win.Trojan.Application-1955.", "target": null }, { "id": "Win32:Banker-LAA\\ [Trj]", "display_name": "Win32:Banker-LAA\\ [Trj]", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win64:Expiro-AJ\\ [Inf]", "display_name": "Win64:Expiro-AJ\\ [Inf]", "target": null }, { "id": "Win.Trojan.Fugrafa-9733007-0", "display_name": "Win.Trojan.Fugrafa-9733007-0", "target": null }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.VBGeneric-6989114-0", "display_name": "Win.Trojan.VBGeneric-6989114-0", "target": null }, { "id": "VirTool:Win32/VBInject.YA!MTB", "display_name": "VirTool:Win32/VBInject.YA!MTB", "target": "/malware/VirTool:Win32/VBInject.YA!MTB" }, { "id": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]", "display_name": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]", "target": null }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Backdoor:Win32/Small.IR", "display_name": "Backdoor:Win32/Small.IR", "target": "/malware/Backdoor:Win32/Small.IR" }, { "id": "Win64:Expiro-AJ\\ [Inf]", "display_name": "Win64:Expiro-AJ\\ [Inf]", "target": null }, { "id": "Win32:Dh-A\\", "display_name": "Win32:Dh-A\\", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "Ransom:Win32/CVE-2017-0147.A", "display_name": "Ransom:Win32/CVE-2017-0147.A", "target": "/malware/Ransom:Win32/CVE-2017-0147.A" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Malware.Flystudio-6738927-0", "display_name": "Win.Malware.Flystudio-6738927-0", "target": null }, { "id": "ALF:SpikeAexR.PEVPOPC", "display_name": "ALF:SpikeAexR.PEVPOPC", "target": null }, { "id": "Sf:WNCryLdr-A\\ [Trj]", "display_name": "Sf:WNCryLdr-A\\ [Trj]", "target": null }, { "id": "Win.Ransomware.WannaCry-6313787-0", "display_name": "Win.Ransomware.WannaCry-6313787-0", "target": null }, { "id": "ransom:Win32/WannaCrypt.H", "display_name": "ransom:Win32/WannaCrypt.H", "target": "/malware/ransom:Win32/WannaCrypt.H" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" } ], "industries": [ "Government", "Legal", "Technology", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3779, "FileHash-MD5": 422, "FileHash-SHA1": 411, "FileHash-SHA256": 1824, "IPv4": 666, "domain": 979, "hostname": 2082, "CVE": 1, "BitcoinAddress": 3, "SSLCertFingerprint": 6, "email": 8 }, "indicator_count": 10181, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "27 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf864a324c12b2898c18e5", "name": "fastly/trafficmgr", "description": "A look at some of the key facts and statistics that have been reported to the internet service provider (icann) over the past seven years:. and how they have affected the web.<<>><<<< pretext i didnt write - refer to my double umbrella post for big IP data", "modified": "2026-03-22T04:18:56.895000", "created": "2026-03-22T03:22:11.640000", "tags": [ "script urls", "present jun", "present jul", "a domains", "status", "present aug", "date", "united", "present feb", "meta", "title", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 298, "FileHash-SHA1": 280, "FileHash-SHA256": 336, "IPv4": 31, "URL": 327, "domain": 548, "email": 8, "hostname": 136 }, "indicator_count": 1964, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf65566ad1032d77814945", "name": "Double Umbrella Wixc2 Followup Iocs [cloned pulse by msudosos]", "description": "", "modified": "2026-03-22T03:43:18.431000", "created": "2026-03-22T03:43:18.431000", "tags": [ "script urls", "present jun", "present jul", "a domains", "status", "present aug", "date", "united", "present feb", "meta", "title", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69bf6063da146ed025a8890f", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 148, "FileHash-SHA1": 130, "FileHash-SHA256": 186, "IPv4": 31, "URL": 324, "domain": 545, "email": 8, "hostname": 136 }, "indicator_count": 1508, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf19eaf07fe8e7478c0d85", "name": "Behavior Iocs", "description": "", "modified": "2026-03-21T23:54:08.118000", "created": "2026-03-21T22:21:30.218000", "tags": [ "html document", "unicode text", "utf8 text", "crlf", "lf line" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 106, "FileHash-SHA1": 59, "FileHash-SHA256": 663, "URL": 572, "domain": 311, "hostname": 698, "IPv4": 272, "IPv6": 12, "email": 7 }, "indicator_count": 2700, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b76c9a490b69b6a085b3", "name": "Exodus/cellbrite clone by Q Vashti", "description": "", "modified": "2026-03-12T12:54:04.160000", "created": "2026-03-12T12:54:04.160000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "6916e098df39114161354b23", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "37 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697cdce9ec418c422eee2054", "name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019", "description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.", "modified": "2026-03-01T16:05:57.375000", "created": "2026-01-30T16:31:37.011000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 7, "CVE": 1 }, "indicator_count": 9592, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "48 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6962f12c2578ca1d1f8e212f", "name": "Google_Chrome Attack related to Pahamify Pegasus Intrusive Monitoring of a Crime.Victim", "description": "Pahamify Pegasus: Google_Chrome_64bit_v136.0.7103.49.exe \nIsolated IOC\u2019s || Related to the targeting of a crime victim.\nDrive by compromise seen on old iPhone locked screen in past. Glitched Bible Gateway app access stuttered entire phone (new and updated at the time) | add pop\nups began, finally an early morning drive by compromise on locked screen \u2018Do you have a Starbucks App?) |[Issue: can only access phone if you answer. Easy mistake , powering off device may or may not have cleared screen] victim checks Bible gateway app believing it to be a malicious app DLL from Apple App Store.\n\nFirebase apps remotely installed, can access via email. other apps corrupted. Google Translate and Notepad linked directly to threat actors.\nNotepad linked to and FBI website in Loudon County, Va. Acted as fake content scraper constantly creating websites.", "modified": "2026-02-09T23:00:37.530000", "created": "2026-01-11T00:39:08.048000", "tags": [ "ipv4", "url https", "url http", "ipv6", "indicator role", "title added", "active related", "type indicator", "related pulses", "discovery", "gather victim", "information", "tool transfer", "capture", "hijacking", "t1055", "injection", "service", "manipulation", "impact", "execution", "timestomp", "tools", "usercitynewyork", "bannerid682713", "landingid702316", "countryid774749", "chrome", "google", "yahoo", "active", "indicator", "source", "ck id", "show technique", "mitre att", "ck matrix", "file", "pattern match", "internet", "error", "errore", "crypto", "compiler", "installer", "download", "hybrid", "shutdown", "strings", "erreur", "updater", "install", "yang", "downloader", "learn", "adversaries", "name tactics", "suspicious", "informative", "defense evasion", "found", "found registry", "able", "model", "united", "et trojan", "show", "search", "as15169", "get http", "intel", "ms windows", "write", "read c", "malware", "trojan", "possible", "sha1", "rgba", "size", "ascii text", "png image", "sha256", "span", "core", "date", "title", "meta", "format", "august", "general", "local", "encrypt", "root", "click", "form", "refresh", "jsme", "qsnw4im", "high", "artemis", "virustotal", "generic", "mcafee", "baidu", "drweb", "vipre", "panda", "malsinowaa", "less see", "all yara", "detections none", "mebroot", "contacted", "domains", "all related", "pulses otx", "pulses", "tags", "related tags", "file type", "pexe", "targeting", "monitored target", "pegasus" ], "references": [ "Gen:Trojan.Heur.wq5@QsnW4Im , Backdoor.Win32.Sinowal.fac , Mal/Sinowa-A ,", "Trojan.Mebroot , a variant of Win32/Mebroot.BM , Trojan:W32/Mebroot.gen!A , Trojan.Packed.2447", "Detections PSW.Sinowal.X , Win.Trojan.Sinowal-13971 , Artemis!0DF9D8682EFA ,", "Alerts: stealth_network antivirus_virustotal static_pe_anomaly", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_(64bit)_v136.0.7103.49.exe", "Google_Chrome_64bit_v136.0.7103.49.exe", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "IDS Detections: ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.google.com)", "ET TROJAN Possible VirLock Connectivity Check" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mebroot", "display_name": "Mebroot", "target": null }, { "id": "PSW.Sinowal.X", "display_name": "PSW.Sinowal.X", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2126, "domain": 492, "hostname": 913, "email": 3, "FileHash-SHA256": 953, "FileHash-MD5": 78, "FileHash-SHA1": 61, "SSLCertFingerprint": 14 }, "indicator_count": 4640, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6962b68da732abc66a0c2caf", "name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus", "description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else", "modified": "2026-02-09T19:00:09.890000", "created": "2026-01-10T20:29:01.675000", "tags": [ "ip address", "status code", "kb body", "iocs", "deny age", "cloudfront", "utc google", "tag manager", "g8t6ln06z40", "utc na", "google tag", "injection", "t1055 malware", "tree", "help v", "defense evasion", "injection t1055", "resolved ips", "get http", "dns resolutions", "v memory", "pattern domains", "full reports", "v help", "memory pattern", "urls https", "hashes", "tiktok", "microsoft", "dashboard falcon", "request", "windows nt", "win64", "khtml", "gecko", "response", "appleid", "united", "name servers", "aaaa", "servers", "moved", "script urls", "passive dns", "urls", "data upload", "extraction", "failed", "jsvendor", "jsapp", "script script", "cssapp", "jsfirebase", "pegasus", "encrypt", "title error", "ipv4", "files", "reverse dns", "united states", "malware", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "t1204 user", "script", "beginstring", "bad traffic", "et info", "null", "title", "refresh", "span", "strings", "error", "tools", "meta", "look", "verify", "restart", "mitre att", "ascii text", "pattern match", "ck matrix", "tls handshake", "hybrid", "general", "local", "path", "click", "ck techniques", "access att", "div div", "a li", "ul div", "record value", "emails", "accept", "referen https", "microsoft-falcon.net", "proxy", "status", "certificate", "updated date", "whois server", "zipcode", "entries http", "scans show", "search", "matches x", "type", "gmt cache", "all ipv4", "america flag", "america asn", "sameorigin", "urls show", "date checked", "url hostname", "server response", "google safe", "results jan", "ipv4 add", "win32mydoom jan", "trojan", "worm", "expiration date", "files show", "date hash", "avast avg", "win32mydoom", "backdoor", "found", "gmt connection", "control", "content type", "twitter", "dynamicloader", "medium", "high", "msie", "wow64", "slcc2", "media center", "write", "global", "domain name", "hostname", "apple", "racebook", "mouse movement", "remote mouse", "domain", "hostname add", "url analysis", "crlf line", "ff d5", "unicode text", "utf8", "ee fc", "yara rule", "f0 ff", "ff bb", "music", "push", "autorun", "unknown", "present sep", "present may", "present jan", "present aug", "cname", "present nov", "present jun", "apache", "body", "pragma", "found registry", "able", "model", "indicator", "source", "show technique", "file", "internet", "errore", "erreur", "download", "service", "crypto", "compiler", "installer", "yang", "updater", "shutdown", "thunk", "este", "install", "reboot", "code", "downloader", "sigur", "kanna", "der zugriff", "google", "chrome", "Pahamify Pegasus", "christoper p. ahmann", "law enforcement", "retaliation", "phone", "espionage", "united states", "m brian sabey", "quasi government", "target", "monitored targeting", "aig", "therahand (old name)", "target: tsara brashears", "douglas county, co", "sheriff", "industry and commerce", "worker\u2019s compensation", "crime", "financial crime", "danger", "nem tih", "amazon", "aws", "amazon aws", "deal", "deal with it lawfully", "pay victim", "protecting reimer" ], "references": [ "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur", "Pahamify Pegasus", "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)", "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android", "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4", "tv.apple.com", "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net", "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A", "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)", "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)", "IDS: TLS Handshake Failure", "Yara Detections BackdoorWin32Simda", "Google_Chrome_64bit_v136.0.7103.49.exe", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022", "https://wallpapers-nature.com/tsara-brashears/urlscan-io" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Virus:Win95/Cerebrus", "display_name": "Virus:Win95/Cerebrus", "target": "/malware/Virus:Win95/Cerebrus" }, { "id": "AutoRunIt", "display_name": "AutoRunIt", "target": null }, { "id": "Sigur", "display_name": "Sigur", "target": null }, { "id": "Kanna", "display_name": "Kanna", "target": null }, { "id": "Der Zugriff", "display_name": "Der Zugriff", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1134.002", "name": "Create Process with Token", "display_name": "T1134.002 - Create Process with Token" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1560.002", "name": "Archive via Library", "display_name": "T1560.002 - Archive via Library" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" } ], "industries": [ "Civil Society", "Legal", "Government", "Technology", "Telecommunications", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6094, "domain": 1195, "hostname": 2001, "FileHash-SHA256": 2598, "FileHash-MD5": 546, "FileHash-SHA1": 403, "email": 16, "CVE": 2, "SSLCertFingerprint": 3 }, "indicator_count": 12858, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69612a0df518040b20932bef", "name": "Pahamify Pegasus | Palantir Malicious delivery via Bible app downloaded from iOS App Store", "description": "Pahamify Pegasus | Requires much further research.\nWorking backwards: Targeted device had a Bible Gateway app download by target from both iOS and Android devices. As per report each time app was accessed, iOS became glitched, passwords stolen, drive by compromise on lock screen prompted target to review app. She found the app login was changed to an unknown users name. I tested a (Bible Gateway) URI to see if her belief BG was a honey pot was true. \nThis may take 2-3 more rounds of research. \nIs Pegasus. Is Palantir. Is intrusive and malicious.\n\n[OTC auto generated Title: 2 Timothy 3 NIV - But mark this: There will be terrible - Bible Gateway]", "modified": "2026-02-08T15:00:50.749000", "created": "2026-01-09T16:17:17.632000", "tags": [ "defense evasion", "cor ta0011", "techni process", "application l", "encrypted ch", "christ jesus", "just", "final charge", "timothy10", "antioch", "iconium", "lystra", "lord", "holy scriptures", "scripture", "bible gateway", "no expiration", "expiration", "a domains", "present sep", "united", "present jun", "meta", "present oct", "present aug", "servers", "title", "data upload", "extraction", "palantir foundry", "listeners", "dev", "redirects", "redirect health", "health data", "utc google", "utc na", "script", "utc amazon", "bible", "meta tags", "read", "bible reading", "trackers google", "anchor", "analyse headers", "contenttype", "transferenco", "connection", "date fri", "server", "read c", "as16509", "rgba", "unicode", "execution", "dock", "write", "persistence", "jsvendor", "jsapp", "script script", "cssapp", "jsfirebase", "moved", "urls", "pegasus", "encrypt", "script urls", "record value", "tls handshake", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "next", "capture", "malware", "unknown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "access att", "t1189 driveby", "html", "mitre att", "ck matrix", "ascii text", "pattern match", "et info", "bad traffic", "hybrid", "general", "local", "path", "click", "adversaries", "execution att", "t1204 user", "t1480 execution", "null", "refresh", "span", "strings", "error", "tools", "look", "verify", "restart", "timothy", "search", "tag manager", "g8t6ln06z40", "code", "css", "js", "router", "cloudfront", "John 12:17", "port", "yara rule", "high", "tofsee", "rndhex", "rndchar", "destination", "loaderid", "lidfileupd", "stream" ], "references": [ "https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "https://pegasus.pahamify.com/", "aptia.palantirfoundry.com \u2022 palantirfoundry.com \u2022\u2019agent-infra-mojito.palantirfoundry.com", "equilibrium.palantirfoundry.com \u2022 kt-presales.palantirfoundry.com \u2022 paloma.palantirfoundry.com", "usw-2-dev.palantirfoundry.com \u2022 lucyw.palantirfoundry.com \u2022 https://fegdip.palantirfoundry.com/", "http://dasima-containers.palantirfoundry.com/ \u2022 https://glare.palantirfoundry.com/", "https://inbound-message-listener-temporary-testing.palantirfoundry.com", "https://listeners.usw-16.palantirfoundry.com \u2022 https://pacificlife.palantirfoundry.com/", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.afa33b71-01ea-477c-bc01-f6a3ab623e9d/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/", "https://uhsinc.palantirfoundry.com/ \u2022 https://velocityglobal.palantirfoundry.com", "https://wes.palantirfoundry.com/ \u2022 http://utilities-bootcamp.palantirfoundry.com/", "http://glare.palantirfoundry.com/ \u2022 https://woodward.palantirfoundry.com/", "https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd45176426a", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd458176426a", "https://pegasus.pahamify.com/ \u2022 https://pegasus.pahamify.com/study-plan/ \u2022 pegasus.pahamify.com", "John 12:17" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Bible Gateway", "display_name": "Bible Gateway", "target": null }, { "id": "Pahamify Pegasus", "display_name": "Pahamify Pegasus", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6527, "hostname": 2450, "FileHash-SHA256": 1716, "FileHash-MD5": 245, "FileHash-SHA1": 134, "domain": 1101, "email": 3, "SSLCertFingerprint": 8 }, "indicator_count": 12184, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952d4fc6910b0b866746d8a", "name": ".NET Obfuscator, Error Reporting, DLL Merging | SmartAssembly | Spycloud", "description": "*Mirai | Currently being used maliciously. Mirai botnet work in place. Obfuscation, call redirection, evasion , chatbots, spyware , cal retrieval , typosquating , and other tactics used against victim. Red hats being unethical is expected.. This team is attacking in this instance. Screen Capture 24/7. Malicious media +++ from Englewood, Co. \n\nWhen used ethically SmartAssembly protects your code and Intellectual Property with powerful obfuscation features, and provides error reports when your application crashes in the wild, as well as a range of other tools for database management and data management.\n#palantir #foundry #denver #englewood #colorado #spycloud #mirai #botnet", "modified": "2026-01-28T18:03:54.589000", "created": "2025-12-29T19:22:36.103000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1967, "URL": 5699, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10776, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "80 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952febb1dbcf05ee601f050", "name": "Pegasus Ongoing l Cellbrite | Exodus | Brian Sabey | HallRender | Tulach (1.29.24)", "description": "", "modified": "2025-12-29T22:20:43.238000", "created": "2025-12-29T22:20:43.238000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65b80a20bbcd0eb305a740ec", "export_count": 28995, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "110 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6928f8d9e4222a6a219d785e", "name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks", "description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]", "modified": "2025-12-28T00:04:06.179000", "created": "2025-11-28T01:20:25.401000", "tags": [ "dynamicloader", "json", "ascii text", "high", "data", "x90uxa4xf8", "cape", "stream", "guard", "write", "trojan", "redline", "malware", "push", "local", "injection_inter_process", "recon_fingerprint", "persistence_ads", "process_creation_suspicious_location", "infostealer_browser", "infostealer_cookies", "stealth_file", "cape_detected_threat", "antivm_generic_bios", "cape_extracted_content", "united", "mtb jul", "a domains", "aaaa", "443 ma86400", "servers", "win32upatre jul", "virtool", "b778b1", "div div", "d9e4f4", "edf2f8", "present mar", "fastest privacy", "first dns", "win32", "trojandropper", "passive dns", "mtb nov", "ipv4 add", "asn as13335", "dns resolutions", "domain", "data upload", "extraction", "yara", "troja yara", "trojar data", "virto", "worn data", "included iocs", "manually add", "resolved ips", "ta0002", "evasion ta0005", "tr shared", "modules", "files", "infor", "t1027", "process t1057", "community score", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "name server", "date", "cloudflare", "data protected", "misc activity", "et info", "dns requests", "domain address", "gmt flag", "techtarget", "server", "et policy", "prefetch2", "t1179 hooking", "access windows", "installs", "mitre att", "ck techniques", "click", "windir", "country", "contacted hosts", "ip address", "process details", "contacted", "http traffic", "suricata alerts", "event category", "found" ], "references": [ "Malware : ClipBanker Entity: Crazy Frost", "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Services : GoogleChromeElevationService = Delete", "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap", "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap", "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap", "Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj", "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap", "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake", "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "CS IDS: Matches rule (http_inspect) invalid status line", "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.", "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube/" ], "public": 1, "adversary": "Crazy Frost", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Trojan.Disfa/downloader10", "display_name": "Trojan.Disfa/downloader10", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "Rozena", "display_name": "Rozena", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 295, "FileHash-SHA1": 217, "FileHash-SHA256": 1887, "URL": 3263, "domain": 597, "hostname": 1085, "email": 2, "CVE": 1 }, "indicator_count": 7347, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "112 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916e098df39114161354b23", "name": "Exodus l Cellbrite \u2022 Pegasus | Brian Sabey | HallRender | Tulach ", "description": "", "modified": "2025-12-14T07:05:42.106000", "created": "2025-11-14T07:56:08.872000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a76c2901b34c79a681596d", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fc1ecf2b0215ed954eb099", "name": "Nework Bind -GoBot", "description": "Coda Systems Test Probes Interfacing Components | Network Attack: \nStarts servers listening on 0.0.0.0:113\t,\nnetwork_icmp : Generates some ICMP traffic ,\nsuricata_alert : Created network traffic indicative of malicious activity ,\ndead_connect : Attempts to connect to a dead IP:Port (1449 unique times)\t,\npowershell_request: is sending data to a remote host ,\nenumerates_running_processes :Enumerates running processes ,\nprocess_needed: Repeatedly searches for a not-found process, may want to run with startbrowser=1 option\t,\nreads_self : Reads data out of its own binary image ,\nnetwork_multiple_direct_ip_connections\tMultiple dire ,\n\n [OTX auto populated - The following is the full text of the report on the findings from the Coda-systems.co.uk project, which aims to identify and identify the names of all the UK's web addresses.]", "modified": "2025-11-24T00:03:55.362000", "created": "2025-10-25T00:50:23.782000", "tags": [ "united kingdom", "unknown a", "script domains", "script urls", "passive dns", "great britain", "backdoor", "entries", "next associated", "script script", "date", "msie", "chrome", "urls", "type", "media type", "gmt content", "certificate", "pulse submit", "title", "body", "encrypt", "search", "unknown ns", "coda", "present sep", "meta", "present oct", "a domains", "test probes", "qax00x8bxc0xff", "potential scan", "medium", "infection", "port", "unusual port", "x00xc3x8d", "high", "ghost bot", "alerts", "copy", "powershell", "write", "delphi", "win32", "malware", "enumerates", "reads", "multiple", "medium ids", "exploits" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2173, "FileHash-MD5": 13, "FileHash-SHA1": 14, "FileHash-SHA256": 459, "domain": 191, "hostname": 307, "CVE": 3 }, "indicator_count": 3160, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9288e0d98f3b44c2cb90c", "name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety", "description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T18:55:10.527000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f93b1cebf80f48450bd517", "name": "Yuner - File deletion and Disk Wiping / Cyberstalking ", "description": "", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T20:14:20.632000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": "68f9288e0d98f3b44c2cb90c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d7d8ee2caff74a1759380a", "name": "Quasar - DiabloFans.com ( packed) how a YouTube follow turned into a 12 year campaign of fear & intimidation", "description": "Packed with malware, rats, droppers, bots, info stealers diablofans.com matches targets description of how attack began in 10.2013. Egregious patient abuse led national medical corporation and / or quasi entity involved to attack / silence victim. Within 48 hours of disclosure\nof events causing victim to stop treating a Guy Fawkes profile with satanic name became\nvictims YouTube follower beginning 12 year + cyber warfare attack against crime victim. Overseeing MD prompted an investigation, told target she would be targeted and to hide. The website appears to be a front for very malicious activities. Several network attack began a destructive campaign against target. Many attacks and websites , parking crews involved. All tags auto populated. Many fear tactics & attempts. . | Description: For years, DiabloFans served as a major community hub for discussing Diablo III, posting news, and sharing character builds. (shutdown? sold to curse.llc?)", "modified": "2025-10-27T11:02:05.642000", "created": "2025-09-27T12:30:38.161000", "tags": [ "diablo", "builds", "sanctuary", "season", "diablo immortal", "forums", "interactive map", "diablo iii", "environ", "trier par", "hunt", "chaos", "altar", "facebook", "hunter", "data redacted", "server", "registrar abuse", "registrant fax", "contact phone", "registrar url", "admin city", "admin country", "record type", "ttl value", "thumbprint", "gandi sas", "gandi", "cloudflare", "span", "pattern match", "getprocaddress", "script", "found https", "path", "ck id", "magic", "life", "astaroth", "damage", "meta", "lucky", "open", "footer", "ladder", "rogue", "iframe", "title", "hell", "blizzard", "fear", "class", "nightmare", "june", "comment", "reload", "twitch", "hawk", "hydra", "energy", "school", "pass", "beast", "maker", "corpse", "chat", "hatred", "critical", "mephisto", "back", "form", "druid", "shadow", "scoundrel", "core", "stone", "freeze", "light", "speed", "poison", "conduit", "charm", "lightning", "close", "fury", "steam", "blast", "raven", "wave", "horn", "team", "knight", "elite", "warp", "premium", "realm", "skull", "general", "tracker", "arcane", "basilisk", "prayer", "black", "soul", "saboteur", "bone", "exploit", "carnage", "hellspawn", "ultimate", "spark", "slow", "frozen", "immortal", "feast", "entropy", "crazy", "dead", "heat", "explosive", "blaze", "solar", "harmony", "attack", "stealth", "shell", "mother", "overkill", "rage", "werewolf", "service", "anomaly", "drop", "eclipse", "android", "wind", "spirit", "face", "fractured", "pandora", "strange", "demon", "eternal", "crystal", "cold", "false", "window", "format", "click", "strings", "comi", "sector", "learn", "adversaries", "calls", "name tactics", "suspicious", "informative", "defense evasion", "reads", "command", "model", "stop", "spawns", "development att", "flag", "name server", "canada canada", "united", "enom", "redacted for", "privacy name", "organization", "script urls", "name servers", "a domains", "emails", "unknown ns", "sweet heart", "sec ch", "media", "encrypt", "passive dns", "next associated", "ipv4 add", "urls", "files", "hosting", "reverse dns", "dynamicloader", "high", "medium", "windows", "displayname", "tofsee", "yara rule", "loaderid", "startsrv", "lidfileupd", "stream", "port", "destination", "win64", "write", "malware", "ip address", "domain", "hostname add", "search", "packing t1045", "module load", "delete", "write c", "trojan", "win32", "next", "dns query", "icmp traffic", "moved", "servers", "germany unknown", "present mar", "accept", "gmt content", "a li", "main", "error", "lowfi", "present aug", "present sep", "present jul", "unknown aaaa", "record value", "content type", "htm align", "param", "gmt server", "france", "france unknown", "url analysis", "location france", "langchinese", "rticon", "pe resource", "t1045", "ascii text", "cape", "delete c", "redline malware", "guard", "redline", "defender", "push", "backdoor", "present apr", "trojandropper", "dns resolutions", "smoke loader", "hacktool", "windows auto", "attempts", "explorer", "win32autoit mar", "location united", "ip whois", "verdict", "entries", "aaaa", "domain add", "present feb", "present oct", "users", "yara detections", "recycle bin", "pe section", "as54113", "read", "copy", "ufffduf1a3", "looks", "xrat1", "quasar", "powershell", "code", "ids detections", "tls sni", "contacted", "installs", "checks", "windows startup", "vendor finding", "notes clamav", "files matching", "number", "http request", "post", "url host", "port method", "user agent", "internalsapiip", "okrnserver", "ubuntu", "hash", "alerts", "present jun", "mtb jun", "date", "cname", "creation date", "ukraine" ], "references": [ "DiabloFans.com", "Every tag OTC auto populated . Crazy talk. Please see Mitre ATT&CK", "twitter.com \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 www.pornhub.com \u2022 oriental-porno.lat", "https://pin.it/ \u2022 pin.it a fake Pinterest for Tsara Brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "http://www.sweetheartvideo.com/tsara-brashears \u2022 https://www.sweetheartvideo.com/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing \u2022 www.anyxxxtube.net", "init.ess.apple.com \u2022otc.greatcall.com (phone manipulators) \u2022 mailtrack.io \u2022 https://trackacourier.net", "https://www.youtube-nocookie.com/embed/6w5ukhqvtmq", "https://www.youtube.com \u2022 https://www.youtube.com/user/CurseDiablofans", "https://www.youtube-nocookie.com/embed/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "ALF:Trojan:Win32/VTFlooder", "display_name": "ALF:Trojan:Win32/VTFlooder", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Win.Dropper.Vbclone-10036195-0", "display_name": "Win.Dropper.Vbclone-10036195-0", "target": null }, { "id": "ALF:HeraklezEval:Worm:Win32/Vobfus", "display_name": "ALF:HeraklezEval:Worm:Win32/Vobfus", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "ALF:Trojan:Win32/G3nasom!imp", "display_name": "ALF:Trojan:Win32/G3nasom!imp", "target": null }, { "id": "Unidentified 083 (AutoIT Stealer)", "display_name": "Unidentified 083 (AutoIT Stealer)", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null } ], "attack_ids": [ { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1201", "name": "Password Policy Discovery", "display_name": "T1201 - Password Policy Discovery" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 656, "FileHash-SHA256": 2354, "hostname": 499, "URL": 1319, "email": 21, "FileHash-MD5": 766, "FileHash-SHA1": 748, "SSLCertFingerprint": 10 }, "indicator_count": 6373, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "174 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d40c9a87988555c2e23626", "name": "Described as \u2018Haunted\u2019 - Ransom & espionage continues to plague residential communities | HighMark Residential", "description": "A national apartment apartment and townhome community that describes itself as luxury has developed such a poor reputation for poor conditions, communication, discrimination, a belief legal entities are running communities some which have been converted hospitals has a terrible spyware , ransom problem they seem unwilling to address. Compromised to the hilt & famously known to have its own Reddit thread dedicated to a haunted\u2019 Denver community our team has researched in the past. Denver community had a compromise that likely brought attention to or spearheaded the AT&T outage. whitesky.us or the outage was a coincidence.\n\nConcerns about espionage, passwords, outages, ransomware. \ntips from former residents from Phoenix, Texas and Utah in on weekend. Broad research required.\nThailand live?", "modified": "2025-10-24T14:04:50.784000", "created": "2025-09-24T15:22:02.262000", "tags": [ "encrypt", "residential", "benefits", "contact us", "email", "denver highmark", "windows nt", "dynamicloader", "generic http", "exe upload", "medium", "host", "inbound", "trojan", "write", "markus", "malware", "checkin", "trojandropper", "mtb sep", "united", "passive dns", "win32upatre sep", "ipv4", "reverse dns", "alerts", "av detections", "ids detections", "yara detections", "high", "dynamic", "reads", "pe file", "checks system", "write c", "a domains", "gmt server", "certificate", "hostname add", "url analysis", "title", "apache", "name servers", "ip address", "emails", "servers", "users", "recycle bin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "t1480 execution", "windir", "openurl c", "eregec4", "kl0hsy", "pattern match", "ascii text", "mitre att", "ck matrix", "t1057", "prefetch2", "yara signature", "general", "local", "path", "click", "ipv4 add", "urls", "files", "outbound", "cname", "apache x", "powered", "modified", "moved", "body doctype", "content type", "accept", "script script", "script urls", "queue security", "script begin", "url add", "http", "hostname", "files domain", "files related", "related tags", "dominet", "record value", "domain", "meta", "gmt etag", "pulse submit", "alive thailand", "xml title", "x tec", "html public", "show", "copy", "pe section", "contacted", "md5 add", "pulse pulses", "analysis date", "file score", "search", "win64", "khtml", "gecko", "json", "themida", "download", "next", "public folder", "windows", "highest", "a file", "checks adapter", "mpgph131 hr", "hourly rl", "mpgph131 lg", "onlogon rl", "entries", "checks", "high automated", "ollydbg", "gbdyllo", "file monitor", "process monitor", "cape", "related nids", "files location", "flag united", "pulses none", "next associated", "hosting", "33", "customercare" ], "references": [ "IDS Detections: Win32/Vflooder.B Checkin | Virus Total vtapi DOS" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Trojandownloader:Win32/Upatre", "display_name": "Trojandownloader:Win32/Upatre", "target": "/malware/Trojandownloader:Win32/Upatre" }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "ALF:Trojan:Win32/G3nasom!imp", "display_name": "ALF:Trojan:Win32/G3nasom!imp", "target": null }, { "id": "Trojandropper:Win32/Muldrop.V!MTB", "display_name": "Trojandropper:Win32/Muldrop.V!MTB", "target": "/malware/Trojandropper:Win32/Muldrop.V!MTB" }, { "id": "Themida", "display_name": "Themida", "target": null }, { "id": "TEL:CreateScheduledTask.A!Sigattr", "display_name": "TEL:CreateScheduledTask.A!Sigattr", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1595.001", "name": "Scanning IP Blocks", "display_name": "T1595.001 - Scanning IP Blocks" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3081, "FileHash-MD5": 756, "FileHash-SHA1": 724, "FileHash-SHA256": 3089, "domain": 1476, "email": 8, "hostname": 1198, "SSLCertFingerprint": 3 }, "indicator_count": 10335, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c5e45fc1d3140ac91158ec", "name": "Drive by Compromise adversely impacted Social Media accounts", "description": "Exploitation to control at least one targeted users Social Media accounts, photo albums, clouds. Many deleted accounts, family photos, digital media, financial data, views, followers, intellectual property deleted and distributed to other artists , redirects. YouTube, Google, Spotify, Meta , Facebook.\n\nMonitored target. Crime: in the receiving end of an assaulters uncontrolled pelvis.\n\nRequires further research.\n#tag #framing #intellectual_property #theft #digital_attack", "modified": "2025-10-13T21:18:10.129000", "created": "2025-09-13T21:38:39.818000", "tags": [ "tries indicator", "loading", "script urls", "present sep", "meta", "script domains", "443 ma2592000", "certificate", "response ip", "address google", "present jun", "body", "encrypt", "utc na", "utc facebook", "custom audience", "utc google", "tag manager", "gtmnf34hh2d", "utc gb4qwskls89", "language", "html internet", "html document", "unicode text", "utf8 text", "crlf", "lf line", "doctype", "algorithm", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr10", "validity", "subject public", "resolved ips", "http traffic", "iframe src", "https http", "access ta0001", "t1189 severity", "info found", "command", "control ta0011", "protocol t1071", "match low", "info", "talents", "get http", "dns resolutions", "mitre att", "ip traffic", "pattern domains", "pattern urls", "tls sni", "youtube", "spotify", "social media", "google", "sabey type", "rexx type", "foundry type", "initial access", "paypal", "monitored target", "hallrender resources", "brian sabey charge", "quasi" ], "references": [ "https://forward.ro/talents/mira/ redirects to forward.ro", "Resolves to a suspicious TLD - \t encore.scdn.co", "Iframe src: https://www.youtube.com/embed/nuxT76ndwYY", "Iframe src: https://open.spotify.com/embed/artist/2nMFC7hWK0haX8ilvRpb59?utm_source=generator", "Iframe src: https://www.youtube.com/embed/SEBW2mh1jvY", "Iframe src: https://www.youtube.com/embed/o8_jPaXfxWY", "Dates back to a malicious ongoing Brian Sabey HallRender attacks using various malicious resources", "partnerapi.spotify.net \u2022 youtube.ru" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Media", "Technology", "Government", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 179, "domain": 55, "hostname": 121, "FileHash-SHA1": 3, "FileHash-SHA256": 560, "FileHash-MD5": 112, "email": 4 }, "indicator_count": 1034, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689cc89e77327602780be49e", "name": "Remotewd Devices \u2022 Spectrum / Charter Communications & AT&T", "description": "Remotewd Devices expanded \u2022 Spectrum / Charter Communications & AT&T.\nAdvesarial. Polymorphic.", "modified": "2025-09-12T16:05:33.542000", "created": "2025-08-13T17:17:18.456000", "tags": [ "url https", "domain", "types of", "united kingdom", "sweden", "virgin islands", "china", "germany", "date", "status", "ip address", "search", "domain add", "passive dns", "urls", "files", "error sep", "present jul", "address google", "safe browsing", "united", "unknown ns", "moved", "body", "cloudfront x", "hio52 p1", "certificate", "win32", "trojan", "entries", "next associated", "title error", "ipv4", "host gh", "secure path", "httponly cache", "x github", "request id", "accept", "encrypt", "formbook cnc", "checkin", "a domains", "lowfi", "mtb jun", "github pages", "as11427", "us note", "route", "ptr record", "hostname add", "url analysis", "verdict", "general info", "geo mckinney", "texas", "spectrum", "charter communications", "charter collection", "auth", "files ip", "address", "asn as16509", "record value", "germany unknown", "meta", "gmt cache", "sans400", "condensed300", "feel lost", "h1 div", "server", "gmt connection", "keep alive", "pragma", "ipv4 add", "url add", "http", "related nids", "files location", "flag united", "unknown aaaa", "china unknown", "beijing", "unknown soa", "hostname", "present aug", "name servers", "aaaa", "windows nt", "dynamicloader", "generic http", "exe upload", "inbound", "outbound", "host", "medium", "write", "markus", "malware", "files domain", "files related", "related tags", "none google", "showing", "error", "extraction", "se enter", "sc type", "data upload", "failed", "extr data", "ox sunnort", "include review", "exclude data", "iocs", "pdf report", "pcap", "stix", "openloc", "pul data", "move", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "pattern match", "ascii text", "show technique", "null", "refresh", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "class", "adversaries", "defense evasion", "initial access", "msie", "chrome", "gmt content", "main", "virtool", "idran anv", "exti", "concor referen", "running webserver", "review iocs", "suggested iocs", "show", "http traffic", "intel", "ms windows", "pe32", "high", "write c", "explorer", "unknown", "worm", "next", "comman_and_control", "et", "vtapi", "dos", "persistence", "polymorphic", "virus", "device", "script", "style", "endcolorstr", "regexp", "link", "powershell", "form", "push", "active", "remote_access", "general full", "protocol h2", "security tls", "austin", "asn7018", "attinternet4", "reverse dns", "software", "domains", "hashes", "at&t", "injection", "rwx", "hackers", "attack", "cape", "stealth hidden extension", "antivm generic", "cape detected", "threat stealth", "public folder", "deletes", "files anomalous", "disables system", "restore dead", "mail procmem", "yara suricata", "queries user name" ], "references": [ "Remotewd.com research - Devices under command and control. Malicious / adversarial | 3000 + devices in Pulse", "https://hybrid-analysis.com/sample/713944cb1accb541622bf99d55f34876b5ff13d042c6c203bab89632a15b9248/689c0eca8dd0033cbb064d12", "device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com TWC-11427-TEXAS, US \u2022 Spectrum", "Geo\tMcKinney, Texas, United States (US) \u2014 AS \u2022AS11427 - TWC-11427-TEXAS, US", "Note: An IP might be announced by multiple ASs.Spectrum | Charter Communications", "This is not shown. Route \u2022 184.92.0.0/16 (Route of ASN) PTR", "syn-184-092-221-096.res.spectrum.com(PTR record of primary IP) IPv4\t184.92.221.96", "https://urlscan.io/domain/device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com", "truist.palantirfoundry.com \u2022 nissansandbox.palantirfoundry.com", "device-7de2fab7-44a1-494e-8f36-8d135628c33a.remotewd.com 104.190.139.162 AT&T", "Stealth Hiddenreg Cape Detected Threat Stealth Timeout Accesses Public Folder Deletes", "Executed Files Anomalous Deletefile Dropper Disables System Restore Dead Connect", "Infostealer Cookies Infostealer Mail Procmem Yara Suricata Alert Modify Proxy Powershell", "Ransomware File Modifications Exec Crash", "Location Antisandbox Sleep Antidebug Setunhandledexceptionfilter Packer Unknown Pe Section Name Packer Entropy Network Bind Antivm Network Adapters Http Request Infostealer Browser Recon Fingerprint Antivm Checks Available Memory Antivm Generic Bios Reads Self Polymorphic Enumerates Physical Drives Network Http Network Cnc Http Antivm Bochs Keys", "Request Queries Keyboard Layout Antivm Generic Disk Resumethread", "Remote Process Static Pe Anomaly Https Urls Virus Process Creation Suspicious", "Contains Pe Overlay Queries Locale Api Language Check Registry" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "VirTool:Win32/Obfuscator.JM", "display_name": "VirTool:Win32/Obfuscator.JM", "target": "/malware/VirTool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Cycbot-1584", "display_name": "Win.Trojan.Cycbot-1584", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6171, "domain": 1823, "hostname": 3155, "email": 8, "FileHash-SHA256": 950, "FileHash-MD5": 345, "FileHash-SHA1": 317, "CVE": 1, "CIDR": 1, "SSLCertFingerprint": 1 }, "indicator_count": 12772, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689af6a1704fa2745bc8c2a3", "name": "Hijacked Twitter / X.com account. Phishing | Abnormal use", "description": "Hijacked phishing Twitter/ X.com.\nWin32/Unruy.C Activity\n#phishing #hijacked #intercoms #unruy #trojan #VTflood #malware #attack", "modified": "2025-09-11T08:02:36.759000", "created": "2025-08-12T08:09:05.642000", "tags": [ "log id", "gmtn", "secure", "tls web", "passive dns", "urls", "path", "self", "encrypt", "ca issuers", "false", "search", "read c", "united", "entries", "show", "showing", "msie", "windows nt", "wow64", "slcc2", "copy", "write", "suspicious", "malware", "unknown", "process32nextw", "shellexecuteexw", "medium process", "discovery t1057", "t1057", "discovery", "medium", "locally unique", "identifier", "veailmboprd", "next associated", "ipv4 add", "pulse pulses", "files", "asn as13335", "dns resolutions", "domains top", "smoke loader", "trojan", "body", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "show process", "programfiles", "command decode", "flag", "suricata ipv4", "mitre att", "show technique", "ck matrix", "date", "comspec", "model", "twitter", "august", "hybrid", "general", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1504, "FileHash-SHA256": 1232, "SSLCertFingerprint": 14, "domain": 245, "hostname": 526, "FileHash-MD5": 43, "FileHash-SHA1": 38 }, "indicator_count": 3602, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68923ea4efbf58b7ba48acec", "name": "Hosted App", "description": "", "modified": "2025-09-04T16:03:17.037000", "created": "2025-08-05T17:25:56.454000", "tags": [ "issuer wr3", "log id", "gmtn", "abn timestamp", "ad180b80", "full name", "extensionsstr", "web server", "ca issuers", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "mitre att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "ascii text", "pattern match", "show technique", "date", "format", "august", "hybrid", "local", "path", "click", "strings", "flag", "usa windows", "hwp support", "march", "december", "united", "markmonitor", "overview dns", "requests domain", "country", "contacted hosts", "ip address", "process details", "t1179 hooking", "access windows", "installs", "control att", "found", "development att", "name server", "show process", "programfiles", "command decode", "suricata ipv4", "ck matrix", "comspec", "model", "general", "dynamicloader", "unknown", "as16509", "whitelisted", "medium", "write c", "as15169", "search", "high", "write", "android", "malware", "copy", "next", "formbook cnc", "checkin", "entries", "passive dns", "next associated", "site", "neue", "ipv4", "pulse pulses", "exploit", "trojan", "virtool", "body", "refer", "present dec", "epub", "present jan", "present nov", "present oct", "showing", "urls show", "win32", "win64", "date checked", "url hostname", "server response", "google safe", "prefetch8", "localappdata", "prefetch1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3409, "hostname": 4127, "URL": 8408, "SSLCertFingerprint": 9, "FileHash-SHA256": 1175, "FileHash-MD5": 144, "FileHash-SHA1": 134, "CVE": 2 }, "indicator_count": 17408, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6891980740656e8b21b31d0a", "name": "Tracker | Mirai | Virtool | Tofsee | Phishing +", "description": "Tracker found in \u2018alleged \u2018 Jefferson County, Co website also a single link was found in a collection of phishing websites by a OTX researcher in 2023. \nI can\u2019t comment much. \n#overreach\n#https://reviewable.io/reviews/palantir/godel-conjure-plugin/549", "modified": "2025-09-04T05:03:13.563000", "created": "2025-08-05T05:35:03.786000", "tags": [ "url https", "passive dns", "urls", "url add", "pulse pulses", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "date", "for privacy", "redacted for", "status", "hostname add", "pulse submit", "url analysis", "files", "united", "entries", "search", "unknown aaaa", "overview ip", "address", "location united", "asn as35916", "whois registrar", "showing", "next associated", "meta http", "content", "index", "th th", "443 ma2592000", "body", "ip address", "asn as54113", "name servers", "expiration date", "resources whois", "urlvoid", "related", "comments", "whois show", "present jun", "script urls", "enom", "record value", "certificate", "formbook cnc", "checkin", "neue", "ipv4", "exploit", "trojan", "virtool", "ransom", "win32", "ipv4 add", "unknown cname", "unknown ns", "script domains", "meta", "config", "associated urls", "show", "date checked", "url hostname", "server response", "google safe", "results jul", "next http", "present may", "present oct", "present jul", "aaaa", "present sep", "domain", "creation date", "expiration", "url http", "present dec", "present jan", "reverse dns", "present mar", "present nov", "a domains", "verdict", "files ip", "next related", "domains show", "domain related", "cryp", "date hash", "avast avg", "entries related", "mtb may", "trojandropper", "lowfi", "gmt cache", "sameorigin", "files show", "none google", "safe browsing", "death", "indicator facts", "historical otx", "twitter running", "open ports", "memcommit", "medium", "read c", "post http", "delete", "windows nt", "malware", "copy", "write", "msie", "chrome", "backdoor", "junkpoly", "worm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4488, "hostname": 1442, "domain": 746, "email": 6, "FileHash-SHA256": 1122, "FileHash-MD5": 345, "FileHash-SHA1": 337, "CVE": 2 }, "indicator_count": 8488, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68919fdceabd582b8502932b", "name": "Reviewable.io w/ Palantir plugin - Malicious IoC\u2019s", "description": "", "modified": "2025-09-04T05:03:13.563000", "created": "2025-08-05T06:08:28.757000", "tags": [ "united", "formbook cnc", "checkin", "entries", "passive dns", "next associated", "neue", "ipv4 add", "pulse pulses", "urls", "exploit", "trojan", "virtool", "body", "files", "ip address", "location united", "asn as54113", "less whois", "registrar", "gandi sas", "creation date", "pulses", "present aug", "unknown ns", "search", "showing", "record value", "domain id", "files show", "date hash", "avast avg", "win32", "win64", "certificate", "error", "present showing", "next http", "scans show", "france unknown", "name servers", "date", "hostname", "pulse submit", "url analysis", "dynamicloader", "show", "vwu codeoverlap", "yara detections", "medium", "delete", "default", "copy", "write", "dupzom", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 366, "domain": 161, "hostname": 253, "FileHash-MD5": 204, "FileHash-SHA1": 201, "FileHash-SHA256": 328, "CVE": 2 }, "indicator_count": 1515, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6888768d35eb54a4565a6dcb", "name": "Ransomware & Espionage continues to affect Residential Community", "description": "Multi block Residential Community in Denver Colorado is affected by frequent outages. Reports of unlocked iPhones, young men running around with circuit boards. There is some type of crime operation going on. I\u2019ve been advised that f Adverary in the Middle attacks as well as law firm spying on??? #LowFiObscureDllRead\nTrojanspy:Win32/Banker.LY", "modified": "2025-08-28T07:00:53.019000", "created": "2025-07-29T07:21:49.809000", "tags": [ "type indicator", "role title", "added active", "related pulses", "url https", "entries", "united", "unknown aaaa", "script urls", "a domains", "present jul", "date", "passive dns", "ip address", "search", "pragma", "encrypt", "port", "rule generator", "zeppelin", "pe32", "intel", "ms windows", "show", "delphi", "trojanspy", "win32", "copy", "write", "malware", "example intl", "setup file", "regsetvalueexa", "writeconsolew", "medium", "example setup", "regdword", "high", "windows", "fjlsedauv", "ransom", "ransomware", "persistence", "execution", "service" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1067", "name": "Bootkit", "display_name": "T1067 - Bootkit" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 110, "FileHash-SHA1": 112, "FileHash-SHA256": 299, "URL": 127, "domain": 119, "hostname": 41 }, "indicator_count": 808, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "675a22ff1990233e1767b19a", "name": "http://www.vgt.pl/fontfafontawesomewebfont.woffv_4.7.0.html 9cdbd0924ba143b32f330a35d6fd3e3ab5294b93c83fc5702532afeed730fa20", "description": "https://www.vgt.pl/font/fa/fontawesome-webfont.woff2?v=4.7.0\nhttp://www.vgt.pl/fontfafontawesomewebfont.woffv_4.7.0.html", "modified": "2025-08-27T04:01:15.048000", "created": "2024-12-11T23:40:47.437000", "tags": [ "skrt md5", "typ mime", "nazwa pliku", "rozmiar pliku", "skrt sha256", "skrt sha3384", "skrt sha1", "pierwszy raz", "utc ostatnio", "nigdy typ", "mozilla", "meta nazwa" ], "references": [ "https://app.threat.zone/submission/b6f70460-ccaf-4acb-8bf0-f0e03", "https://report.netcraft.com/submission/S0M8EqQONEulzSL3S9osDrxbx", "https://app.threat.zone/submission/6f654ad8-9723-4a3e-9977-4b953", "https://viz.greynoise.io/ip/analysis/582cd318-1d3f-47bc-9b07-8cf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 143, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 40, "FileHash-SHA256": 361, "domain": 1872, "hostname": 1642, "URL": 2470 }, "indicator_count": 6534, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "235 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686a1f2dab47342691c71bec", "name": "Lumma Stealer attacking Telegram (t.me) & Dropbox", "description": "Lumma Stealer, CNC, critical multiple malware IoC\u2019s attack. Telegram, remote Dropbox stealing among multiple targeted attacks. Dropbox spyware. \nNitrogen ransomware present.\n#apple_webkit #chrome #steam #lumma #ransom #stealer", "modified": "2025-08-05T06:03:08.761000", "created": "2025-07-06T07:01:01.459000", "tags": [ "server response", "petya", "ransom", "lumma", "rozena", "dynamicloader", "domain", "dns lookup", "related cnc", "et malware", "medium", "search", "tls sni", "stealer related", "show", "write", "win64", "suspicious", "wave", "unknown", "malware", "path", "desktop", "copy", "next", "nitrogen", "snake", "learn", "command", "ck id", "name tactics", "informative", "spawns", "found", "defense evasion", "t1480 execution", "united", "flag", "server", "date", "contacted hosts", "ip address", "process details", "austria austria", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "show process", "network traffic", "utf8", "crlf line", "general", "local", "present jul", "aaaa", "virgin islands", "antigua", "status", "org domains", "proxy", "code", "present apr", "date checked", "url hostname", "server response", "google safe", "results apr", "files show", "date hash", "avast avg", "msil", "trojandropper", "themida jun", "win32", "entries", "passive dns", "urls", "files", "barbuda asn", "multiple attacks", "tls handshake", "failure", "high", "windows", "dropbox", "telegram", "connections dropped", "a domains", "servers", "certificate", "moved", "dropbox", "lutimanisdk", "trojan", "body", "present jun", "error", "bad traffic", "redirects", "creation date", "showing", "next associated", "spyware", "link", "meta", "script", "gmt contenttype", "lowfi", "hookwowlow jun", "a li", "ul div", "dropbox plus", "div div", "span span", "erreur", "span", "window", "adobe systems", "stock photos", "adobe stock", "photos cs3", "yara detections", "april", "synapse", "installer", "apple", "steam community", "apple webkit", "dropbox 4xx" ], "references": [ "146.112.61.107 (146.112.48.0/20) AS 36692 ( CISCO UMBRELLA ) US", "IDS Detections: Win32/Lumma Stealer Related \u2022 CnC Domain in DNS Lookup (pacwpw .xyz)", "Lumma Stealer CNC {FILEHASH SHA256 bc9c5c8dfdcf0d2a321478207b0870274fba25b93075fc987768623237973646} t.me / Dropbox", "Win32/Lumma Stealer Related CnC Domain in DNS Lookup (comkxjs .xyz) (unurew .xyz) (trsuv .xyz)", "Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sqgzl .xyz) (cexpxg .xyz) (cexpxg .xyz) (urarfx .xyz)", "Win.Exploit.Rozena {FileHash-SHA256 21fb4fdce85ab75430e18d9362a35f61dcaeb628c28836403472c054d6ceab8c}", "Lumma Stealer https://t.me/pizdenka202020 / t.me", "Query to a *.top domain - Likely Hostile\t192.168.122.95\t1.1.1.1\t\t\t\t SHOWING 1 TO 22 OF 22 ENTRIES HTTP Request Get 1 Post 2 Put 0 Delete 0 URL HOST PORT METHOD USER AGENT https://steamcommunity.com/profiles/76561199863199067\tsteamcommunity.com\t443\tGET\tN/A { \"src\": \"192.168.122.95\", \"sport\": 49227, \"dst\": \"23.59.52.127\", \"dport\":, \"protocol\": \"https\", \"method\": \"GET\", \"host\": \"steamcommunity.com\", \"uri\": \"/profiles/76561199863199067\", \"status\": 200, \"request\": \"GET /profiles/7656119986319", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Safari/537.36", "(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 30038 Host: accsrf.top" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Exploit.Rozena", "display_name": "Win.Exploit.Rozena", "target": null }, { "id": "ALF:Ransom:Win32/Petya.SIB!MTB", "display_name": "ALF:Ransom:Win32/Petya.SIB!MTB", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Nitrogen Loader", "display_name": "Nitrogen Loader", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Themida.", "display_name": "Themida.", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1036.003", "name": "Rename System Utilities", "display_name": "T1036.003 - Rename System Utilities" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1590.002", "name": "DNS", "display_name": "T1590.002 - DNS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 130, "FileHash-SHA1": 110, "FileHash-SHA256": 119, "URL": 237, "domain": 64, "SSLCertFingerprint": 5, "hostname": 63, "email": 2 }, "indicator_count": 730, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688b0fbceab364a2b84b1124", "name": "Busybox MIORI Hackers - ongoing Aurora , Medical Campus -Mirai [by scoreblue -Team 8]", "description": "", "modified": "2025-07-31T06:39:56.204000", "created": "2025-07-31T06:39:56.204000", "tags": [ "idnischdr http", "computer", "america asn", "as7018 att", "url https", "america", "united states", "united", "germany", "italy", "trojan", "all scoreblue", "report spam", "created", "trojanspy", "worm", "trojanclicker", "virtool", "service", "all search", "author avatar", "miori hackers", "file score", "detections elf", "path", "busybox busybox", "brute force", "attack bad", "login yara", "detections", "sid name", "malware cve", "suspicious path", "busybox", "activity", "system", "malware beacon", "bad login", "attack", "port", "destination", "show", "search", "exif data", "property value", "elf info", "key value", "x86 baddr", "elf64 crypto", "final url", "ip address", "status code", "body", "kb body", "sha256", "server", "gmt connection", "date sun", "gmt contenttype", "filehashsha256", "crazy doll", "next", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "cus stcolorado", "info", "director", "orgtechhandle", "orgtechref", "university", "whois lookup", "netrange", "nethandle", "net168", "net1680000", "ucha", "network", "registry arin", "country us", "continent na", "meta", "script script", "lance mueller", "mueller", "unknown", "script urls", "photography", "passive dns", "urls", "model", "creation date", "hostname", "pulse submit", "url analysis", "files", "domain", "status", "http", "record value", "emails", "dnssec", "domain name", "backdoor", "bad request", "entries", "title style", "f2f2f2 color", "helvetica neue", "exploit", "browse scan", "endpoints all", "search otx", "related pulses", "file samples", "files matching", "as44273 host", "showing", "telper", "date hash", "copyright", "url http", "win64", "as53665 bodis", "aaaa", "as206834 team", "canada unknown", "read c", "create c", "write c", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "dock", "write", "execution", "copy", "xport", "1575038779", "medium", "capture", "malware", "february", "as61969 team", "servers", "domain robot", "expiration date", "as714 apple", "as42 woodynet", "nxdomain", "name servers", "a nxdomain", "ipv4", "found", "control", "content type", "as20940", "asnone united", "as701 verizon", "as2914 ntt", "win32", "certificate", "date", "dynamicloader", "high", "t1055", "attempts", "yara detections", "bitcoinaltcoin", "code injection", "high defense", "ip related", "pulses otx", "pulses", "overview domain", "files ip", "address domain", "related tags", "pulse pulses", "div div", "as49505", "span", "form", "as6185 apple", "china", "as4812 china", "as17816 china", "as4134 chinanet", "scan endpoints", "trojan features", "enigmaprotector", "dynamic", "powershell", "filehash", "for privacy", "ltd dba", "com laude", "cname", "cve20170147 sep", "verdict", "as63949 linode", "https", "as8075", "united kingdom", "whitelisted", "as25825", "moved", "aurora", "redacted for", "whois lookups", "orgid", "east", "seen", "update date", "cidr", "netname uch", "parent net168", "nettype direct", "contacted", "tulach", "brian sabey" ], "references": [ "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ || [Trj] http://itsupport.uchealth.org/", "ELF:Mirai-TO\\ [Trj] 12.111.210.191 | United States of America ASN AS7018 att services inc", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "ELF:Mirai-TO\\ [Trj] tulach.cc", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "IDS Detections: busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox", "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "Yara Detections: is__elf", "168.200.5.0/24: Autonomous System Number :18693 || Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US", "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63", "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com", "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net ns2.parkingcrew.net", "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend", "Title The page title. Chieti Meteo - Webcam Abruzzo", "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55", "savethemalesdenver.com | brasville.com.br?", "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org", "Basic Properties Regional Internet Registry ARIN Country US Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US", "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:", "Address 198.185.159.144 , 198.185.159.145 , 198.49.23.144 , 198.49.23.145", "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com", "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit", "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin", "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request", "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)", "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349", "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584", "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912", "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910", "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556 | http://girlsandtheir.webcam/&_=1727665483552", "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.", "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam", "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4", "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com", "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net", "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com", "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3", "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector , xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg", "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644", "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security", "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies deletes_executed_files infostealer_bitcoin injection_createremotethread", "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com", "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com" ], "public": 1, "adversary": "busybox MIORI Hackers", "targeted_countries": [ "United States of America", "Mexico" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Bulilit", "display_name": "TrojanDownloader:Win32/Bulilit", "target": "/malware/TrojanDownloader:Win32/Bulilit" }, { "id": "ELF:Mirai-TO\\ [Trj]", "display_name": "ELF:Mirai-TO\\ [Trj]", "target": null }, { "id": "Backdoor:Linux/Mirai.B", "display_name": "Backdoor:Linux/Mirai.B", "target": "/malware/Backdoor:Linux/Mirai.B" }, { "id": "TELPER:HSTR:DotCisOffer", "display_name": "TELPER:HSTR:DotCisOffer", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Backdoor:Win32/Bladabindi", "display_name": "Backdoor:Win32/Bladabindi", "target": "/malware/Backdoor:Win32/Bladabindi" }, { "id": "ALF:E5", "display_name": "ALF:E5", "target": null }, { "id": "Win.Malware.Midie-9950743-0", "display_name": "Win.Malware.Midie-9950743-0", "target": null }, { "id": "Trojan:Win32/Emotet.ARJ!MTB", "display_name": "Trojan:Win32/Emotet.ARJ!MTB", "target": "/malware/Trojan:Win32/Emotet.ARJ!MTB" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": "66fb3c4e8a2593134641f3c0", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 459, "FileHash-MD5": 1228, "FileHash-SHA1": 1163, "FileHash-SHA256": 2243, "domain": 876, "hostname": 1088, "CIDR": 2, "email": 17, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 7083, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "262 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68743733a69ce827f6156f5c", "name": "W3.org | Google Spy engine | Tracking, Malware Repository | www.W3.org https://www.searchw3.com/ > ww.google.com.uy", "description": "", "modified": "2025-07-13T22:46:11.685000", "created": "2025-07-13T22:46:11.685000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6688e0ffb31d4881f3238713", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "279 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68451577ada8bb0aa0834edb", "name": "X - Business Social Media Account used to attack victim", "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.", "modified": "2025-07-08T04:03:04.386000", "created": "2025-06-08T04:45:43.423000", "tags": [ "trojan", "ids detections", "yara detections", "alerts", "analysis date", "file score", "upxoepplace", "pulses none", "related tags", "none file", "markus", "april", "win32", "copy", "usvwu", "usvw", "high", "medium", "show", "uss c", "binary file", "yara", "write", "delphi", "enigma", "present mar", "aaaa", "united", "passive dns", "date", "present nov", "moved", "urls", "creation date", "entries", "body", "trojandropper", "susp", "msr jul", "next associated", "pulse pulses", "mtb jun", "backdoor", "content length", "html document", "ascii text", "search", "internalname", "entries pe", "showing", "filehash", "md5 add", "av detections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "encrypt", "june", "hybrid", "local", "path", "click", "twitter", "strings", "url https", "url http", "report spam", "created", "hours ago", "bad actor", "ck ids", "t1057", "discovery", "t1071", "amer", "ipv4", "indicator role", "title added", "active related", "pulses", "china", "hong kong", "russia", "type indicator", "role title", "added active", "related pulses", "pulses url", "filehashsha256", "url add", "http", "ip address", "related nids", "files location", "flag united", "domain", "hostname", "next", "filehashmd5", "protocol", "t1105", "tool transfer", "t1480" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 637, "FileHash-SHA1": 639, "FileHash-SHA256": 5380, "domain": 676, "hostname": 1120, "URL": 1031, "SSLCertFingerprint": 4 }, "indicator_count": 9487, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "285 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6843fe89793d0ef8e2afc34d", "name": "Deleted SocialMedia", "description": "Bad Actor Deleted SocialMedia account found in breach forum.", "modified": "2025-07-07T08:03:42.325000", "created": "2025-06-07T08:55:37.612000", "tags": [ "body", "secure", "self", "path", "date sat", "gmt contenttype", "connection", "accept", "gmt pragma", "deny", "maxage34214400", "learn", "spawns", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "ssl certificate", "found", "copy sha256", "copy md5", "copy sha1", "sha1", "sha256", "size", "type data", "ascii text", "pattern match", "mitre att", "show technique", "ck matrix", "file", "indicator", "show process", "encrypt", "june", "hybrid", "local" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1628, "domain": 58, "URL": 390, "hostname": 204, "FileHash-MD5": 84, "FileHash-SHA1": 88, "SSLCertFingerprint": 4 }, "indicator_count": 2456, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "286 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "681386d75c34469176686756", "name": "x.com/KulinskiArkadi", "description": "", "modified": "2025-05-31T14:01:10.044000", "created": "2025-05-01T14:36:07.422000", "tags": [ "script", "etag", "sharing", "cors", "mediatype", "mediasubtype", "contenttype", "header", "combination", "compression", "encrypt", "cookie", "critical", "twitter", "iframe", "insert", "info", "error", "suspicious", "find", "screen", "grok", "body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 471, "CIDR": 34, "FileHash-MD5": 9, "FileHash-SHA1": 5, "FileHash-SHA256": 1177, "domain": 214, "hostname": 430, "email": 2 }, "indicator_count": 2342, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "322 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6759e015bddb89de26c4219a", "name": "fonts.gstatic.com/s/opensans/v15/mem8YaGs126MiZpBA-UFVZ0b.woff2", "description": "The full text of the text above the line of this page, which has been published by BBC Radio 5 live, can be viewed by the BBC iPlayer, iplayer, app and website.", "modified": "2025-05-14T21:24:40.387000", "created": "2024-12-11T18:55:17.578000", "tags": [ "callnexthookex", "callwindowprocw", "createbitmap", "createfilea", "createwindowexw", "decodepointer", "defwindowprocw", "destroywindow", "enablewindow", "encodepointer", "cachebuster", "or requesturl", "url praca", "opswatreputacja", "ssdeep", "brak", "blob", "indie", "hetzner online", "gmbh", "helsinki", "niemcy", "finlandia", "globe telecoms", "ovh hosting", "zredagowano dla", "prywatnoci" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "FileHash-SHA1": 3, "URL": 378, "domain": 43, "hostname": 151, "FileHash-MD5": 2, "IPv4": 36 }, "indicator_count": 616, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67576b4cdaafecfac733fac4", "name": "http://pit.waw.pl skrypt w pliku://C:/28f67ac2f4875f36aeb31e181e2d2d50f84b5c0791afa4b7bd6987cf00e95186.html.html http://ww53.cookiesinfo.com/", "description": "MS Office Excel 2016\n0x2491:$h_raw1: /javascript\n0x289d:$h_raw1: /javascript\n0x2dd0:$h_raw1: /javascript\n0x182a6:$h_raw1: /javascript\n0x18dc0:$h_raw1: /javascript\n0x1a072:$h_raw1: /javascript\n0x1ad72:$h_raw1: /javascript\n0x222e6:$h_raw1: /javascript\n0x22870:$h_raw1: /javascript\n0x23lut:$h_raw1: /javascript\nskrypt w pliku://C:/28f67ac2f4875f36aeb31e181e2d2d50f84b5c0791afa4b7bd6987cf00e95186.html.html", "modified": "2025-05-14T20:46:38.021000", "created": "2024-12-09T22:12:28.252000", "tags": [ "grudzie", "typ zawartoci", "linux x8664", "khtml", "gecko", "metoda", "adres url", "poczenie", "dugo treci", "dostawa artnet", "sha1", "sha256", "microsoft", "microsoft store", "office", "robisz", "zakupy w", "dla firm", "family", "internetem", "kliknij tutaj", "microsoft i", "bony", "jaka", "android", "utc1 html", "utc1", "utc1 gif", "plik", "utc1 popieprzy", "javascript", "or requesturl", "or filehash", "maxradlinklen50", "type3", "june", "copyright", "t1027", "warto", "muid warto", "mr warto", "warto clid", "anonchk warto" ], "references": [ "http://office.microsoft.com/pl-pl/try/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 56, "hostname": 96, "URL": 348, "FileHash-SHA256": 313, "FileHash-MD5": 22, "FileHash-SHA1": 12, "IPv4": 11, "YARA": 2 }, "indicator_count": 860, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67589cffab570632158afa59", "name": "RFC 7230 - Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", "description": "The full text of the RFC 7230, which describes the Hypertext Transfer Protocol (HTP), has been published online for the first time and is currently being used by users across the world.", "modified": "2025-01-09T19:02:14.511000", "created": "2024-12-10T19:56:47.749000", "tags": [ "datatracker rfc", "standard", "engineering steering", "moore" ], "references": [ "https://tools.ietf.org/html/rfc7230#section-3.2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Engineering Steering", "display_name": "Engineering Steering", "target": null }, { "id": "Moore", "display_name": "Moore", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 37, "domain": 5, "email": 2, "hostname": 13, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap", "https://wes.palantirfoundry.com/ \u2022 http://utilities-bootcamp.palantirfoundry.com/", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake", "cedevice.io \u2022 decagonsoftware.com", "Yara Detections: MS17_010_WanaCry_worm , stack_string , MS_Visual_Cpp_6_0 , Armadillov1xxv2xx", "People who exploit this put the US at risk. Bottom line.", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Proton.me/Zenbox: Audit July 2025", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.", "sabey.com", "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584", "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022", "www.joewa.com", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com", "apple.com-verify.account.manage.test2.aptaforum.com.cn", "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam", "Geo\tMcKinney, Texas, United States (US) \u2014 AS \u2022AS11427 - TWC-11427-TEXAS, US", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Entrust to Sectigo- Review vendors", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube", "Alerts: stealth_network antivirus_virustotal static_pe_anomaly", "IP\u2019s Contacted: 103.224.212.220 105.242.60.208 117.13.61.219 117.180.208.83 12.105.46.122", "114.114.114.114", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd45176426a", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "Crowdsourced IDS: Matches rule ET POLICY PE EXE or DLL Windows file download HTTP", "msedge.b.tlu.dl.delivery.mp.microsoft.com", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://dns.google/resolve?name=SELECT", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Crowdsourced IDS: Fast Flux attempt Matches rule ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "Pahamify Pegasus", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com", "CS IDS: Matches rule (http_inspect) invalid status line", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "https://viz.greynoise.io/ip/analysis/582cd318-1d3f-47bc-9b07-8cf", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Safari/537.36", "https://brand2.centurylinktechnology.com", "Potentially Pegasus related . Found to be affecting an IOS device", "CA DMV- 2020 exploits, if even exist in your records, may be related.", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net ns2.parkingcrew.net", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "https://otx.alienvault.com/indicator/domain/qeenetic.link", "Yare: compromised_site_redirector_fromcharcode", "114.114.114.114 = Tulach", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "dropbox.com - deleted victims DB post assault. Sabey + Ahmann repeatedly erased DB (ILLEGAL)", "Amazon- Check new cert subscribers on or around Sept 15 2025", "Win32/Lumma Stealer Related CnC Domain in DNS Lookup (comkxjs .xyz) (unurew .xyz) (trsuv .xyz)", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "https://prod.centurylinktechnology.com", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Obfuscation: XOR-based String Encryption (0x20)", "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Quasi Gov - Law firms stole victims clouds. Evidence, $Intellectual property, Memories of & victims family. Merciless", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "http://office.microsoft.com/pl-pl/try/", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Trojan.Mebroot , a variant of Win32/Mebroot.BM , Trojan:W32/Mebroot.gen!A , Trojan.Packed.2447", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "ASP. NET", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "This document might expose someone, more than another.", "Lumma Stealer CNC {FILEHASH SHA256 bc9c5c8dfdcf0d2a321478207b0870274fba25b93075fc987768623237973646} t.me / Dropbox", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "FileHash-SHA256 002dee2db8b07b98b543ad99d0dd4e3e0ba7624f956d719ba803f57b426e30e7", "Ransomware File Modifications Exec Crash", "https://urlscan.io/domain/device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com", "https://www.youtube.com \u2022 https://www.youtube.com/user/CurseDiablofans", "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "pcup.gov.ph:", "Gatsby Library Loader, DLL", "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "https://tools.ietf.org/html/rfc7230#section-3.2", "IDS Detections: ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.google.com)", "T1110.001 (Brute Force: Password Guessing)", "Win.Exploit.Rozena {FileHash-SHA256 21fb4fdce85ab75430e18d9362a35f61dcaeb628c28836403472c054d6ceab8c}", "Protected:SA\u2019r Jeffrey Scott Reimer, Mark Montano MD, John T. Sasha MD, Frederick P. Scherr , others.", "7box.vip", "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost", "jgw.and.googletagmanagers.com", "Yara Detections: is__elf", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "https://pegasus.pahamify.com/ \u2022 https://pegasus.pahamify.com/study-plan/ \u2022 pegasus.pahamify.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "http://ww17.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/", "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:", "okg.and.googletagmanagers.com", "Request Queries Keyboard Layout Antivm Generic Disk Resumethread", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn", "pcy.and.googletagmanagers.com", "ET TROJAN Possible VirLock Connectivity Check", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910", "ELF:Mirai-TO\\ [Trj] 12.111.210.191 | United States of America ASN AS7018 att services inc", "Tipped: A targets AI and other cyber research findings.", "Iframe src: https://open.spotify.com/embed/artist/2nMFC7hWK0haX8ilvRpb59?utm_source=generator", "Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off", "Yara Detections: WannaCry_Ransomware , Wanna_Cry_Ransomware_Generic , WannaDecryptor", "equilibrium.palantirfoundry.com \u2022 kt-presales.palantirfoundry.com \u2022 paloma.palantirfoundry.com", "Lumma Stealer https://t.me/pizdenka202020 / t.me", "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "https://twitter.com/PORNO_SEXYBABES", "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)", "Iframe src: https://www.youtube.com/embed/nuxT76ndwYY", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "http://prtests.ru/test.html?15%0Ahttp://profetest.ru/test.html?2%0Ahttp://qptest.ru/test.html?5%0Ahttp://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3cf71a18-f999-4372-beac-67715d51bb62?P1=1629470400&P2=404&P3=2&P4=d%2520arRdiatcalmlQRKq2gm1LlFitNgIcLpnyzCIHYtf%2520ByXQF0JNptZ0rBDMKlLL%2520qsOzZdPICJjC7MWkkdm1Hg==%0Ahttp://stafftest.ru/test.html?0%0Ahttp://iqtesti.ru/test.html?17%0Ahttp://hrtests.ru/test.html?1%0Ahttp://pstests.ru/test.html?4%0Ahttp://prtests.ru/test.html?6%0Ahttp:/", "Indicators seen may have affected a few OTX users. Is ongoing", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "Win32:CVE-2017-0147-B\\ [Expl] , Win.Ransomware.WannaCry-6313787-0 , Exploit:Win32/CVE-2017-0147.A", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "Germany, Austria, and Switzerland GmbH", "http://apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn/", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Executed Files Anomalous Deletefile Dropper Disables System Restore Dead Connect", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "Crowdsourced SIGMA Below:", "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader", "pgj.and.googletagmanagers.com", "findmy.apple-uk.live", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "UPX_OEP_place", "APKMirror https://www.apkmirror.com", "Google Docs 1.25.202.02 APK Download by Google LLC", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349", "web-secure-appleid-login.com.test2.aptaforum.com.cn", "http://web-secure-appleid-login.com.test2.aptaforum.com.cn/", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/", "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |", "https://listeners.usw-16.palantirfoundry.com \u2022 https://pacificlife.palantirfoundry.com/", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "syn-184-092-221-096.res.spectrum.com(PTR record of primary IP) IPv4\t184.92.221.96", "https://otx.alienvault.com/pulse/69bea426487bffa5384c6f38", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "Alerts: console_output has_pdb pe_unknown_resource_name", "https://forward.ro/talents/mira/ redirects to forward.ro", "www-stage40.pornhub.com", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "Gen:Trojan.Heur.wq5@QsnW4Im , Backdoor.Win32.Sinowal.fac , Mal/Sinowa-A ,", "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "IDS Detections: IPC$ share access \u2022 SMB-DS IPC$ unicode share access \u2022 403 Forbidden", "KeenDNS | keendnsaclremote805717135272048.qeenetic.link", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "VO7MU1HA.htm : https://hybrid-analysis.com/sample/9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc", "This is not shown. Route \u2022 184.92.0.0/16 (Route of ASN) PTR", "cellebrite.com | https://cellebrite.com/en/federal-government/", "Query to a *.top domain - Likely Hostile\t192.168.122.95\t1.1.1.1\t\t\t\t SHOWING 1 TO 22 OF 22 ENTRIES HTTP Request Get 1 Post 2 Put 0 Delete 0 URL HOST PORT METHOD USER AGENT https://steamcommunity.com/profiles/76561199863199067\tsteamcommunity.com\t443\tGET\tN/A { \"src\": \"192.168.122.95\", \"sport\": 49227, \"dst\": \"23.59.52.127\", \"dport\":, \"protocol\": \"https\", \"method\": \"GET\", \"host\": \"steamcommunity.com\", \"uri\": \"/profiles/76561199863199067\", \"status\": 200, \"request\": \"GET /profiles/7656119986319", "https://tulach.cc/", "work.a-poster.info", "Names: Photo.scr \u2022 85115B0142902832C864B3009CAB1A00.RS (names of FileHash above)", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "https://fonts.googleapis.com/css", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend", "https://pegasus.pahamify.com/", "http://apple.com-verify.account.manage.test2.aptaforum.com.cn/", "Basic Properties Regional Internet Registry ARIN Country US Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.", "DiabloFans.com", "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies deletes_executed_files infostealer_bitcoin injection_createremotethread", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815", "http://dasima-containers.palantirfoundry.com/ \u2022 https://glare.palantirfoundry.com/", "https://pin.it/ \u2022 pin.it a fake Pinterest for Tsara Brashears", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "Loads modules at runtime Looks up procedures from modules", "device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com TWC-11427-TEXAS, US \u2022 Spectrum", "Micro - Dates to look for specific: April/May/June 2025", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Unique rule identifier: This rule belongs to a private collection.", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector , xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55", "IDS Detections: Win32/Lumma Stealer Related \u2022 CnC Domain in DNS Lookup (pacwpw .xyz)", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com", "https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)", "IDS Detections: busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Digi/Global Sign - audit 2020 digital intersect", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "IDS: TLS Handshake Failure", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Alerts: network_cnc_http network_http allocates_rwx creates_exe creates_hidden_file", "savethemalesdenver.com | brasville.com.br?", "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c", "Location Antisandbox Sleep Antidebug Setunhandledexceptionfilter Packer Unknown Pe Section Name Packer Entropy Network Bind Antivm Network Adapters Http Request Infostealer Browser Recon Fingerprint Antivm Checks Available Memory Antivm Generic Bios Reads Self Polymorphic Enumerates Physical Drives Network Http Network Cnc Http Antivm Bochs Keys", "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.", "TAM Legal\u2019s Christopher P. \u2018Buzz\u2019 Ahmann Esq works for State Quasi Government in tandem w/ Hall Render", "IDS: Observed Suspicious UA (Hello, World)", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "https://www.youtube-nocookie.com/embed/", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "appleid.apple.com-signin-8491e.test2.aptaforum.com.cn", "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.", "Title The page title. Chieti Meteo - Webcam Abruzzo", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "aptia.palantirfoundry.com \u2022 palantirfoundry.com \u2022\u2019agent-infra-mojito.palantirfoundry.com", "Malware : ClipBanker Entity: Crazy Frost", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.afa33b71-01ea-477c-bc01-f6a3ab623e9d/master", "http://www.anyxxxtube/", "init.ess.apple.com \u2022otc.greatcall.com (phone manipulators) \u2022 mailtrack.io \u2022 https://trackacourier.net", "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "Domains Contacted: ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "https://feedback.ptv.vic.gov.au/360", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Resolves to a suspicious TLD - \t encore.scdn.co", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "http://e7.c.lencr.org/74.crl \u2022 http://e7.i.lencr.org/", "IP\u2019s Contacted: 192.124.249.187", "Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sqgzl .xyz) (cexpxg .xyz) (cexpxg .xyz) (urarfx .xyz)", "168.200.5.0/24: Autonomous System Number :18693 || Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US", "IDS Detections: Win32/Vflooder.B Checkin | Virus Total vtapi DOS", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd458176426a", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing \u2022 www.anyxxxtube.net", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "BGP Hurricane Electric seen", "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644", "(?) https://living-sun.com/applescript/68281-is-there-a-way-to-disable-force-quit-while-applescript-application-is-still-running-applescript-quit.html", "Spellbinding! Indeed. SpellEditor.exe", "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556 | http://girlsandtheir.webcam/&_=1727665483552", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "usw-2-dev.palantirfoundry.com \u2022 lucyw.palantirfoundry.com \u2022 https://fegdip.palantirfoundry.com/", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "Crowdsourced IDS: Matches rule MALWARE-CNC DNS", "(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 30038 Host: accsrf.top", "Y2K", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "https://www.pornhub.com/video/search?search=tsara+brashears", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "bzx.and.googletagmanagers.com", "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur", "device-7de2fab7-44a1-494e-8f36-8d135628c33a.remotewd.com 104.190.139.162 AT&T", "https://hybrid-analysis.com/sample/713944cb1accb541622bf99d55f34876b5ff13d042c6c203bab89632a15b9248/689c0eca8dd0033cbb064d12", "http://apple.sweetycat.com/ \u2022 https://apple.sweetycat.com/", "Dates back to a malicious ongoing Brian Sabey HallRender attacks using various malicious resources", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Remotewd.com research - Devices under command and control. Malicious / adversarial | 3000 + devices in Pulse", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "twitter.com \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 www.pornhub.com \u2022 oriental-porno.lat", "https://vtbehaviour.commondatastorage.googleapis.com/528831360d5c49743bf0dcf9cb0af1f76c694de9dfff79b32098d68c3c592f8a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775980441&Signature=QefJtz2s096UJTV1NljpeJrvdFWJBbHJre5UDOJQeemvu9EGI8UaxLTPvZxejJToeSgqCCu4zCWniB2V9Xer1ozcM5Vy2xhgRO%2BaFeWFRkjfd5yRyZIGLi65ORYA2oyDhTBUZuQco3NNHZWaS0mWYOpAI662c%2BecYNp5SJTXMB4oKzu9bstiszUfM1HNlWjSpySaxCD4j34gZFgiv5xZGW34IcBSvzfQUWECgUu6jW5Pu4Rr%2FH5TJS%2", "www.remoteaccess.allied-media.com", "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://mobile-pocket-guide.centurylinktechnology.com", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Services : GoogleChromeElevationService = Delete", "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org", "Infostealer Cookies Infostealer Mail Procmem Yara Suricata Alert Modify Proxy Powershell", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_(64bit)_v136.0.7103.49.exe", "https://palapa.c.id\t (c.id)", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "hanmail.net", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com", "authrootstl.cab common file extension", "Address shows an place of origin: Broomfield , Co", "crypto-pool.fr", "Stealth Hiddenreg Cape Detected Threat Stealth Timeout Accesses Public Folder Deletes", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "http://appleid.apple.com-signin-8491e.test2.aptaforum.com.cn/", "https://elegantcosmedampyeah.pages.dev/", "Address 198.185.159.144 , 198.185.159.145 , 198.49.23.144 , 198.49.23.145", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.", "https://hybrid-analysis.com/sample/09610b7c855ef132a31f2e0136b4d62b9dbb04c6fcb42160d6d8409ef6394e40/69c0189c5e0483a78907cc39", "Verification failure observed in automated verification handlers during sandbox replay.", "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit", "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912", "https://app.threat.zone/submission/b6f70460-ccaf-4acb-8bf0-f0e03", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "This pulse is so huge it\u2019s a mess. Will break down.", "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request", "tv.apple.com", "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3", "*unsigned Domain: aptaforum.com.cn Name Servers: dns18.hichina.com Registrar: \u963f\u91cc\u4e91\u8ba1\u7b97\u6709\u9650\u516c\u53f8\uff08\u4e07\u7f51\uff09Status: ok", "https://report.netcraft.com/submission/S0M8EqQONEulzSL3S9osDrxbx", "Trojan/JS.Redirector.QNO SHA256:9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc", "https://otx.alienvault.com/pulse/69bf8e2663d5480917ddb699", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://brand.centurylinktechnology.com", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "France", "Crowdsourced IDS Below:", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "truist.palantirfoundry.com \u2022 nissansandbox.palantirfoundry.com", "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net", "prb.and.googletagmanagers.com", "IP\u2019s Contacted: 121.105.233.189 128.251.173.246 13.248.148.254 132.124.155.52 139.246.30.108", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "dns17.hichina.com", "https://otx.alienvault.com/pulse/69b49ad5dd40a24d83cd6a72", "https://www.youtube-nocookie.com/embed/6w5ukhqvtmq", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn", "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63", "Note: An IP might be announced by multiple ASs.Spectrum | Charter Communications", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4", "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "https://app.threat.zone/submission/6f654ad8-9723-4a3e-9977-4b953", "Emails:yejun.shou@yxips.com Name:\u7ebd\u8fea\u5e0c\u4e9a\u751f\u547d\u65e9\u671f\u8425\u517b\u54c1\u7ba1\u7406(\u4e0a\u6d77)\u6709\u9650\u516c\u53f8 Name Servers: dns17.hichina.com", "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ || [Trj] http://itsupport.uchealth.org/", "Believed to be originating from Germany and Russia", "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The", "https://hybrid-analysis.com/sample/a638ece11c81bcac0002363eb3f75de35a46ce0e080b5de41162093181079a6b/69c018efcb875e4fb30cdfcc", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "146.112.61.107 (146.112.48.0/20) AS 36692 ( CISCO UMBRELLA ) US", "US, Philippines, Ukraine, Iran, China. Alberta.", "Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities", "ELF:Mirai-TO\\ [Trj] tulach.cc", "inst.govelopscold.com", "https://securityaffairs.com/144927/cyber-crime~#", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "this.target", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "https://clockoutbox.es/password", "http://appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn/", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "Iframe src: https://www.youtube.com/embed/o8_jPaXfxWY", "IDS Detections: Query to a *.pw domain - Likely Hostile", "HallRender.com | Law Firm M. Brian Sabey Esq. | Pegasus related", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025", "https://www.red-gate.com/products/smartassembly", "Alerts: network_icmp nolookup_communication persistence_autorun modifies_proxy_wpad", "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap", "https://uhsinc.palantirfoundry.com/ \u2022 https://velocityglobal.palantirfoundry.com", "http://www.sweetheartvideo.com/tsara-brashears \u2022 https://www.sweetheartvideo.com/tsara-brashears", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "John 12:17", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "Detections PSW.Sinowal.X , Win.Trojan.Sinowal-13971 , Artemis!0DF9D8682EFA ,", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "Yara Detections BackdoorWin32Simda", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: creates_service stealth_window antivm_network_adapters checks_debugger", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "Remote Process Static Pe Anomaly Https Urls Virus Process Creation Suspicious", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "Alerts: cape_detected_threat", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "Iframe src: https://www.youtube.com/embed/SEBW2mh1jvY", "lkp.and.googletagmanagers.com", "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection SMB-DS", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://inbound-message-listener-temporary-testing.palantirfoundry.com", "apple.haipaoapp.com \u2022 http://apple.haipaoapp.com \u2022 http://apple.haipaoapp.com/ \u2022 https://apple.haipaoapp.com/", "Google_Chrome_64bit_v136.0.7103.49.exe", "Contains Pe Overlay Queries Locale Api Language Check Registry", "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "http://glare.palantirfoundry.com/ \u2022 https://woodward.palantirfoundry.com/", "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "http://cr-malware.testpanw.com/url", "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net", "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)", "aptaforum.com.cn 182.61.201.90 , 182.61.201.91 China ASN AS38365 beijing baidu netcom science and technology co. ltd", "Every tag OTC auto populated . Crazy talk. Please see Mitre ATT&CK", "Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "partnerapi.spotify.net \u2022 youtube.ru", "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "go.sabey.com", "Alerts: peid_packer pe_unknown_resource_name" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Crazy Frost", "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "busybox MIORI Hackers" ], "malware_families": [ "Mebroot", "Trojan:o97m/madeba.a!det", "Alf:ransom:win32/petya.sib!mtb", "Cve-2023-22518", "Win32:crypterx-gen\\ [trj]", "Cl0p", "Cve-2024-6387", "Win32:evo-gen\\ [trj]", "Win.trojan.vbgeneric-6989114-0", "Alf:heraklezeval:pua:win32/ultradownloads", "Lumma stealer", "Quasar rat", "Lockbit", "Rozena", "Alf:trojan:win32/g3nasom!imp", "Moore", "Sf:wncryldr-a\\ [trj]", "#lowfidetectsvmware", "Pahamify pegasus", "Backdoor:win32/bladabindi", "Alf:e5", "Trojandownloader:win32/bulilit", "Unix.trojan.mirai", "Smoke loader", "#virtool:win32/obfuscator", "Autorunit", "Win.trojan.application-1955.", "Alf:spikeaexr.pevpopc", "Win.malware.snojan-6775202-0", "Win.malware.salat-10058846-0", "Tulach", "Trojan:win32/zusy", "Der zugriff", "Tel:createscheduledtask.a!sigattr", "Virtool:win32/tofsee", "Pws:win32/axespec.a", "Alf:trojan:win64/psbanker", "Pws:win32/raven", "Virtool:win32/obfuscator.jm", "Telper:hstr:dotcisoffer", "Quasar", "Cve-2017-0147", "Trojan:win32/glupteba.mt!mtb", "Win32:dh-a\\", "Malware family: stealthworker / gobrut", "Win32:banker-laa\\ [trj]", "Exploit:win32/cve-2017-0147.a", "Tofsee", "Win32:dh-a\\ [win32:fileinfector-c\\ [heur]", "Win.malware.flystudio-6738927-0", "Mydoom", "Alf:jasyp:trojan:win32/ircbot!atmn", "Trojanspy:win32/nivdort", "Win.trojan.vbgeneric-6735875-0", "Ransomware", "Themida.", "Virus:win95/cerebrus", "Psw.sinowal.x", "Sigur", "Win.trojan.agent", "Unidentified 083 (autoit stealer)", "Alf:heraklezeval:trojan:win32/clipbanker", "Nitrogen ransomware", "Trojandownloader:win32/upatre", "Elf:mirai-gh\\ [trj]", "Alf:heraklezeval:worm:win32/vobfus", "Other dangerous malware", "Win.trojan.emotet-9850453-0", "Redline", "Win.trojan.tofsee-7102058-0", "Win.trojan.fugrafa-9733007-0", "Themida", "Win.trojan.cycbot-1584", "Backdoor:linux/mirai.b", "Trojanspy", "Nitrogen loader", "Trojan:win32/pariham.a", "Other malware", "Alf:jasyp:trojandownloader:win32/smallagent!atmn", "Cve-2025-20393", "Win.malware.midie-9950743-0", "Backdoor:win32/small.ir", "Win.ransomware.wannacry-6313787-0", "Win.dropper.vbclone-10036195-0", "Elf:mirai-to\\ [trj]", "Ransom:win32/wannacrypt.h", "Cve-2018-10562", "Ransom:win32/cve-2017-0147.a", "Kanna", "Win64:expiro-aj\\ [inf]", "Unix.trojan.mirai-7669677-0", "Trojan.disfa/downloader10", "Win32:trojanx-gen\\ [trj]", "Trojan/js.redirector.qno", "Kimsuky", "Worm:win32/lightmoon.h", "Alf:trojan:win32/vtflooder", "Worm:win32/autorun!atmn", "Trojandropper:win32/muldrop.v!mtb", "Zergeca", "Virtool:win32/vbinject.ya!mtb", "Bible gateway", "Trojan.sagnt/r011c0dfs24", "Engineering steering", "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf", "Exodus", "Trojan.tofsee/botx", "Trojan:win32/danabot", "Hacktool", "Unix.dropper.mirai-7135870-0", "Stefan", "Worm:win32/mofksys.rnd!mtb", "Backdoor:win32/tofsee.t", "Trojan:win32/emotet.arj!mtb", "Win32:malware-gen", "Trojan:win32/vflooder", "Win.exploit.rozena", "Et" ], "industries": [ "Telecommunications", "Technology", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in", "Government", "Financial", "Legal", "Civil society", "Education", "Media", "Healthcare", "Oil" ], "unique_indicators": 357278 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/googleapis.com", "whois": "http://whois.domaintools.com/googleapis.com", "domain": "googleapis.com", "hostname": "fonts.googleapis.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69d967590f40c612c90ce84f", "name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated", "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.", "modified": "2026-04-19T09:05:10.432000", "created": "2026-04-10T21:10:49.749000", "tags": [ "malicious", "Microsoft", "intent: reckless", "wiper", "Transip", "bankers document gone rogue", "Tehran", "pdfkit.net", "United", "broken Docusign seal", "esign violation", "us lawyers", "Iran", "IP Abuse US", "Spreader", "corruption that spread", "52.123.250.180", "Mass Data Loss and exfiltration", "Docusign exploited by insecure workflows", "Adobe exploited by insecure workflows", "threat map", "Infra / healthcare / more at risk from this negligence", "remediation: long. expire the certs. block 53..", "accountability, NOW.", "Burned", "Kitplay", "iOS", "Watering hole", "Webkit", "Religious Regime", "MS Office", "Compliance Hold Purgatory", "WIN EXE.32", "Firmware neutral", "Trusted Insider", "DKIM, SPF, DMARC Failures", "APKmirror", "ILOVEYOUBABY", "No Problems", "Christmas Tree EXEC Code Red worm Computer virus Nimda", "Wanna Cry", "APK", "DC RAT", "Emotnet", "Redline Swiper", "Open Door", "Bankers Document", "Y2K", "wsscript.exe, VBE", "Compliance Lock Trap", "Globalsign 2020 (potentially exploited)", "Heuristic Smear", "Gatsby Library Loader DLL", "w31999", "UofA" ], "references": [ "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.", "People who exploit this put the US at risk. Bottom line.", "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The", "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.", "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader", "", "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815", "This document might expose someone, more than another.", "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.", "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.", "Micro - Dates to look for specific: April/May/June 2025", "Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off", "Amazon- Check new cert subscribers on or around Sept 15 2025", "Entrust to Sectigo- Review vendors", "Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities", "CA DMV- 2020 exploits, if even exist in your records, may be related.", "Digi/Global Sign - audit 2020 digital intersect", "Proton.me/Zenbox: Audit July 2025", "Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025", "APKMirror https://www.apkmirror.com", "Google Docs 1.25.202.02 APK Download by Google LLC", "The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.", "Y2K", "US, Philippines, Ukraine, Iran, China. Alberta.", "France", "Germany, Austria, and Switzerland GmbH", "Gatsby Library Loader, DLL", "Spellbinding! Indeed. SpellEditor.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications" ], "TLP": "green", "cloned_from": "69a82c54067ca1d502b1eb6c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3516, "hostname": 1614, "CVE": 7, "URL": 1806, "domain": 1416, "IPv4": 888, "FileHash-MD5": 731, "FileHash-SHA1": 787, "CIDR": 6, "email": 27, "IPv6": 10, "JA3": 2 }, "indicator_count": 10810, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "2 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "3 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dc04c12782d2d76c111a93", "name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked", "description": "", "modified": "2026-04-12T20:46:57.338000", "created": "2026-04-12T20:46:57.338000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "IPv4": 322, "SSLCertFingerprint": 24, "email": 2, "IPv6": 1 }, "indicator_count": 5321, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69db4f2dc509a1e8210f1b68", "name": "CAPE Sandbox", "description": "CivicPlus, LLC (ICONE-2) is a US-based company with a name that includes the word \"CIVICPLUS\", \"civicplus\", and \"icon Enterprises, Inc\".", "modified": "2026-04-12T08:36:17.724000", "created": "2026-04-12T07:52:13.594000", "tags": [ "network admin", "civicplus", "net192", "net1920000", "houston", "suite e", "city", "server", "select contact", "domain holder", "date", "form", "submission", "ssdeep", "file type", "text text", "magic unicode", "utf8", "crlf line", "trid text", "magika txt", "file size", "chatgpt", "doctype html", "meta", "ai system", "research", "preview", "gmt server", "self", "dynamic", "html info", "title chatgpt", "meta tags", "thumbprint" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/528831360d5c49743bf0dcf9cb0af1f76c694de9dfff79b32098d68c3c592f8a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775980441&Signature=QefJtz2s096UJTV1NljpeJrvdFWJBbHJre5UDOJQeemvu9EGI8UaxLTPvZxejJToeSgqCCu4zCWniB2V9Xer1ozcM5Vy2xhgRO%2BaFeWFRkjfd5yRyZIGLi65ORYA2oyDhTBUZuQco3NNHZWaS0mWYOpAI662c%2BecYNp5SJTXMB4oKzu9bstiszUfM1HNlWjSpySaxCD4j34gZFgiv5xZGW34IcBSvzfQUWECgUu6jW5Pu4Rr%2FH5TJS%2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 602, "domain": 166, "email": 37, "hostname": 837, "FileHash-MD5": 125, "FileHash-SHA1": 136, "FileHash-SHA256": 1230, "IPv4": 399 }, "indicator_count": 3534, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d45ab2e634e02113fd7435", "name": "SkyDog Con 2016 CTF", "description": "< SkyDog Con 2016 CTF has been revealed in a series of hex-h hashes, revealing the names of the participants, Bots, and other key characters, as well as details of how the challenge was organised.>", "modified": "2026-04-07T03:49:17.647000", "created": "2026-04-07T01:15:30.623000", "tags": [ "plain text", "found", "javascript file", "ssh service", "ssl certificate", "skydog con", "legend begins", "earlier", "welcome home", "context", "md5 hash" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "domain": 13, "FileHash-SHA1": 2, "URL": 77, "hostname": 26, "FileHash-SHA256": 40, "CVE": 2 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ca434ee788ab3d090e6013", "name": "PDFKIT.NET - Trust Bypass Continued Concerns", "description": "A complete list of key facts and statistics:..3-magnitude-based data-sharing platform, which was first created in 2003, has been published by the University of Oxford.<-- Pretext. Msudosos: Ongoing concerns persist regarding the use of the pdfkit.net library in specific DMV versions, which may allow for trust bypass across multiple platforms. Research indicates that isolating affected areas or voiding certificates will not remediate this issue, as the corrupted trusted root persists even after firmware-level restores.", "modified": "2026-04-07T02:11:33.275000", "created": "2026-03-30T09:33:02.363000", "tags": [ "fcc", "trust bypass", "pi", "hollow-root", "pdfkit.net", "cryptographically-invalid", "Docusign as an exploit", "gov / infra / healthcare / mun", "education", "US", "globalsign2020", "noend--point.", "null" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "Italy", "United States of America" ], "malware_families": [ { "id": "Stefan", "display_name": "Stefan", "target": null } ], "attack_ids": [ { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [ "Telecommunications", "Education", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "IPv4": 8, "domain": 39, "email": 4, "hostname": 60, "FileHash-SHA1": 47, "FileHash-SHA256": 209, "FileHash-MD5": 42, "CVE": 1 }, "indicator_count": 487, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1396bb42208f8aa25b8ae", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:43.680000", "created": "2026-04-04T16:16:43.680000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1395ab63bf8e8d2c384eb", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:26.128000", "created": "2026-04-04T16:16:26.128000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa41b0d714318bf8937184", "name": "W.Vashti .Net obfuscator clone", "description": "", "modified": "2026-04-04T00:06:41.423000", "created": "2026-03-06T02:53:36.216000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": "6952d4fc6910b0b866746d8a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1969, "URL": 5700, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10779, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://fonts.googleapis.com/css", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://fonts.googleapis.com/css", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776597710.5436265 }