{
"type": "URL",
"indicator": "https://fonts.googleapis.com/css2",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://fonts.googleapis.com/css2",
"type": "url",
"type_title": "URL",
"validation": [
{
"source": "akamai",
"message": "Akamai rank: #5790",
"name": "Akamai Popular Domain"
},
{
"source": "whitelist",
"message": "Whitelisted domain googleapis.com",
"name": "Whitelisted domain"
},
{
"source": "majestic",
"message": "Whitelisted domain googleapis.com",
"name": "Whitelisted domain"
}
],
"base_indicator": {
"id": 3156044951,
"indicator": "https://fonts.googleapis.com/css2",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "69e4b26998e73fb434180bcb",
"name": "7896e02054066e7810763b441b4b7ffc2aa755064fc9ef531f267c5cc8c837e5",
"description": "7896e02054066e7810763b441b4b7ffc2aa755064fc9ef531f267c5cc8c837e5",
"modified": "2026-04-19T12:34:18.786000",
"created": "2026-04-19T10:46:01.609000",
"tags": [
"ip address"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 180,
"IPv4": 16,
"domain": 68,
"URL": 181,
"hostname": 130,
"FileHash-SHA1": 9,
"JA3": 1,
"FileHash-MD5": 13,
"IPv6": 2,
"email": 7
},
"indicator_count": 607,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "19 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d4619c47e294ad9f6488e5",
"name": "27d40d40d00040d1dc42d43d00041d6183ff1bfae51ebd88d70384363d525c",
"description": "The full text of this page, which contains the name, \"Whois\", is published on the website of Google.com, the firm that owns the search giant's search engine, its parent site.",
"modified": "2026-04-07T04:25:21.664000",
"created": "2026-04-07T01:45:00.190000",
"tags": [
"united",
"unknown",
"as13335",
"as54113",
"aaaa",
"a domains",
"as396982",
"script urls",
"nexus category",
"code",
"date",
"title",
"encrypt",
"thumbprint",
"email",
"city",
"server",
"registrar abuse",
"us admin",
"admin postal",
"mn billing",
"milaca billing"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 64,
"FileHash-SHA1": 43,
"IPv6": 6,
"hostname": 46,
"IPv4": 110,
"domain": 36,
"email": 8,
"CIDR": 3,
"FileHash-MD5": 7,
"FileHash-SHA256": 9,
"CVE": 2
},
"indicator_count": 334,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "13 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d4619c23aeade1bd8bb97e",
"name": "27d40d40d00040d1dc42d43d00041d6183ff1bfae51ebd88d70384363d525c",
"description": "The full text of this page, which contains the name, \"Whois\", is published on the website of Google.com, the firm that owns the search giant's search engine, its parent site.",
"modified": "2026-04-07T04:25:20.672000",
"created": "2026-04-07T01:45:00.700000",
"tags": [
"united",
"unknown",
"as13335",
"as54113",
"aaaa",
"a domains",
"as396982",
"script urls",
"nexus category",
"code",
"date",
"title",
"encrypt",
"thumbprint",
"email",
"city",
"server",
"registrar abuse",
"us admin",
"admin postal",
"mn billing",
"milaca billing"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 29,
"FileHash-SHA1": 33,
"IPv6": 6,
"hostname": 14,
"IPv4": 18,
"domain": 8,
"email": 4,
"CVE": 2
},
"indicator_count": 114,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "13 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a53036e5895c8b352ff5fc",
"name": "www.com.apple.gamecontroller.driver.xboxgamepad.com",
"description": "Artifacts",
"modified": "2026-04-01T13:51:25.078000",
"created": "2026-03-02T06:37:42.626000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1953,
"domain": 299,
"URL": 198,
"email": 11,
"FileHash-MD5": 69,
"FileHash-SHA1": 73,
"FileHash-SHA256": 699,
"CIDR": 6
},
"indicator_count": 3308,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69c1e12737e9fbfd330fdc22",
"name": "alphamountain.ai",
"description": "DGA domain",
"modified": "2026-03-25T02:48:08.520000",
"created": "2026-03-24T00:56:07.456000",
"tags": [
"united",
"unknown",
"asnone country",
"aaaa",
"present jun",
"present jul",
"present sep",
"moved",
"a domains",
"passive dns",
"title",
"date",
"zeppelin",
"accept",
"encrypt"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 275,
"FileHash-MD5": 8,
"FileHash-SHA1": 12,
"FileHash-SHA256": 4,
"IPv4": 48,
"IPv6": 203,
"domain": 19,
"hostname": 137
},
"indicator_count": 706,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "26 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69640c0afc9805a6fa2da07b",
"name": "MUSO.AI Malware \u2018Incredimail\u2019 Palantir in use[OTX auto populated title -Tsara Brashears]",
"description": "MUSO.Ai , Is have to do more research. Some searches on reports MUSO as an opt in resource for artist to view, sort, and manage legacy credits, MUSO also collects royalties. Research and investigation confirms no one on music team is associated with or l thinks they may have heard of MUSO. Is MUSO. AI Palantir customer or service ,spy app services by the folks at Palantir. . [otx auto pop praise: Tsara Brashears is the most popular songwriter in the world, but can you use the app to find out more about the artist and the musicians behind the tracks?] cute. \n#dembiak #palantir #muso #ai",
"modified": "2026-02-10T20:03:47.214000",
"created": "2026-01-11T20:46:02.176000",
"tags": [
"lark kdence",
"zack dare",
"zafira",
"jon bonus",
"andy flebbe",
"div div",
"present nov",
"a domains",
"united",
"script urls",
"div a",
"script domains",
"discover",
"moved",
"insert",
"x0 tw",
"urls",
"cloudfront x",
"title error",
"url analysis",
"reverse dns",
"servers",
"name servers",
"united states",
"all ipv4",
"aaaa",
"ip address",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"evasion att",
"t1480 execution",
"ascii text",
"mitre att",
"pattern match",
"null",
"error",
"click",
"hybrid",
"general",
"local",
"path",
"starfield",
"strings",
"refresh",
"tools",
"meta",
"onload",
"span",
"data upload",
"extraction",
"type",
"extra",
"referen https",
"include review",
"exclude sugges",
"stop",
"aivoes typ",
"passive dns",
"date",
"united states",
"status",
"domain add",
"files",
"hostname",
"read c",
"medium",
"search",
"show",
"memcommit",
"high",
"checks",
"windows",
"delete",
"execution",
"dock",
"write",
"persistence",
"capture",
"next",
"amazon02",
"as autonomous",
"system",
"asn16509",
"domain",
"current dns",
"a record",
"as16509",
"december",
"ip information",
"ipasns ip",
"google",
"fastly",
"googlecl",
"akamaias",
"cloudflar",
"domain tree",
"links ip",
"address as",
"cisco",
"umbrella rank",
"general full",
"url https",
"software",
"resource hash",
"protocol h2",
"security tls",
"hostname add",
"challengescript",
"captchascript",
"name",
"value",
"source level",
"url text",
"automatic",
"webgl",
"please",
"extr data",
"data",
"size",
"title",
"yara detections",
"filehash",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"entries",
"rgba",
"unicode",
"asnone",
"malware",
"port",
"destination",
"tlsv1",
"tls handshake",
"failure",
"roboto",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"expiration",
"url http",
"no expiration",
"present jan",
"unknown ns",
"certificate",
"body",
"present oct",
"present may",
"present dec",
"present sep",
"present feb",
"showing",
"next associated",
"all se",
"pulse pulses",
"http",
"files domain",
"files related",
"pulses none",
"debiak",
"tsara brashears",
"ai",
"palantir",
"muso ai",
"sort",
"artists",
"royalties",
"music",
"songwriter",
"collect",
"view",
"malicious app",
"false claims"
],
"references": [
"https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a",
"22.hio52.r.cloudfront.net",
"us-gov-west-1.gov.reveal-global.com",
"us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647",
"MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page",
"External Hosts Israel Unique Countries 2 Unique ASNs 2 IP",
"ASN 82.80.204.63 www5.incredimail.com \u2022 Israel",
"United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel",
"AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel",
"Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)",
"IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5",
"Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com",
"medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com",
"caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com",
"upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com",
"https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/",
"http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com",
"https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com",
"engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com",
"https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com",
"http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/",
"https://glare.pali om. \u2022 http://engage.palantirfou?",
"What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co",
"(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.",
"www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022",
"www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!",
"campdeadwood2026.com",
"http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy",
"Pornhub to your phone. Dumping or by request?",
"https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/",
"www.killer333.club So I\u2019m right."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Incredimail-6804483-0",
"display_name": "Win.Malware.Incredimail-6804483-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "TA0028",
"name": "Persistence",
"display_name": "TA0028 - Persistence"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10686,
"hostname": 2427,
"domain": 1094,
"FileHash-MD5": 175,
"FileHash-SHA1": 65,
"FileHash-SHA256": 1118,
"email": 4,
"SSLCertFingerprint": 14
},
"indicator_count": 15583,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69519fa818f84531ce6becc9",
"name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)",
"description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. Where does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.",
"modified": "2026-01-27T21:02:45.343000",
"created": "2025-12-28T21:22:48.383000",
"tags": [
"united",
"servers",
"moved",
"ip address",
"record value",
"encrypt",
"present jul",
"present jun",
"trojandropper",
"passive dns",
"ipv4 add",
"urls",
"files",
"virtool",
"united states",
"dynamicloader",
"directui",
"element",
"classinfobase",
"write c",
"medium",
"yara rule",
"msvisualbasic60",
"high",
"hwndelement",
"explorer",
"write",
"movie",
"insert",
"program",
"python",
"http traffic",
"trojan generic",
"search",
"cnc activity",
"delphi",
"win32",
"launcher",
"pony",
"fareit",
"malware",
"push",
"msie",
"windows nt",
"generic",
"checkin",
"post",
"yara detections",
"rxr",
"inject",
"memcommit",
"cryptexportkey",
"invalid pointer",
"regsetvalueexa",
"solutions ltd",
"read c",
"regdword",
"mozilla",
"persistence",
"execution",
"android",
"unknown",
"learn",
"suspicious",
"informative",
"adversaries",
"ck id",
"name tactics",
"command",
"initial access",
"defense evasion",
"spawns",
"t1590 gather",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"pattern match",
"mitre att",
"ck matrix",
"href",
"ascii text",
"starfield",
"hybrid",
"general",
"local",
"path",
"iframe",
"palantir",
"present nov",
"present oct",
"status",
"present apr",
"present dec",
"cryp",
"date",
"trojan",
"title",
"name servers",
"windows",
"t1060",
"disables proxy",
"dock",
"pegasus",
"rootkit",
"backdoor",
"susp",
"win32qqpass feb",
"worm",
"msr win32",
"win64",
"process32nextw",
"findwindowa",
"file execution",
"writeconsolea",
"procexpl",
"file v2",
"document",
"document file",
"v2 document",
"lost",
"tools",
"pecompact",
"media",
"autorun",
"service",
"post http",
"delete",
"alerts",
"emotet",
"rkt",
"autorun",
"worm",
"plugins",
"title error",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"domain",
"expiration date",
"hostname add",
"pulse pulses",
"contacted hosts",
"sha1",
"sha256",
"show technique",
"strings",
"t1480 execution",
"signing defense",
"script urls",
"a domains",
"unknown ns",
"texas flyover",
"script domains",
"script script",
"meta",
"window",
"process details",
"contacted"
],
"references": [
"Cart.Guru",
"Yara Detections: Delphi",
"Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer",
"MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer",
"HTTP traffic on port 443 (POST)",
"IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query",
"Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs",
"Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http",
"Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates",
"Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http",
"Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe",
"Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check",
"Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad",
"Yara Detections: Nullsoft_NSIS ...",
"Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat",
"Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com",
"Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103",
"Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx",
"Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy",
"Emotet IDS Detections: Win32/Emotet CnC Checkin Response",
"Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users"
],
"public": 1,
"adversary": "Palantir Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "RXR",
"display_name": "RXR",
"target": null
},
{
"id": "Pony",
"display_name": "Pony",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "Trojan:Win32/Bagsu!rfn",
"display_name": "Trojan:Win32/Bagsu!rfn",
"target": "/malware/Trojan:Win32/Bagsu!rfn"
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Win32:MalOb-BX\\ [Cryp]",
"display_name": "Win32:MalOb-BX\\ [Cryp]",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "#Lowfi:Win32/SandboxProductId",
"display_name": "#Lowfi:Win32/SandboxProductId",
"target": "/malware/#Lowfi:Win32/SandboxProductId"
},
{
"id": "Win32:Backdoor",
"display_name": "Win32:Backdoor",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "ALF:Trojan:MSIL/BlackFus.C",
"display_name": "ALF:Trojan:MSIL/BlackFus.C",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "TrojanProxy:Win32/Ceutv.A",
"display_name": "TrojanProxy:Win32/Ceutv.A",
"target": "/malware/TrojanProxy:Win32/Ceutv.A"
},
{
"id": "VirTool:Win32/Obfuscator.AHU",
"display_name": "VirTool:Win32/Obfuscator.AHU",
"target": "/malware/VirTool:Win32/Obfuscator.AHU"
},
{
"id": "ShellCode",
"display_name": "ShellCode",
"target": null
},
{
"id": "Win32:Rootkit",
"display_name": "Win32:Rootkit",
"target": null
},
{
"id": "VB Flash",
"display_name": "VB Flash",
"target": null
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Win.Packed.Razy-6847895-0",
"display_name": "Win.Packed.Razy-6847895-0",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!",
"display_name": "Backdoor:Win32/Plugx.N!",
"target": "/malware/Backdoor:Win32/Plugx.N!"
},
{
"id": "Win.Dropper.QQpass-7194329-0",
"display_name": "Win.Dropper.QQpass-7194329-0",
"target": null
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Win32:Agent",
"display_name": "Win32:Agent",
"target": null
},
{
"id": "Win.Trojan.Agent",
"display_name": "Win.Trojan.Agent",
"target": null
},
{
"id": "Win.Trojan.Emotet-7545664-0",
"display_name": "Win.Trojan.Emotet-7545664-0",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2362,
"domain": 449,
"hostname": 710,
"email": 6,
"FileHash-MD5": 260,
"FileHash-SHA1": 201,
"FileHash-SHA256": 333,
"SSLCertFingerprint": 27
},
"indicator_count": 4348,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "82 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69519fa81048ad057eb9beaa",
"name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)",
"description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. | \nWhere does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.",
"modified": "2026-01-27T21:02:45.343000",
"created": "2025-12-28T21:22:48.595000",
"tags": [
"united",
"servers",
"moved",
"ip address",
"record value",
"encrypt",
"present jul",
"present jun",
"trojandropper",
"passive dns",
"ipv4 add",
"urls",
"files",
"virtool",
"united states",
"dynamicloader",
"directui",
"element",
"classinfobase",
"write c",
"medium",
"yara rule",
"msvisualbasic60",
"high",
"hwndelement",
"explorer",
"write",
"movie",
"insert",
"program",
"python",
"http traffic",
"trojan generic",
"search",
"cnc activity",
"delphi",
"win32",
"launcher",
"pony",
"fareit",
"malware",
"push",
"msie",
"windows nt",
"generic",
"checkin",
"post",
"yara detections",
"rxr",
"inject",
"memcommit",
"cryptexportkey",
"invalid pointer",
"regsetvalueexa",
"solutions ltd",
"read c",
"regdword",
"mozilla",
"persistence",
"execution",
"android",
"unknown",
"learn",
"suspicious",
"informative",
"adversaries",
"ck id",
"name tactics",
"command",
"initial access",
"defense evasion",
"spawns",
"t1590 gather",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"pattern match",
"mitre att",
"ck matrix",
"href",
"ascii text",
"starfield",
"hybrid",
"general",
"local",
"path",
"iframe",
"palantir",
"present nov",
"present oct",
"status",
"present apr",
"present dec",
"cryp",
"date",
"trojan",
"title",
"name servers",
"windows",
"t1060",
"disables proxy",
"dock",
"pegasus",
"rootkit",
"backdoor",
"susp",
"win32qqpass feb",
"worm",
"msr win32",
"win64",
"process32nextw",
"findwindowa",
"file execution",
"writeconsolea",
"procexpl",
"file v2",
"document",
"document file",
"v2 document",
"lost",
"tools",
"pecompact",
"media",
"autorun",
"service",
"post http",
"delete",
"alerts",
"emotet",
"rkt",
"autorun",
"worm",
"plugins",
"title error",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"domain",
"expiration date",
"hostname add",
"pulse pulses",
"contacted hosts",
"sha1",
"sha256",
"show technique",
"strings",
"t1480 execution",
"signing defense",
"script urls",
"a domains",
"unknown ns",
"texas flyover",
"script domains",
"script script",
"meta",
"window",
"process details",
"contacted"
],
"references": [
"Cart.Guru",
"Yara Detections: Delphi",
"Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer",
"MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer",
"HTTP traffic on port 443 (POST)",
"IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query",
"Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs",
"Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http",
"Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates",
"Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http",
"Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe",
"Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check",
"Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad",
"Yara Detections: Nullsoft_NSIS ...",
"Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat",
"Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com",
"Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103",
"Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx",
"Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy",
"Emotet IDS Detections: Win32/Emotet CnC Checkin Response",
"Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users"
],
"public": 1,
"adversary": "Palantir Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "RXR",
"display_name": "RXR",
"target": null
},
{
"id": "Pony",
"display_name": "Pony",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "Trojan:Win32/Bagsu!rfn",
"display_name": "Trojan:Win32/Bagsu!rfn",
"target": "/malware/Trojan:Win32/Bagsu!rfn"
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Win32:MalOb-BX\\ [Cryp]",
"display_name": "Win32:MalOb-BX\\ [Cryp]",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "#Lowfi:Win32/SandboxProductId",
"display_name": "#Lowfi:Win32/SandboxProductId",
"target": "/malware/#Lowfi:Win32/SandboxProductId"
},
{
"id": "Win32:Backdoor",
"display_name": "Win32:Backdoor",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "ALF:Trojan:MSIL/BlackFus.C",
"display_name": "ALF:Trojan:MSIL/BlackFus.C",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "TrojanProxy:Win32/Ceutv.A",
"display_name": "TrojanProxy:Win32/Ceutv.A",
"target": "/malware/TrojanProxy:Win32/Ceutv.A"
},
{
"id": "VirTool:Win32/Obfuscator.AHU",
"display_name": "VirTool:Win32/Obfuscator.AHU",
"target": "/malware/VirTool:Win32/Obfuscator.AHU"
},
{
"id": "ShellCode",
"display_name": "ShellCode",
"target": null
},
{
"id": "Win32:Rootkit",
"display_name": "Win32:Rootkit",
"target": null
},
{
"id": "VB Flash",
"display_name": "VB Flash",
"target": null
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Win.Packed.Razy-6847895-0",
"display_name": "Win.Packed.Razy-6847895-0",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!",
"display_name": "Backdoor:Win32/Plugx.N!",
"target": "/malware/Backdoor:Win32/Plugx.N!"
},
{
"id": "Win.Dropper.QQpass-7194329-0",
"display_name": "Win.Dropper.QQpass-7194329-0",
"target": null
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Win32:Agent",
"display_name": "Win32:Agent",
"target": null
},
{
"id": "Win.Trojan.Agent",
"display_name": "Win.Trojan.Agent",
"target": null
},
{
"id": "Win.Trojan.Emotet-7545664-0",
"display_name": "Win.Trojan.Emotet-7545664-0",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2362,
"domain": 449,
"hostname": 710,
"email": 6,
"FileHash-MD5": 260,
"FileHash-SHA1": 201,
"FileHash-SHA256": 333,
"SSLCertFingerprint": 27
},
"indicator_count": 4348,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "82 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6923408464566e39caf32285",
"name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)",
"description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00",
"modified": "2025-12-23T16:04:54.329000",
"created": "2025-11-23T17:12:36.917000",
"tags": [
"no expiration",
"expiration",
"url https",
"url http",
"filehashsha256",
"hostname",
"domain",
"filehashmd5",
"filehashsha1",
"ipv4",
"code",
"pool",
"timothy pool",
"z3je z3uwq7",
"creation date",
"ip address",
"emails",
"expiration date",
"status",
"hostname add",
"pulse pulses",
"passive dns",
"urls",
"date"
],
"references": [
"https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba",
"Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted",
"http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com",
"https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com",
"www.techcult.com",
"http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com",
"https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE",
"truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com",
"yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com",
"lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json",
"162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/",
"http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing",
"http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site",
"2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt",
"IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)",
"IDS Detections: Observed Discord Domain (discord .com in TLS SNI)",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less",
"Yara: Detections ConventionEngine_Term_Users",
"Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents",
"Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly",
"Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc",
"Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process",
"Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name",
"Yara : MS_Visual_Basic_6_0 ,",
"Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser",
"Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly",
"Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile",
"Alerts: mouse_movement_detect",
"Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left",
"scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.",
"Foundry stalking."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanDropper:Win32/VB.IL0",
"display_name": "TrojanDropper:Win32/VB.IL0",
"target": "/malware/TrojanDropper:Win32/VB.IL0"
},
{
"id": "ALF:Trojan:Win32/Cassini_56a3061!ibt",
"display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt",
"target": null
},
{
"id": "Win.Ransomware.Msilzilla-10014498-0",
"display_name": "Win.Ransomware.Msilzilla-10014498-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1443",
"name": "Remotely Install Application",
"display_name": "T1443 - Remotely Install Application"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 773,
"FileHash-SHA1": 684,
"FileHash-SHA256": 1910,
"CVE": 2,
"SSLCertFingerprint": 4,
"URL": 3783,
"domain": 878,
"email": 7,
"hostname": 1913
},
"indicator_count": 9954,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "117 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68feb98a8c1b75b4431a3e8e",
"name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?",
"description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.",
"modified": "2025-11-25T20:05:31.749000",
"created": "2025-10-27T00:15:06.191000",
"tags": [
"html internet",
"html document",
"ascii text",
"language",
"cve202323397",
"iframe tags",
"tag manager",
"gtmkvjvztk",
"anchor hrefs",
"info ta0011",
"protocol",
"layer protocol",
"port",
"t1571 encrypted",
"channel",
"t1573 malware",
"tree",
"oc0006 http",
"c0014",
"get http",
"dns resolutions",
"resolved ips",
"user",
"data",
"datacrashpad",
"edge",
"v full",
"reports v",
"chrome u",
"appdata local",
"googlechrome u",
"u ser",
"cname",
"ip address",
"http",
"accept",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"shutdown",
"extraction",
"suggested iocs",
"data upload",
"cry dee",
"stop",
"type",
"url indicator",
"enter",
"failed",
"se share",
"extrac",
"enter so",
"passive dns",
"urls",
"hostname add",
"pulse pulses",
"files",
"domain",
"files ip",
"address",
"location united",
"asn as20473",
"dynamicloader",
"directui",
"write c",
"intel",
"ms windows",
"pe32",
"element",
"delete c",
"document file",
"v2 document",
"explorer",
"trojandropper",
"write",
"markus",
"august",
"movie",
"insert",
"pulse submit",
"url analysis",
"asn as8068",
"united",
"entries",
"body",
"please",
"x msedge",
"ipv4 add",
"present sep",
"present oct",
"present feb",
"status",
"unknown ns",
"search",
"name servers",
"present jul",
"aaaa",
"present apr",
"trojan",
"medium",
"high",
"yara rule",
"globalc",
"june",
"malware",
"win64",
"unknown",
"america flag",
"twitter",
"hostname",
"domain add",
"reverse dns",
"america asn",
"present aug",
"a domains",
"moved",
"first pqc",
"unknown aaaa",
"title",
"meta",
"window",
"encrypt",
"pulse indicator",
"body doctype",
"welcome",
"ok server",
"gmt content",
"atlanta",
"abuse",
"agent",
"service",
"present jun",
"present may",
"creation date",
"record value",
"servers",
"libretv meta",
"certificate",
"value",
"whois lookup",
"loopia ab",
"userlolxxl"
],
"references": [
"http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist",
"It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!",
"pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz",
"Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com",
"docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips",
"https://hs.ecam.com/your-challenges-ecams-solutions",
"https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022",
"https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/",
"Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Wannacry",
"display_name": "Wannacry",
"target": null
},
{
"id": "Foundry",
"display_name": "Foundry",
"target": null
},
{
"id": "Trojan:Win32/Comisproc!gmb",
"display_name": "Trojan:Win32/Comisproc!gmb",
"target": "/malware/Trojan:Win32/Comisproc!gmb"
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "#Exploit:Win32/CVE- 2023 - 23397",
"display_name": "#Exploit:Win32/CVE- 2023 - 23397",
"target": "/malware/#Exploit:Win32/CVE- 2023 - 23397"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "ALF:PulZati:Worm:Win32/Mydoom",
"display_name": "ALF:PulZati:Worm:Win32/Mydoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 8,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 248,
"FileHash-SHA1": 134,
"FileHash-SHA256": 2661,
"URL": 6257,
"domain": 682,
"email": 8,
"hostname": 2077,
"CVE": 1
},
"indicator_count": 12068,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "145 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68eff833ed84ceaf611521d2",
"name": "Tucker Carlson | AutInject \u2022 Zbot \u2022 CoinMiner \u2022 Zombie \u2022 Qbot affects his YouTube Channel (9.14.2025) ",
"description": "",
"modified": "2025-10-15T19:38:27.739000",
"created": "2025-10-15T19:38:27.739000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": "68c73fbd85dfbb4d41006ad1",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "186 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c73fbd85dfbb4d41006ad1",
"name": "Tucker Carlson Sam Altman YouTube Interview \u2022 Qbot | Malware with. Code Overlap",
"description": "Maybe it\u2019s a network issue. The TV I viewed interview from is in Arabic the every time. It\u2019s not\nmy\ntelevision or network, didn\u2019t get link from a logged in YouTube. Not a subscriber.. I viewed using (cc) close captioning. It\u2019s the only program n YouTube using another language for this interview. The only reason I\u2019ve visited this interview several time\u2019s since it\u2019s aired is to check for the same results. Every time only this interview uses another language for (cc).\n\nThere are related pulses by a few different users, experiencing similar personal issues. I\u2019d assume I\u2019d always get these results. Unclear\n\n* At the end of interview Tucker Carlson states YouTube is trying to suppress or delete this one interview.",
"modified": "2025-10-14T22:26:18.109000",
"created": "2025-09-14T22:20:45.617000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "187 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68aff672de7f1b65a97c00b1",
"name": "WarzoneRAT impacts Social Media of users with compromised systems",
"description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn",
"modified": "2025-09-27T05:00:09.125000",
"created": "2025-08-28T06:25:54.794000",
"tags": [
"d10927",
"mp41",
"mp41 connection",
"r connection",
"ip address",
"dynamicloader",
"write c",
"globalc",
"medium",
"high",
"write",
"dll read",
"trojan",
"delphi",
"win32",
"dialer",
"tracking",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"spawns",
"t1590 gather",
"mitre att",
"ck matrix",
"null",
"click",
"title",
"span",
"meta",
"general",
"local",
"path",
"strings",
"refresh",
"tools",
"virgin islands",
"united",
"unknown ns",
"a domains",
"montserrat",
"passive dns",
"ipv4",
"urls",
"files",
"hosting",
"trojandropper",
"location virgin",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"item",
"has description",
"unknown",
"explorer",
"error",
"powershell",
"yara rule",
"windows",
"t1055",
"warzonerat",
"avemaria",
"virtool",
"netwire",
"malware",
"hostile",
"autoit",
"defender",
"date",
"bq aug",
"next associated",
"ipv4 add",
"resolved ips",
"get http",
"request",
"win64",
"khtml",
"gecko",
"resolutions",
"number",
"ja3s",
"algorithm",
"cnr12 cus",
"cname",
"accept",
"port",
"gmt ifnonematch",
"screenshots no",
"involved dns",
"name response",
"nxdomain",
"tcp connections",
"involved direct",
"country name",
"moved",
"alone email",
"body doctype",
"gmt server",
"content type",
"service privacy",
"cve"
],
"references": [
"http://remote.edikamin.com/",
"http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C",
"http://deposito.hostance.net/dialer/",
"Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT",
"Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net",
"DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net",
"Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1",
"simswap.in (possible Mirai or relationship to)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Virgin Islands, British"
],
"malware_families": [
{
"id": "Trojan:Win32/Diamin.F",
"display_name": "Trojan:Win32/Diamin.F",
"target": "/malware/Trojan:Win32/Diamin.F"
},
{
"id": "Dialer",
"display_name": "Dialer",
"target": null
},
{
"id": "Win32:CabMod\\ [Drp]",
"display_name": "Win32:CabMod\\ [Drp]",
"target": null
},
{
"id": "TrojanDropper:Win32/Hupigon.gen!A",
"display_name": "TrojanDropper:Win32/Hupigon.gen!A",
"target": "/malware/TrojanDropper:Win32/Hupigon.gen!A"
},
{
"id": "ALF:HeraklezEval:PUA:Win32/Keygen",
"display_name": "ALF:HeraklezEval:PUA:Win32/Keygen",
"target": null
},
{
"id": "Trojan:Win32/Startpage.AEA",
"display_name": "Trojan:Win32/Startpage.AEA",
"target": "/malware/Trojan:Win32/Startpage.AEA"
},
{
"id": "Banload",
"display_name": "Banload",
"target": null
},
{
"id": "TrojanDownloader:Win32/Banload.D",
"display_name": "TrojanDownloader:Win32/Banload.D",
"target": "/malware/TrojanDownloader:Win32/Banload.D"
},
{
"id": "Win32:Evo-gen",
"display_name": "Win32:Evo-gen",
"target": null
},
{
"id": "!#AddsCopy-ToStartup",
"display_name": "!#AddsCopy-ToStartup",
"target": null
},
{
"id": "VirTool:Win32/AutInject.CZ!bit",
"display_name": "VirTool:Win32/AutInject.CZ!bit",
"target": "/malware/VirTool:Win32/AutInject.CZ!bit"
},
{
"id": "Win.Trojan.Agent-316098",
"display_name": "Win.Trojan.Agent-316098",
"target": null
},
{
"id": "virtool:Win32/Injector.gen!BQ",
"display_name": "virtool:Win32/Injector.gen!BQ",
"target": "/malware/virtool:Win32/Injector.gen!BQ"
},
{
"id": "WarzoneRAT - S0670",
"display_name": "WarzoneRAT - S0670",
"target": null
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
}
],
"industries": [
"Technology",
"Telecommunications",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4194,
"hostname": 1563,
"FileHash-SHA256": 2494,
"domain": 624,
"FileHash-MD5": 274,
"FileHash-SHA1": 226,
"email": 1,
"CVE": 1
},
"indicator_count": 9377,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "205 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68a956460f257cf96c454071",
"name": "Piracy \u2022 Cloudfront \u2022 Ransom \u2022 Code Overlaps \u2022 Unrelenting attacks.",
"description": "Indie songwriter , publisher, promoter, producer & her artists affected by years long copyright infringement , hacking & reputation damage. Website now downed.\n\nBrashears had been involved in music under pseudonyms for decades as a was songwriter , ghostwriter, sold catalogs , charting singles, chops was sponsored. In this instance music was grossly pirated. Initially asked for hook rights then told hook would be used without her permission. Believed dispute resolved verbally + copyright.\n\nTsara learned from an insider/s her hook was pirated & used by artists listed. Modifications make songs pirated samples.\nBrashears song written in 2010 later vaulted in a private catalog later released by her artist. YouTube audio quality tampering on pirated song. \n\nBrashears loved music, not the industry as an artist; preferring business. Always held her privacy to remain unknown. Tsara lived 10 lives at once.\n\nLikely involves male who contacted her @ by email as mentioned in earlier pulse.\n#trulymissed",
"modified": "2025-09-21T21:03:28.771000",
"created": "2025-08-23T05:48:54.534000",
"tags": [
"domains",
"hashes",
"passive dns",
"urls",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"a domains",
"entries",
"next associated",
"files show",
"date hash",
"avast avg",
"trojanspy",
"entries http",
"scans show",
"search",
"body",
"body doctype",
"dynamicloader",
"medium",
"reg add",
"regsz d",
"high",
"windows",
"audio drivers",
"write c",
"virtool",
"copy",
"write",
"june",
"united",
"unknown ns",
"samsara",
"new york",
"city ny",
"ip address",
"record value",
"meta",
"date",
"music",
"encrypt",
"win32",
"dangeroussig",
"lowfi",
"msie",
"chrome",
"precondition",
"trojan",
"title",
"canada unknown",
"unknown cname",
"domain add",
"files",
"location united",
"hostname add",
"verdict",
"domain",
"files ip",
"address",
"asn as13335",
"hash avast",
"avg clamav",
"msdefender feb",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"file",
"size",
"ascii text",
"pattern match",
"august",
"hybrid",
"general",
"path",
"click",
"strings",
"roboto",
"mozilla",
"contact",
"t1179 hooking",
"installs",
"t1035 service",
"crlf line",
"runtime process",
"malicious",
"unknown",
"ssl certificate",
"defense evasion",
"amazon02",
"americachicago",
"windows nt",
"win64",
"khtml",
"gecko",
"veryhigh",
"found",
"geo menifee",
"california",
"as30148",
"us note",
"route",
"ptr record",
"information",
"t1053",
"taskjob",
"t1055",
"injection",
"t1082",
"t1112",
"modify registry",
"t1119",
"t1129",
"service",
"capture",
"url http",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"showing",
"ipv6",
"ipv4",
"dicator role",
"title added",
"active related",
"sweden",
"netherlands",
"scan",
"iocs",
"learn more",
"types of",
"kingdom",
"united kingdom",
"denmark",
"icator role",
"malware attacks",
"find encrypted",
"t1021",
"remote",
"t1068",
"ta0043",
"t1016",
"discovery",
"t1221",
"nobody love",
"tori",
"kelley",
"dj khaled",
"justin bieber",
"sophos video",
"x rack",
"x frame",
"october",
"songculture",
"song culture",
"tsara brashears",
"jess 4",
"queryfoundry",
"beyond sampling",
"pirated",
"youtube",
"spotify",
"twitter",
"spy",
"tracking"
],
"references": [
"https://songculture.com/tsara-brashears-music | Cloudfront below was attached to body of work",
"https://d3jjg4nf4bbybe.cloudfront.net/u/210425/397f80d871fe6dla1704cela4b712e387ed8a48a/large/kedence-out-of-my-sight",
"\"Nobody Love\" Tori Kelley \"'m the One\" DJ Khaled ft Justin Bieber (Pirated Hook)",
"8-25-220-162-static.reverse.queryfoundry.net",
"http://117-114-251-162-static.reverse.queryfoundry.net/ - queryfoundry.net",
"https://www.youtube.com/watch?v=bJWJbOqg9cM - Falsely flagged to demonetize and not rank",
"Dr.Web violence/adult content (False) ThreatSeeker social web - youtube",
"music.apple.com \u2022 linktr.ee \u2022 sentient.industries? samsara has been showing up often.",
"There is money in the industry for well established , \u2018souled\u2019 out artists. It\u2019s a racket! T signed & exited early",
"Worked at some studios attacked by Lazarus Group who allegedly attacked Sony Music",
"I apologize if you don\u2019t like my background stories",
"\u2018Passin\u2019 I deleted the pulses you asked me to. Your links were malicious. I haven\u2019t weaponize anything I\u2019ve learned... yet"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Nivdort",
"display_name": "Nivdort",
"target": null
},
{
"id": "Virtool",
"display_name": "Virtool",
"target": null
},
{
"id": "Evo",
"display_name": "Evo",
"target": null
},
{
"id": "Trojanspy",
"display_name": "Trojanspy",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Malware Gen",
"display_name": "Malware Gen",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1021",
"name": "Remote Services",
"display_name": "T1021 - Remote Services"
},
{
"id": "T1022",
"name": "Data Encrypted",
"display_name": "T1022 - Data Encrypted"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1221",
"name": "Template Injection",
"display_name": "T1221 - Template Injection"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1593.001",
"name": "Social Media",
"display_name": "T1593.001 - Social Media"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
}
],
"industries": [
"Media",
"Technology",
"Telecommunications"
],
"TLP": "green",
"cloned_from": null,
"export_count": 33,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1833,
"hostname": 902,
"domain": 386,
"FileHash-MD5": 406,
"FileHash-SHA1": 402,
"FileHash-SHA256": 1437,
"email": 2,
"SSLCertFingerprint": 5,
"CIDR": 2
},
"indicator_count": 5375,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "210 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68958d96a43dd0d3b5a65220",
"name": "Mirai Communication Networks Inc",
"description": "BGP Mirai Communication Networks Inc. May be used for Red Hat activities considered enterprise open source solutions. Used for adversarial motives. Abuse.\nResearched a device-local-**********.remotewd.com found in last residential community a monitored target lived.",
"modified": "2025-09-07T05:03:49.633000",
"created": "2025-08-08T05:39:34.315000",
"tags": [
"united",
"unknown ns",
"moved",
"passive dns",
"ip address",
"cloudfront x",
"hio50 c1",
"a domains",
"domains",
"meta",
"mirai",
"apache",
"url hostname",
"server response",
"google safe",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"command",
"found",
"mitre att",
"ck techniques",
"sha256",
"sha1",
"ascii text",
"pattern match",
"size",
"null",
"refresh",
"body",
"span",
"august",
"hybrid",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"defense evasion",
"t1480 execution",
"file defense",
"show technique",
"ck matrix",
"adversaries",
"general",
"starfield",
"iframe",
"onload",
"status",
"urls",
"domain",
"name servers",
"hostname",
"files",
"files ip",
"certificate",
"urls show",
"results aug",
"entries",
"show process",
"utf8",
"crlf line",
"network traffic",
"title error",
"next associated",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"meta http",
"equiv content",
"win32",
"trojan",
"servers",
"search",
"whois show",
"record value",
"emails",
"name legal",
"department name",
"address po",
"city seattle",
"present oct",
"present jul",
"present dec",
"present aug",
"files domain",
"files related",
"related tags",
"none google",
"safe browsing",
"external",
"data upload",
"extraction",
"include review",
"exclude sugges",
"uny inuuue",
"find s",
"extr",
"typ dom",
"failed",
"extri data",
"mirai meta",
"japan unknown",
"miraipcok meta",
"overview ip",
"address",
"location united",
"asn as15169",
"nameservers",
"less whois",
"registrar",
"overview domain",
"address domain",
"ip whois",
"title",
"create c",
"read c",
"delete",
"write",
"medium",
"create",
"showing",
"rgba",
"next",
"dock",
"execution",
"malware",
"sqlite rollback",
"jfif",
"journal",
"regsetvalueexa",
"ascii",
"regdword",
"baidu",
"url add",
"http",
"related nids",
"files location",
"flag united",
"redacted for",
"unknown aaaa",
"hostname add",
"url analysis",
"encrypt",
"date",
"germany unknown",
"ascio",
"creation date",
"alfper",
"ipv4 add",
"reverse dns",
"mozilla",
"set spray",
"pty ltd",
"date checked",
"present jun",
"present nov",
"present may",
"present mar",
"present sep",
"present jan",
"for privacy",
"lngen",
"ransom",
"virtool",
"exploit",
"as133618",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"related pulses",
"asn as133618",
"whois registrar",
"ietfdtd html",
"gmt server",
"debian",
"dynamicloader",
"unknown",
"feat",
"query",
"installer",
"results oct",
"results jan",
"aaaa",
"tlsv1",
"stcalifornia",
"lmountain view",
"ogoogle llc",
"ogoogle trust",
"cngts ca",
"lowfi",
"urlshortner aug",
"urlshortner jul",
"urlshortner",
"write c",
"high",
"et exploit",
"probe ms17010",
"f codeoverlap",
"copy",
"contacted",
"w3wwhb",
"svwjh5dd u",
"uv5b usvwu",
"f us3v9",
"cu codeoverlap",
"filehash",
"sha256 add",
"monitored target",
"sloffeefoundry.com",
"apple",
"samsung",
"galaxy",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"persistence",
"edge",
"bing",
"racism",
"amazon music",
"ios",
"twitter",
"googleapis",
"denver"
],
"references": [
"Researched: 210.172.192.15 | p192015.mirai.ne.jp | sanso-mirai.jp",
"Mirai Communication Network Inc. (AS7690) Seto, Japan ASN is a BGP Network",
"*ccm-command-center.int.m1np.symetra.cloud",
"Monitored Target/s",
"https://hybrid-analysis.com/sample/ff37a006ed8677bafa412d653ce9adfe84744702f28f7dfe9f5f4ec51b599419/689505a3a647793a0300f73f",
"https://hybrid-analysis.com/sample/d30cf86f09e3ab7bb7d0a4ac2608aafb31e07c94fe77f5a264ccdb35fe153c59/689505ded9be5613900509fd",
"https://hybrid-analysis.com/sample/f6e628e57373bf795bae87c883dcaefdbb720960133edc1adacc6146d10fc88a",
"https://otx.alienvault.com/indicator/ip/210.172.192.15",
"https://otx.alienvault.com/indicator/domain/sanso-mirai.jp",
"device-local-**********. remotewd.com",
"https://sms-apple.com/login",
"https://www.exito.com/galaxy-m12-64-gb-negro-samsung-sm-m127fzkkcoo-3016108/p",
"https://4.img-dpreview.com/files/p/articles/2356747397/samsung_nv24hd_bk.jpeg",
"https://shell-gift.website/sweeps/de/amazon-voucher/question1000-agg/index.html?uclick=qdlpqnvr&uclickhash=qdlpqnvr-qdlpqnvr-pmwj-0-xsi4-hovr-hoi4-9b6533",
"api.omgpornpics.com",
"http://www.mylifelawyer.com/services/denver-affordable-lawyer-child-custody/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Crypt-142",
"display_name": "Win.Trojan.Crypt-142",
"target": null
},
{
"id": "#Lowfi:SIGATTR:URLShortner",
"display_name": "#Lowfi:SIGATTR:URLShortner",
"target": null
},
{
"id": "Win.Trojan.14278494-1",
"display_name": "Win.Trojan.14278494-1",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "ransom:Win32/WannaCrypt.H",
"display_name": "ransom:Win32/WannaCrypt.H",
"target": "/malware/ransom:Win32/WannaCrypt.H"
},
{
"id": "Ransom:Win32/WannaCrypt.H",
"display_name": "Ransom:Win32/WannaCrypt.H",
"target": "/malware/Ransom:Win32/WannaCrypt.H"
},
{
"id": "Mirai Communications",
"display_name": "Mirai Communications",
"target": null
},
{
"id": "Alfper",
"display_name": "Alfper",
"target": null
},
{
"id": "telper:HSTR:CLEAN:Ninite",
"display_name": "telper:HSTR:CLEAN:Ninite",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
}
],
"industries": [
"Technology",
"Telecommunications"
],
"TLP": "green",
"cloned_from": null,
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8962,
"domain": 1671,
"hostname": 2125,
"FileHash-SHA256": 2031,
"FileHash-MD5": 718,
"FileHash-SHA1": 523,
"SSLCertFingerprint": 12,
"email": 7,
"CVE": 1
},
"indicator_count": 16050,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "225 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6867653f0b2d5f4f1abeb55c",
"name": "Graphite Mercenary Spyware? Skynet- I failed to adequately research prior pulse. Uh\u2026.hi!",
"description": "",
"modified": "2025-08-03T04:01:39.496000",
"created": "2025-07-04T05:23:11.056000",
"tags": [
"utc ua124682679",
"google tag",
"utc gr8frkfel9k",
"utc gjycztvzbg0",
"utc gfjlg9p3ltd",
"utc g8dm6znp88p",
"utc gvev1mxhhbn",
"utc na",
"palco",
"home",
"palco og",
"palco article",
"wordpress",
"elementor",
"status code",
"body length",
"kb body",
"rdap database",
"server",
"date",
"country",
"dnssec",
"code",
"registrar abuse",
"registrar iana",
"registrar url",
"registrar whois",
"registrar",
"ttl value",
"language",
"html document",
"ascii text",
"doctype",
"network",
"solutions",
"email",
"lookups",
"for privacy",
"united",
"creation date",
"overview domain",
"passive dns",
"urls",
"files ip",
"address",
"location united",
"asn as13335",
"meta",
"accept",
"present mar",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"results jul",
"present jun",
"present apr",
"entries",
"urls show",
"results jun",
"script urls",
"a domains",
"moved",
"encrypt",
"search",
"body",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"version list",
"gmt content",
"certificate",
"results jan",
"present sep",
"present may",
"present jul",
"backdoor",
"next associated",
"win32",
"error",
"present",
"response ip",
"address google",
"safe browsing",
"associated urls",
"show",
"results may",
"virgin islands",
"unknown soa",
"unknown ns",
"domain",
"aaaa",
"status",
"record value",
"name servers",
"afe browsing",
"gmt setcookie",
"path",
"vfrbuk1",
"lefasbor1",
"formula",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"medium risk",
"yara",
"malware",
"copy",
"present showing",
"files show",
"date hash",
"avast avg",
"showing",
"present feb",
"virtool",
"datacenter",
"hosting",
"vps reverse",
"america flag",
"america asn",
"graphite",
"skynet",
"win64",
"expiration date",
"domain add",
"pulse pulses",
"files",
"present nov",
"present aug",
"kryptikxp",
"cname",
"whois registrar",
"markmonitor",
"pulses",
"tags",
"related tags",
"more indicator",
"default",
"regsetvalueexa",
"process32nextw",
"regdword",
"high",
"medium",
"todo",
"write",
"belize",
"overview ip",
"location belize",
"asn as210083",
"privex",
"alone email",
"body doctype",
"gmt server",
"content type",
"t1055",
"discovery",
"read",
"createnowindow",
"dock",
"push",
"motd",
"front",
"duster"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6867624b645b1724745d6584",
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2054,
"hostname": 368,
"domain": 251,
"CIDR": 1,
"FileHash-MD5": 492,
"FileHash-SHA1": 522,
"URL": 508,
"email": 8,
"CVE": 1
},
"indicator_count": 4205,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "260 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6867624b645b1724745d6584",
"name": "BotX | Multiple attack affects \u2018alleged\u2019 Workforce agency",
"description": "A \u2018Unnamed\u2019 workforce agency of questionable legitimacy.\nSerious social engineering. #financial. #pii #phi #gathering. \n#Win32:BotX-gen\\ [Trj]\nIDS Detections\n\u2022 TLS Handshake Failure\nAlerts:\n#dead_host\n#network_icmp\n#nolookup_communication\n#modifies_proxy_wpad\n#allocates_rwx\n#injection_process_search\n#protection_rx\n#antivm_network_adapters\n#process_interest\n#antivm_queries_computername\n#checks_debugger\n#pe_unknown_resource\n#injection #apple #remote #rat #dns #virus #malware #bot_gen #attack #masquerading #monitored_target #staged #worforce #whatstrue #withu4ever\n#hoax #banker #ransom #malvertising #innerparty #overwatch #endgame #mirai #virtool #trojans #privilege #meritless #apple \nWeirdness: \n\u2022 simswap.in (mirai)\n\u2022 twitter\n\u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\ngirlsdoporn.com\t\n\u2022 https://twitter.com/PORNO_SEXYBABES\n\u2022 apple-dns.net\n\u2022 pornhub.com \u2022 www.pornhub.com #1984\n#whatdidtargetdo? #preemptive\n#Team8 wants to know.",
"modified": "2025-08-03T04:01:39.496000",
"created": "2025-07-04T05:10:35.672000",
"tags": [
"utc ua124682679",
"google tag",
"utc gr8frkfel9k",
"utc gjycztvzbg0",
"utc gfjlg9p3ltd",
"utc g8dm6znp88p",
"utc gvev1mxhhbn",
"utc na",
"palco",
"home",
"palco og",
"palco article",
"wordpress",
"elementor",
"status code",
"body length",
"kb body",
"rdap database",
"server",
"date",
"country",
"dnssec",
"code",
"registrar abuse",
"registrar iana",
"registrar url",
"registrar whois",
"registrar",
"ttl value",
"language",
"html document",
"ascii text",
"doctype",
"network",
"solutions",
"email",
"lookups",
"for privacy",
"united",
"creation date",
"overview domain",
"passive dns",
"urls",
"files ip",
"address",
"location united",
"asn as13335",
"meta",
"accept",
"present mar",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"results jul",
"present jun",
"present apr",
"entries",
"urls show",
"results jun",
"script urls",
"a domains",
"moved",
"encrypt",
"search",
"body",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"version list",
"gmt content",
"certificate",
"results jan",
"present sep",
"present may",
"present jul",
"backdoor",
"next associated",
"win32",
"error",
"present",
"response ip",
"address google",
"safe browsing",
"associated urls",
"show",
"results may",
"virgin islands",
"unknown soa",
"unknown ns",
"domain",
"aaaa",
"status",
"record value",
"name servers",
"afe browsing",
"gmt setcookie",
"path",
"vfrbuk1",
"lefasbor1",
"formula",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"medium risk",
"yara",
"malware",
"copy",
"present showing",
"files show",
"date hash",
"avast avg",
"showing",
"present feb",
"virtool",
"datacenter",
"hosting",
"vps reverse",
"america flag",
"america asn",
"graphite",
"skynet",
"win64",
"expiration date",
"domain add",
"pulse pulses",
"files",
"present nov",
"present aug",
"kryptikxp",
"cname",
"whois registrar",
"markmonitor",
"pulses",
"tags",
"related tags",
"more indicator",
"default",
"regsetvalueexa",
"process32nextw",
"regdword",
"high",
"medium",
"todo",
"write",
"belize",
"overview ip",
"location belize",
"asn as210083",
"privex",
"alone email",
"body doctype",
"gmt server",
"content type",
"t1055",
"discovery",
"read",
"createnowindow",
"dock",
"push",
"motd",
"front",
"duster"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2054,
"hostname": 368,
"domain": 251,
"CIDR": 1,
"FileHash-MD5": 492,
"FileHash-SHA1": 522,
"URL": 508,
"email": 8,
"CVE": 1
},
"indicator_count": 4205,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "260 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6783a05fdf5dfcce431a48c8",
"name": "sklep@ginko.garden",
"description": "",
"modified": "2025-02-11T10:00:01.364000",
"created": "2025-01-12T10:58:35.161000",
"tags": [
"nazwa podmiotu",
"cieka",
"cieka d",
"pasywny dns",
"powizane",
"nagrywa warto",
"xmlns http",
"div div",
"ustaw plik",
"roliny",
"meta",
"pragma",
"unizeto"
],
"references": [
"Odpis_Aktualny_KRS_0001051191.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 19,
"email": 1,
"hostname": 44,
"URL": 88,
"FileHash-MD5": 3,
"FileHash-SHA1": 1,
"FileHash-SHA256": 76
},
"indicator_count": 232,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "432 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "66e87da28b9c1611223c1a6b",
"name": "Telegram - Remote install | log4shell-generic | Botnet | Pegasus Relationship",
"description": "0.0.0.0 Day: Exploiting Localhost APIs From the Browser.\nA root of device issues: \nTarget was remotely subscribed to Telegram 10/23. This phone silently made 2 calls to (380) 222-3333. An activation code for blacklisted t.me/login/***** received by text. Target remembers this occured during sleep. Pegasus relationship. Mirai relationship auto-populated. Reference to new Mirai infection. I didn't find Mirai IoC's\nBrian Hau? Lol, idk about that.\n|| SLFPER:SoftwareBundler:Win32/Dlhelper\n#Lowfi:LUA:AutoItV3CraftedOverlay\nALF:HeraklezEval:Trojan:Win32/Ymacco\nBackdoor:Win32/Tofsee\nMirai\nTEL:Exploit:O97M/CVE-2017-8570\nTofsee\nTrojan:Win32/Glupteba\nTrojan:Win32/Kryptik\nTrojan:Win32/Mydoom\nWin.Packed.Enigma-10023199-0\nWin.Packer.pkr_ce1a-9980177-0\nWin32:PWSX-gen\\ [Trj]",
"modified": "2024-10-16T15:00:45.833000",
"created": "2024-09-16T18:49:06.831000",
"tags": [
"dynamicloader",
"high",
"windows",
"medium",
"grum",
"yara detections",
"contacted",
"installs",
"windows startup",
"application",
"tofsee",
"stream",
"less see",
"copy",
"aaaa",
"virgin islands",
"whitelisted",
"antigua",
"org domains",
"proxy",
"code",
"search",
"united",
"unknown",
"msie",
"chrome",
"passive dns",
"formbook cnc",
"checkin",
"entries",
"body",
"possible",
"mozilla",
"delete c",
"windows nt",
"show",
"owotrus ca",
"limited",
"cnwotrus dv",
"server ca",
"write",
"malware",
"encrypt",
"as36647 oath",
"backdoor",
"trojan",
"all scoreblue",
"ipv4",
"urls",
"ransom",
"trojan features",
"related pulses",
"file samples",
"files matching",
"date hash",
"memcommit",
"read c",
"win32",
"icmp traffic",
"memreserve",
"showing",
"exploit",
"mirai",
"barbuda",
"barbuda unknown",
"hacktool",
"program",
"python",
"macintosh",
"intel mac",
"os x",
"khtml",
"gecko",
"bios",
"guard",
"updater",
"launcher",
"div div",
"span div",
"span svg",
"status",
"bugs",
"span",
"meta",
"path",
"div h3",
"telegram strong",
"a li",
"virtool",
"class",
"tour",
"read",
"delete",
"top source",
"top destination",
"as46606",
"change",
"moved",
"certificate",
"creation date",
"record value",
"suite",
"hostname",
"cookie",
"asnone united",
"as29873",
"cname",
"domain",
"url analysis",
"redacted for",
"script urls",
"a domains",
"as8560",
"germany unknown",
"name servers",
"for privacy",
"files",
"verdict",
"as393245 oath",
"mtb sep",
"servers",
"expiration date",
"overview domain",
"files ip",
"address",
"location united",
"asn as22612",
"whois registrar",
"namecheap inc",
"as22612",
"content type",
"apache",
"secure server",
"dnssec",
"meta http",
"content",
"gmt server",
"litespeed x",
"http scans",
"equiv cache",
"script endif",
"create c",
"wow64",
"slcc2",
"media center",
"write c",
"next",
"dock",
"execution",
"capture",
"xport",
"united kingdom",
"a nxdomain",
"as24940 hetzner",
"emails",
"script script",
"param",
"script",
"ul div",
"global domains",
"international",
"bank",
"agent",
"stack",
"life",
"win32mydoom sep",
"title",
"enigmaprotector",
"dynamic",
"powershell",
"filehash",
"worm",
"a div",
"all search",
"lowfi",
"copyright",
"as54994 quantil",
"as15169",
"virustotal",
"drweb",
"vipre",
"downloader",
"panda",
"local",
"dns replication",
"technology",
"server",
"privacy billing",
"email",
"registrar abuse",
"organization",
"privacy tech",
"privacy admin",
"algorithm",
"first",
"v3 serial",
"number",
"cus ogoogle",
"trust",
"cnwe1 validity",
"subject public",
"key info",
"key algorithm",
"scan endpoints",
"pulse pulses",
"federation asn",
"as49505",
"labs pulses",
"internet",
"iana",
"city",
"los angeles",
"orgabusephone",
"orgid",
"iana ref",
"orgtechhandle",
"iana special",
"103.28.36.182",
"pegasus",
"103.224.212.222",
"103.129.252.44",
"162.0.215.111",
"apple",
"apple-access.com",
"as8075",
"date",
"phishing",
"csam",
"pii",
"piiexposure",
"flag",
"domain address",
"llc name",
"contacted hosts",
"ip address",
"process details"
],
"references": [
"Telegram | Indicator: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP",
"Telegram - https://t.me/login/***** | fFileHash-SHA256 cecaa6014e0cdc41ead0b076169175c9342a2ccc4b3e48549f88ea87ba8c034",
"Alerts: injection_inter_process creates_largekey network_bind persistence_autorun persistence_autorun_tasks",
"Alerts: spawns_dev_util cape_detected_threat injection_process_hollowing antivm_generic_services",
"Alerts: deletes_executed_files injection_runpe persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading resumethread_remote_process powershell_download powershell_request",
"*WEBSITE.WS Your Internet Address For Life",
"Telegram | IP 66.235.200.146 | Indicator Possible recent Mirai infection",
"Datacenter / Hosting / VPS Reverse DNS host77.ipowerweb.com Location United States",
"IDS Detections: W32/Zbot.Variant Fake MSIE 6.0 UA FormBook CnC Checkin (GET) FormBook CnC Checkin (GET) FormBook CnC Checkin (GET)",
"User-Agent (Mozilla) - Possible Spyware Related WinHttpRequest Downloading EXE Likely Evil EXE download from WinHttpRequest non-exe extension",
"ASN AS13335 cloudflare DNS Resolutions",
"0.0.0.0 log4shell-generic-z8lrtjkgkm4zhi6necwi.r.nessus.org",
"IDS: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP | Not Russia - Americans Masquerading",
"federallegionconnbot.t.me",
"thevipporn.com porn25.com lowendporn.com pz7.iqg29.cn",
"pegasusintel.com",
"appleid-support.com apple-access.com appleid-support.com demo171.apple.com apple.k8s.joewa.com w-t-blu-371ac852.cloudapp.net",
"log4shell-generic-ammqgekxvatp3a2qyw71ten.r.nessus.org play.google.com demo171.apple.com apps.apple.com",
"Alleged CSAM Alleged Phishing Alleged PIIExposure",
"https://t.me/login/36861 = GET /login/36861 | Server: nginx/1.18.0"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
},
{
"id": "Win32:PWSX-gen\\ [Trj]",
"display_name": "Win32:PWSX-gen\\ [Trj]",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Trojan:Win32/Glupteba",
"display_name": "Trojan:Win32/Glupteba",
"target": "/malware/Trojan:Win32/Glupteba"
},
{
"id": "Trojan:Win32/Kryptik",
"display_name": "Trojan:Win32/Kryptik",
"target": "/malware/Trojan:Win32/Kryptik"
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Win.Packed.Enigma-10023199-0",
"display_name": "Win.Packed.Enigma-10023199-0",
"target": null
},
{
"id": "TEL:Exploit:O97M/CVE-2017-8570",
"display_name": "TEL:Exploit:O97M/CVE-2017-8570",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco",
"target": null
},
{
"id": "SLFPER:SoftwareBundler:Win32/Dlhelper",
"display_name": "SLFPER:SoftwareBundler:Win32/Dlhelper",
"target": null
},
{
"id": "#Lowfi:LUA:AutoItV3CraftedOverlay",
"display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
}
],
"industries": [
"Telecommunications"
],
"TLP": "green",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1226,
"FileHash-SHA256": 1691,
"FileHash-MD5": 807,
"FileHash-SHA1": 781,
"URL": 429,
"hostname": 1124,
"SSLCertFingerprint": 7,
"CVE": 1,
"email": 16,
"CIDR": 1
},
"indicator_count": 6083,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 232,
"modified_text": "550 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "66a4293d5bc5c915eac829e0",
"name": "Ransom:Win32/Crowti.A : Android Windows | Win.Trojan.Simda CnC",
"description": "",
"modified": "2024-08-25T21:00:52.039000",
"created": "2024-07-26T22:54:53.598000",
"tags": [
"united",
"unknown",
"a domains",
"accept",
"link",
"passive dns",
"encrypt",
"trmp",
"ok server",
"date",
"meta",
"whois lookup",
"create date",
"domain",
"expiry date",
"update date",
"update",
"algorithm",
"data",
"v3 serial",
"number",
"cus olet",
"encrypt cnr10",
"validity",
"public key",
"info",
"key algorithm",
"dns replication",
"subdomains",
"first",
"historical ssl",
"record type",
"ttl value",
"cname",
"certificates",
"show",
"entries",
"yara rule",
"delete",
"search",
"intel",
"ms windows",
"copy",
"binary file",
"get updates",
"write",
"as44273 host",
"redacted for",
"moved",
"record value",
"as54113",
"body",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"urls",
"files",
"ip address",
"files ip",
"address domain",
"as61969 team",
"germany unknown",
"msie",
"chrome",
"precondition",
"gmt content",
"united kingdom",
"as396982 google",
"as8075",
"ireland unknown",
"as21301",
"aaaa",
"status",
"sha1",
"windows nt",
"sha256",
"size",
"ascii text",
"pattern match",
"mitre att",
"ck id",
"show technique",
"span",
"format",
"click",
"hybrid",
"twitter",
"generator",
"tsvt",
"strings",
"download",
"path",
"contact",
"suspicious",
"invalid url",
"open ports",
"body html",
"head title",
"title head",
"body h1",
"reference",
"bad request",
"server",
"version",
"trojandropper",
"ransom",
"checkin",
"ipv4",
"trojan",
"virtool",
"http post",
"theme directory",
"without referer",
"cycbot",
"http response",
"final url",
"status code",
"body length",
"kb body",
"headers server",
"gmt etag",
"gmt date",
"referrer",
"code signing",
"serial number",
"ca valid",
"from",
"valid",
"valid usage",
"verisign time",
"stamping",
"thumbprint",
"class",
"error",
"info header",
"name md5",
"type",
"language",
"contained",
"overlay",
"gandi sas",
"dynadot",
"registrar",
"dynadot inc",
"cloudflare",
"net technology",
"corporation",
"bigrock",
"dynadot llc",
"namecheap",
"ip detections",
"country",
"contacted",
"defense evasion",
"access ta0006",
"ta0009 command",
"control ta0011",
"impact ta0034",
"impact ta0040",
"ta0040",
"samplepath",
"pattern urls",
"pattern domains",
"memory pattern",
"domains domain",
"ip traffic",
"typo squatting",
"realteck audio",
"phish",
"mr windows",
"partru",
"goog mal",
"android windows",
"maze",
"apple",
"malware",
"worm",
"skynet",
"microsoft",
"trojan evader",
"simda cnc",
"showing",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"delphi",
"network",
"crowdstrike"
],
"references": [
"43.204.54.95 AS 16509 (AMAZON-02), http://r10.i.lencr.org/, www.maketrumppresidentagain.site",
"trojan.shiz/razy: FileHash-SHA256 02ed9fac1ebab76f551f1c27c0831541a3e0a6a716b392b16f34689b8fba08d8",
"trojan.shiz/razy | CS Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Benche",
"trojan.shiz/razy | CS IDS: Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst",
"trojan.shiz/razy | CS IDS: Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda Matches rule PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning",
"trojan.shiz/razy | CS IDS: Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan",
"trojan.shiz/razy | CS IDS: Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan",
"trojan.shiz/razy | CS IDS: Matches rule PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning",
"trojan.shiz/razy | Capabilities Collection Log keystrokes via polling",
"https://www.virustotal.com/gui/file/02ed9fac1ebab76f551f1c27c0831541a3e0a6a716b392b16f34689b8fba08d8/detection",
"https://otx.alienvault.com/indicator/file/e6f8e2706058064d8f38d12923e52cec7a128218b39ca1fe60a2dde7ac3d158f | binary_yara mpress_2_xx_x86",
"Ransom:Win32/Crowti.A: FileHash-SHA256 1ffa6a3f8844b5955fc5e7329a6fb766cc1f35b39201ceaf0bca282b5b0b8cf6",
"Ransom:Win32/Crowti.A: FileHash-MD5 d34cf3663902900ddf46b937449472b9",
"Ransom:Win32/Crowti.A: FileHash-SHA1 05a49b7502099932ff628ca5a8583397b7e2dca2",
"VirTool:Win32/Injector: FileHash-SHA256 0806653f8af2e9c2530e453f8b1fea47f62f86b5b0b65487ddcfd014eea8e9fe",
"VirTool:Win32/Injector: FileHash-MD5 baa1a920d33eee94e123f5dfb6bbe7456692e020d682ae45f0de66130f9ea0da",
"VirTool:Win32/Injector: FileHash-SHA1 3e7124373729e9ec90ea1d01222bfdd84b0484e5",
"BigRock: gadyzyh.com",
"Matches rule ET INFO Namecheap URL",
"POLICY Unsupported/Fake Internet Explorer Version MSIE 2",
"Win.Trojan.Simda: FileHash-SHA256 0187e1392266fff224de9e3d3fbbe1a05cea8b823906ad27ff577c6e348f6e3b",
"Win.Trojan.Simda: FileHash-SHA1 fec01e5e59034cafc2b1e95c23068e075f9dbe69",
"Win.Trojan.Simda: FileHash-MD5 efe12fc770fb8647e22adb7f814666e7",
"TEL:Win32/Qjwmonkey.A: FileHash-SHA256 30ffb056ad64037a918d80c120db5d0032b29feb7db97ed19824646381165a5d",
"TEL:Win32/Qjwmonkey.A: FileHash-SHA1 51efdae4ba6bfec8e6f4ae2d7f6dc8cca42db1da",
"TEL:Win32/Qjwmonkey.A: FileHash-MD5 535ce96e43fe532e1ddfd804dbde9c6a",
"Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Tim Shelton, Nasreddine Bencherch",
"Matches rule Windows Processes Suspicious Parent Directory by vburov"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Australia",
"Netherlands"
],
"malware_families": [
{
"id": "TrojanDownloader:Win32/Upatre.E",
"display_name": "TrojanDownloader:Win32/Upatre.E",
"target": "/malware/TrojanDownloader:Win32/Upatre.E"
},
{
"id": "Ransom:Win32/Crowti.A",
"display_name": "Ransom:Win32/Crowti.A",
"target": "/malware/Ransom:Win32/Crowti.A"
},
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
},
{
"id": "Win.Trojan.Simda",
"display_name": "Win.Trojan.Simda",
"target": null
},
{
"id": "TEL:Win32/Qjwmonkey.A",
"display_name": "TEL:Win32/Qjwmonkey.A",
"target": "/malware/TEL:Win32/Qjwmonkey.A"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 549,
"domain": 1182,
"hostname": 590,
"URL": 961,
"FileHash-SHA256": 2466,
"FileHash-MD5": 562,
"SSLCertFingerprint": 7,
"email": 4
},
"indicator_count": 6321,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "602 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6692440efac39f5213329f13",
"name": "Mustang Panda: Oxypumper | Ransom Suspicious verifier SpyTox",
"description": "Mustang Panda is an alleged;China-based' non-governmental cyber espionage threat actor that was first observed in 2017. Targeting non-governmental civilians. Likely target is in many bot networks. Potential HoneyPot, this tool makes itself visible to target when researching the validity of an email or phone number. Notable for Gand Crane ransomware text embedded in SpyTox page image. Injection process observed. Affects most types of devices including iOS and Android. Critical issues found. IP's registrar's, domains 'not' contacted.\n\nHackers, harassment, cybercrime, cyber espionage.",
"modified": "2024-08-12T08:04:00.041000",
"created": "2024-07-13T09:08:30.431000",
"tags": [
"historical ssl",
"referrer",
"june",
"october",
"july",
"hacker",
"pe resource",
"mustang panda",
"plugx",
"cryptbot",
"threat roundup",
"december",
"process32nextw",
"regsetvalueexa",
"x00x00",
"regdword",
"memcommit",
"high",
"regbinary",
"okrnserver",
"regsetvalueexw",
"download",
"copy",
"as15169 google",
"united",
"aaaa",
"unknown",
"gmt path",
"passive dns",
"search",
"cname",
"showing",
"cookie",
"ascii text",
"pattern match",
"error",
"null",
"typeerror",
"sha1",
"mitre att",
"et tor",
"known tor",
"date",
"infinity",
"onload",
"trident",
"android",
"void",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"generator",
"third-party-cookies",
"text/html",
"trackers",
"external-resources",
"iframes",
"entries",
"status",
"name servers",
"urls",
"next",
"nxdomain",
"susp",
"a nxdomain",
"domain",
"win32",
"as62597",
"france unknown",
"for privacy",
"moved",
"a domains",
"meta",
"gmt cache",
"trojan",
"creation date",
"record value",
"script urls",
"as55293 a2",
"as44273 host",
"canada unknown",
"scan endpoints",
"all scoreblue",
"pulse pulses",
"files",
"ip address",
"location canada",
"443 ma2592000",
"code",
"trojanspy",
"type",
"ipv4",
"twitter",
"trojandropper",
"find",
"form",
"less see",
"formbook cnc",
"checkin",
"a li",
"li ul",
"cycbot",
"emails",
"as20940",
"as54113",
"asnone denmark",
"worm",
"asnone",
"as4230 claro",
"refloadapihash",
"salicode",
"div div",
"wi fi",
"orion wi",
"orion",
"a div",
"div section",
"orion logo",
"target",
"fast",
"contact",
"open",
"virtool",
"content type",
"found",
"http response",
"final url",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"ubuntu",
"accept",
"keepalive",
"site",
"find people",
"numbers",
"sptox",
"utc google",
"html info",
"title spytox",
"emails meta",
"tags viewport",
"spytox og",
"type win32",
"exe size",
"mb first",
"seen",
"file name",
"avg win32",
"fortinet",
"double click",
"solutions",
"domains",
"sneaky server",
"replacement",
"unauthorized",
"malware http",
"core",
"sim unlock",
"emotet",
"ta569",
"critical",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 protector",
"confuser",
"confuserex",
"checker",
"samplename",
"bonusbitcoin",
"xslayer",
"samplepath",
"names",
"details",
"header intel",
"name md5",
"language",
"contained",
"rticon neutral",
"ico rtgroupicon",
"neutral",
"assembly common",
"clr version",
"assembly name",
"metadata header",
"entry point",
"rva entry",
"strong name",
"streams size",
"entropy chi2",
"ip detections",
"country",
"executable",
"info header",
"allmul vbaget4",
"adjfprem ord",
"data rtversion",
"generic",
"file type",
"win32 exe",
"kb file",
"graph",
"user",
"windir",
"downloads",
"written c",
"files deleted",
"dropped c",
"process",
"logistics",
"cyber defense",
"brazzers",
"tsara brashears",
"gpt analyzer",
"apple private",
"data collection",
"twitter andor",
"snatch",
"ransomware",
"default",
"rticon english",
"type name",
"data",
"getfilesize",
"getdc copyimage",
"rticon russian",
"pe32 executable",
"borland delphi",
"delphi generic",
"dos borland",
"hkcuclsid",
"registry keys",
"hkcrclsid",
"file system",
"settings c",
"files c",
"shared c",
"sharedink c",
"hostname",
"as29791",
"as8426 claranet",
"malware",
"network",
"apple ios",
"apple",
"tmobile metro",
"apeaksoft ios",
"spybanker",
"remcos",
"adwind",
"njrat",
"guloader",
"banload",
"asyncrat",
"arkeistealer",
"danabot",
"nordvpnsetup",
"kb graph",
"summary",
"sharedinkarsa c",
"sharedinkbgbg c",
"sharedinkcscz c",
"sharedinkdadk c",
"gmt etag",
"x amz",
"body",
"body html",
"bq jul",
"et trojan",
"v4inhxvlhx0",
"medium",
"memreserve",
"checks amount",
"t1082",
"module load",
"e weowe64e",
"edelepexe",
"e rev",
"weinedoewse net",
"ransom",
"show",
"filehash",
"related",
"reverse dns",
"haut",
"servers",
"pulse submit",
"as3215 orange",
"france",
"backdoor",
"paris",
"honeypot",
"python",
"callback phishing",
"teams",
"porn related",
"harassment"
],
"references": [
"https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?",
"Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread",
"Antivirus Detections: Win.Malware.Oxypumper-6900445-0",
"IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile",
"IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)",
"IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)",
"Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7",
"Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8",
"Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1",
"Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ",
"google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/",
"https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622",
"Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")",
"scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99",
"Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9",
"Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a",
"Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx",
"Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp",
"iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com",
"iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com",
"iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com",
"iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com",
"iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E",
"Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/",
"DotNET_Crypto_Obfuscator",
"Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,",
"Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,",
"Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA",
"IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,",
"IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...",
"https://otx.alienvault.com/indicator/ip/216.40.34.41",
"Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97",
"ns2.tsaratsovo.net",
"FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955",
"FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79",
"FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848",
"DotNET_Crypto_Obfuscator",
"Antivirus Detections: Win32:MalwareX-gen\\ [Trj]",
"IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator",
"Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx",
"Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger",
"https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29",
"Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE",
"Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string",
"Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc",
"Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9",
"Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5",
"1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com",
"mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled",
"https://www.YouTube.com/polebote"
],
"public": 1,
"adversary": "Mustang Panda",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Oxypumper-6900445-0",
"display_name": "Win.Malware.Oxypumper-6900445-0",
"target": null
},
{
"id": "Backdoor:Win32/Plugx",
"display_name": "Backdoor:Win32/Plugx",
"target": "/malware/Backdoor:Win32/Plugx"
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
},
{
"id": "Ransom:Win32/GandCrab.AE",
"display_name": "Ransom:Win32/GandCrab.AE",
"target": "/malware/Ransom:Win32/GandCrab.AE"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDropper:Win32/Tofsee",
"display_name": "TrojanDropper:Win32/Tofsee",
"target": "/malware/TrojanDropper:Win32/Tofsee"
}
],
"attack_ids": [
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1595",
"name": "Active Scanning",
"display_name": "T1595 - Active Scanning"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 71,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 568,
"FileHash-SHA1": 537,
"FileHash-SHA256": 4887,
"URL": 4773,
"domain": 2346,
"hostname": 1884,
"SSLCertFingerprint": 15,
"email": 16,
"CVE": 1
},
"indicator_count": 15027,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 235,
"modified_text": "616 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "66141ecabe8f1ab189351dd3",
"name": "Tofsee Botnet: Google.com.uy | Install | Injection | Pegasus Monitoring",
"description": "Installed remotely by nefarious actor by Trojan dropper. Typically not install via PlayStore/AppStore; can be with severe compromise/ VPNs will be fake. Examples: 1.1.1.1, 1.1.1.4, Proton AG or Proton.ch. Not visible: [.uy.]. All data, monitored, manipulated, tracked, location, vehicle tracking, webcams, IP track, data cryptocurrency mining, tracked 24/7, collection, DDoS attacks, ransom, full CnC.\nTweakers.net, .bv , etc., observed, pegasus related",
"modified": "2024-05-08T16:00:34.588000",
"created": "2024-04-08T16:43:54.908000",
"tags": [
"installer",
"tofsee",
"trojan",
"dropper",
"dns",
"as20940",
"united",
"aaaa",
"as15703",
"search",
"servers",
"as8455 schuberg",
"a domains",
"encrypt",
"code",
"tweakers",
"unknown",
"ransom",
"body",
"webcams",
"banker",
"location tracking",
"vehicle tracking",
"device tracking",
"exploitation",
"redirects",
"ip tracking",
"vpn nullify",
"vehicle keycodes",
"search threat",
"analyzer feeds",
"panel platform",
"search platform",
"profile user",
"iocs",
"redacted for",
"passive dns",
"all scoreblue",
"hostname",
"next",
"cnc",
"scanning host",
"milesone",
"virtual currency mining",
"crypto",
"regsetvalueexa",
"regdword",
"default",
"show",
"regbinary",
"read c",
"settingswpad",
"as15169",
"malware",
"copy",
"write",
"upatre",
"ids detections",
"scan endpoints",
"filehash",
"av detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"ransom",
"related pulses",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pe resource",
"august",
"win32",
"for privacy",
"creation date",
"name servers",
"urls",
"date",
"status",
"as15169 google",
"as44273 host",
"ipv4",
"pulse submit",
"url analysis",
"msie",
"chrome",
"moved",
"title",
"gmt content",
"apple",
"invalidate_gift_cards",
"tulach rebranded",
"hallrender rebranded",
"as8075",
"verdana",
"td tr",
"domain",
"germany unknown",
"as34011 host",
"etag",
"medium",
"module load",
"invalidate_google_play",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"win32 exe",
"win32 dll",
"javascript",
"mozilla firefox",
"edition",
"detections type",
"name",
"keeweb",
"setup",
"firefox setup",
"record type",
"ttl value",
"android",
"files",
"formbook",
"critical cmd",
"tracker",
"tsara brashears",
"remote",
"historical ssl",
"referrer",
"march",
"body html",
"head meta",
"moved title",
"head body",
"pegasus",
"nemtih",
"hit",
"men",
"gift_card_mining",
"google_play_card_mining",
"miner",
"htmladodb may",
"twitter",
"win64",
"as21342",
"as2914 ntt",
"as15334",
"error",
"certificate",
"checkbox",
"accept",
"record value",
"emails",
"domain name"
],
"references": [
"Virustotal - google.com.uy",
"https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]",
"Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring",
"https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect",
"https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales",
"nr-data.net [Apple Private Data Collection]",
"checkip.dyndns.org [command and control]",
"checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon",
"144.76.108.82 [scanning host]",
"Yara Detections PEtite24",
"FormBook IP: 142.251.211.243",
"https://pegasusm2.bullsbikesusa.com",
"https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands"
],
"malware_families": [
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Trojan:MSIL/TrojanDropper",
"display_name": "Trojan:MSIL/TrojanDropper",
"target": "/malware/Trojan:MSIL/TrojanDropper"
},
{
"id": "Installer",
"display_name": "Installer",
"target": null
},
{
"id": "Sf:Agent-DQ\\ [Trj]",
"display_name": "Sf:Agent-DQ\\ [Trj]",
"target": null
},
{
"id": "TrojanDownloader:Win32/Upatre!rfn",
"display_name": "TrojanDownloader:Win32/Upatre!rfn",
"target": "/malware/TrojanDownloader:Win32/Upatre!rfn"
},
{
"id": "Win32:DropperX-gen\\ [Drp]",
"display_name": "Win32:DropperX-gen\\ [Drp]",
"target": null
},
{
"id": "Win.Trojan.Tofsee-9770082-1",
"display_name": "Win.Trojan.Tofsee-9770082-1",
"target": null
},
{
"id": "Ransom:Win32/StopCrypt.AK!MTB",
"display_name": "Ransom:Win32/StopCrypt.AK!MTB",
"target": "/malware/Ransom:Win32/StopCrypt.AK!MTB"
}
],
"attack_ids": [
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1574.005",
"name": "Executable Installer File Permissions Weakness",
"display_name": "T1574.005 - Executable Installer File Permissions Weakness"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1493",
"name": "Transmitted Data Manipulation",
"display_name": "T1493 - Transmitted Data Manipulation"
},
{
"id": "T1029",
"name": "Scheduled Transfer",
"display_name": "T1029 - Scheduled Transfer"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1013",
"name": "Port Monitors",
"display_name": "T1013 - Port Monitors"
},
{
"id": "T1430",
"name": "Location Tracking",
"display_name": "T1430 - Location Tracking"
},
{
"id": "T1468",
"name": "Remotely Track Device Without Authorization",
"display_name": "T1468 - Remotely Track Device Without Authorization"
},
{
"id": "T1450",
"name": "Exploit SS7 to Track Device Location",
"display_name": "T1450 - Exploit SS7 to Track Device Location"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1483",
"name": "Domain Generation Algorithms",
"display_name": "T1483 - Domain Generation Algorithms"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 392,
"FileHash-SHA1": 468,
"FileHash-SHA256": 3233,
"URL": 8667,
"domain": 2219,
"hostname": 3480,
"email": 8
},
"indicator_count": 18467,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 232,
"modified_text": "711 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6603369ad0e38e313883c4fa",
"name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root HELP! RETALIATION HAS OCCURRED ",
"description": "",
"modified": "2024-04-23T11:04:58.191000",
"created": "2024-03-26T20:56:58.037000",
"tags": [
"referrer",
"communicating",
"contacted",
"siblings domain",
"parent domain",
"subdomains",
"execution",
"bundled",
"threat",
"paste",
"iocs",
"e4609l",
"urls http",
"blacklist http",
"cisco umbrella",
"heur",
"site",
"html",
"million",
"team",
"alexa top",
"script",
"malicious url",
"outbreak",
"downer",
"shell",
"mediamagnet",
"swrort",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"riskware",
"unsafe",
"webshell",
"exploit",
"crack",
"malware",
"phishing",
"union",
"bank",
"generic malware",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist",
"site top",
"malware site",
"site safe",
"deepscan",
"genpack",
"zbot",
"united",
"proxy",
"firehol mail",
"spammer",
"anonymizer",
"team proxy",
"firehol",
"noname057",
"alexa safe",
"maltiverse safe",
"windows nt",
"win64",
"khtml",
"gecko",
"veryhigh",
"orgabusehandle",
"route",
"appli22",
"address",
"orgtechhandle",
"appliedi abuse",
"orgnochandle",
"peter heather",
"appliedi",
"general info",
"geo united",
"as14519",
"us note",
"registrar arin",
"ptr record",
"command decode",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"traffic et",
"policy windows",
"update p2p",
"activity",
"date",
"hybrid",
"general",
"click",
"strings",
"contact",
"contacted urls",
"cert valid",
"malicious",
"phone",
"text",
"microsoft",
"uk telco",
"js tel",
"metro",
"redacted for",
"record value",
"emails abuse",
"name redacted",
"for privacy",
"name servers",
"privacy address",
"privacy city",
"privacy country",
"resolutions",
"a domains",
"canada unknown",
"div div",
"format a",
"a ul",
"models a",
"gmt path",
"search",
"unknown",
"passive dns",
"title",
"all scoreblue",
"ipv4",
"url analysis",
"body",
"next",
"port",
"destination",
"forbidden",
"high",
"tcp syn",
"telnet root",
"suspicious path",
"busybox",
"bad login",
"telnet login",
"copy",
"mirai",
"domain",
"hostname",
"script script",
"link",
"app themesskin",
"status",
"content type",
"lakeside tool",
"meta",
"find",
"tools",
"cookie",
"front",
"li ul",
"mower shop",
"creation date",
"showing",
"pragma",
"this",
"span",
"open ports",
"body doctype",
"privacy admin",
"privacy tech",
"server",
"country",
"organization",
"postal code",
"stateprovince",
"code",
"script urls",
"aaaa",
"as8068",
"cname",
"as20446",
"encrypt",
"falcon",
"name verdict",
"abuse",
"as55081",
"dnssec",
"dynamicloader",
"alerts",
"pulses",
"java",
"windows",
"guard",
"medium",
"dynamic",
"servers",
"certificate",
"as54113",
"trojan",
"neue",
"trojanspy",
"alexa",
"team google",
"maltiverse top",
"ccleaner",
"xrat",
"downldr",
"tsara brashears",
"entries",
"transactional"
],
"references": [
"174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
"HOSTEDBYAPPLIEDI.NET - Enom",
"www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
"https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
"https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
"Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
"Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
"Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
"Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
"Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
"Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
"Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
"[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
"Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections",
"IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)",
"Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e",
"Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
"Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
"Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"nr-data.net [Apple Private Data Collection]",
"Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
"Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
"smartertrack.appliedi.net, http://analytics.com/track?id=55",
"Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
"Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.DarkNexus-7679166-0",
"display_name": "Unix.Trojan.DarkNexus-7679166-0",
"target": null
},
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1504",
"name": "PowerShell Profile",
"display_name": "T1504 - PowerShell Profile"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "660021cdfd20f6237e3892c0",
"export_count": 4468,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2979,
"FileHash-SHA1": 406,
"FileHash-SHA256": 2293,
"URL": 1804,
"domain": 814,
"hostname": 1025,
"email": 9,
"CVE": 12,
"CIDR": 2
},
"indicator_count": 9344,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "726 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6603360b48908ae9b9835563",
"name": "IoT Dark Nexus + Mirai BotNet HELP HER PLEASE!!- Enom | TELNET Root |",
"description": "",
"modified": "2024-04-23T11:04:58.191000",
"created": "2024-03-26T20:54:35.118000",
"tags": [
"referrer",
"communicating",
"contacted",
"siblings domain",
"parent domain",
"subdomains",
"execution",
"bundled",
"threat",
"paste",
"iocs",
"e4609l",
"urls http",
"blacklist http",
"cisco umbrella",
"heur",
"site",
"html",
"million",
"team",
"alexa top",
"script",
"malicious url",
"outbreak",
"downer",
"shell",
"mediamagnet",
"swrort",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"riskware",
"unsafe",
"webshell",
"exploit",
"crack",
"malware",
"phishing",
"union",
"bank",
"generic malware",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist",
"site top",
"malware site",
"site safe",
"deepscan",
"genpack",
"zbot",
"united",
"proxy",
"firehol mail",
"spammer",
"anonymizer",
"team proxy",
"firehol",
"noname057",
"alexa safe",
"maltiverse safe",
"windows nt",
"win64",
"khtml",
"gecko",
"veryhigh",
"orgabusehandle",
"route",
"appli22",
"address",
"orgtechhandle",
"appliedi abuse",
"orgnochandle",
"peter heather",
"appliedi",
"general info",
"geo united",
"as14519",
"us note",
"registrar arin",
"ptr record",
"command decode",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"traffic et",
"policy windows",
"update p2p",
"activity",
"date",
"hybrid",
"general",
"click",
"strings",
"contact",
"contacted urls",
"cert valid",
"malicious",
"phone",
"text",
"microsoft",
"uk telco",
"js tel",
"metro",
"redacted for",
"record value",
"emails abuse",
"name redacted",
"for privacy",
"name servers",
"privacy address",
"privacy city",
"privacy country",
"resolutions",
"a domains",
"canada unknown",
"div div",
"format a",
"a ul",
"models a",
"gmt path",
"search",
"unknown",
"passive dns",
"title",
"all scoreblue",
"ipv4",
"url analysis",
"body",
"next",
"port",
"destination",
"forbidden",
"high",
"tcp syn",
"telnet root",
"suspicious path",
"busybox",
"bad login",
"telnet login",
"copy",
"mirai",
"domain",
"hostname",
"script script",
"link",
"app themesskin",
"status",
"content type",
"lakeside tool",
"meta",
"find",
"tools",
"cookie",
"front",
"li ul",
"mower shop",
"creation date",
"showing",
"pragma",
"this",
"span",
"open ports",
"body doctype",
"privacy admin",
"privacy tech",
"server",
"country",
"organization",
"postal code",
"stateprovince",
"code",
"script urls",
"aaaa",
"as8068",
"cname",
"as20446",
"encrypt",
"falcon",
"name verdict",
"abuse",
"as55081",
"dnssec",
"dynamicloader",
"alerts",
"pulses",
"java",
"windows",
"guard",
"medium",
"dynamic",
"servers",
"certificate",
"as54113",
"trojan",
"neue",
"trojanspy",
"alexa",
"team google",
"maltiverse top",
"ccleaner",
"xrat",
"downldr",
"tsara brashears",
"entries",
"transactional"
],
"references": [
"174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
"HOSTEDBYAPPLIEDI.NET - Enom",
"www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
"https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
"https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
"Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
"Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
"Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
"Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
"Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
"Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
"Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
"[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
"Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections",
"IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)",
"Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e",
"Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
"Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
"Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"nr-data.net [Apple Private Data Collection]",
"Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
"Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
"smartertrack.appliedi.net, http://analytics.com/track?id=55",
"Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
"Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.DarkNexus-7679166-0",
"display_name": "Unix.Trojan.DarkNexus-7679166-0",
"target": null
},
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1504",
"name": "PowerShell Profile",
"display_name": "T1504 - PowerShell Profile"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "660021cdfd20f6237e3892c0",
"export_count": 38,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2979,
"FileHash-SHA1": 406,
"FileHash-SHA256": 2293,
"URL": 1804,
"domain": 814,
"hostname": 1025,
"email": 9,
"CVE": 12,
"CIDR": 2
},
"indicator_count": 9344,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "726 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "66015553ad4633eb85c66817",
"name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ",
"description": "",
"modified": "2024-04-23T11:04:58.191000",
"created": "2024-03-25T10:43:31.072000",
"tags": [
"referrer",
"communicating",
"contacted",
"siblings domain",
"parent domain",
"subdomains",
"execution",
"bundled",
"threat",
"paste",
"iocs",
"e4609l",
"urls http",
"blacklist http",
"cisco umbrella",
"heur",
"site",
"html",
"million",
"team",
"alexa top",
"script",
"malicious url",
"outbreak",
"downer",
"shell",
"mediamagnet",
"swrort",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"riskware",
"unsafe",
"webshell",
"exploit",
"crack",
"malware",
"phishing",
"union",
"bank",
"generic malware",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist",
"site top",
"malware site",
"site safe",
"deepscan",
"genpack",
"zbot",
"united",
"proxy",
"firehol mail",
"spammer",
"anonymizer",
"team proxy",
"firehol",
"noname057",
"alexa safe",
"maltiverse safe",
"windows nt",
"win64",
"khtml",
"gecko",
"veryhigh",
"orgabusehandle",
"route",
"appli22",
"address",
"orgtechhandle",
"appliedi abuse",
"orgnochandle",
"peter heather",
"appliedi",
"general info",
"geo united",
"as14519",
"us note",
"registrar arin",
"ptr record",
"command decode",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"traffic et",
"policy windows",
"update p2p",
"activity",
"date",
"hybrid",
"general",
"click",
"strings",
"contact",
"contacted urls",
"cert valid",
"malicious",
"phone",
"text",
"microsoft",
"uk telco",
"js tel",
"metro",
"redacted for",
"record value",
"emails abuse",
"name redacted",
"for privacy",
"name servers",
"privacy address",
"privacy city",
"privacy country",
"resolutions",
"a domains",
"canada unknown",
"div div",
"format a",
"a ul",
"models a",
"gmt path",
"search",
"unknown",
"passive dns",
"title",
"all scoreblue",
"ipv4",
"url analysis",
"body",
"next",
"port",
"destination",
"forbidden",
"high",
"tcp syn",
"telnet root",
"suspicious path",
"busybox",
"bad login",
"telnet login",
"copy",
"mirai",
"domain",
"hostname",
"script script",
"link",
"app themesskin",
"status",
"content type",
"lakeside tool",
"meta",
"find",
"tools",
"cookie",
"front",
"li ul",
"mower shop",
"creation date",
"showing",
"pragma",
"this",
"span",
"open ports",
"body doctype",
"privacy admin",
"privacy tech",
"server",
"country",
"organization",
"postal code",
"stateprovince",
"code",
"script urls",
"aaaa",
"as8068",
"cname",
"as20446",
"encrypt",
"falcon",
"name verdict",
"abuse",
"as55081",
"dnssec",
"dynamicloader",
"alerts",
"pulses",
"java",
"windows",
"guard",
"medium",
"dynamic",
"servers",
"certificate",
"as54113",
"trojan",
"neue",
"trojanspy",
"alexa",
"team google",
"maltiverse top",
"ccleaner",
"xrat",
"downldr",
"tsara brashears",
"entries",
"transactional"
],
"references": [
"174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
"HOSTEDBYAPPLIEDI.NET - Enom",
"www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
"https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
"https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
"Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
"Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
"Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
"Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
"Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
"Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
"Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
"[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
"Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections",
"IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)",
"Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e",
"Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
"Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
"Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"nr-data.net [Apple Private Data Collection]",
"Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
"Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
"smartertrack.appliedi.net, http://analytics.com/track?id=55",
"Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
"Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.DarkNexus-7679166-0",
"display_name": "Unix.Trojan.DarkNexus-7679166-0",
"target": null
},
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1504",
"name": "PowerShell Profile",
"display_name": "T1504 - PowerShell Profile"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "660021cdfd20f6237e3892c0",
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2979,
"FileHash-SHA1": 406,
"FileHash-SHA256": 2293,
"URL": 1804,
"domain": 814,
"hostname": 1025,
"email": 9,
"CVE": 12,
"CIDR": 2
},
"indicator_count": 9344,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "726 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "66015551faca20cb510f9121",
"name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ",
"description": "",
"modified": "2024-04-23T11:04:58.191000",
"created": "2024-03-25T10:43:29.149000",
"tags": [
"referrer",
"communicating",
"contacted",
"siblings domain",
"parent domain",
"subdomains",
"execution",
"bundled",
"threat",
"paste",
"iocs",
"e4609l",
"urls http",
"blacklist http",
"cisco umbrella",
"heur",
"site",
"html",
"million",
"team",
"alexa top",
"script",
"malicious url",
"outbreak",
"downer",
"shell",
"mediamagnet",
"swrort",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"riskware",
"unsafe",
"webshell",
"exploit",
"crack",
"malware",
"phishing",
"union",
"bank",
"generic malware",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist",
"site top",
"malware site",
"site safe",
"deepscan",
"genpack",
"zbot",
"united",
"proxy",
"firehol mail",
"spammer",
"anonymizer",
"team proxy",
"firehol",
"noname057",
"alexa safe",
"maltiverse safe",
"windows nt",
"win64",
"khtml",
"gecko",
"veryhigh",
"orgabusehandle",
"route",
"appli22",
"address",
"orgtechhandle",
"appliedi abuse",
"orgnochandle",
"peter heather",
"appliedi",
"general info",
"geo united",
"as14519",
"us note",
"registrar arin",
"ptr record",
"command decode",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"traffic et",
"policy windows",
"update p2p",
"activity",
"date",
"hybrid",
"general",
"click",
"strings",
"contact",
"contacted urls",
"cert valid",
"malicious",
"phone",
"text",
"microsoft",
"uk telco",
"js tel",
"metro",
"redacted for",
"record value",
"emails abuse",
"name redacted",
"for privacy",
"name servers",
"privacy address",
"privacy city",
"privacy country",
"resolutions",
"a domains",
"canada unknown",
"div div",
"format a",
"a ul",
"models a",
"gmt path",
"search",
"unknown",
"passive dns",
"title",
"all scoreblue",
"ipv4",
"url analysis",
"body",
"next",
"port",
"destination",
"forbidden",
"high",
"tcp syn",
"telnet root",
"suspicious path",
"busybox",
"bad login",
"telnet login",
"copy",
"mirai",
"domain",
"hostname",
"script script",
"link",
"app themesskin",
"status",
"content type",
"lakeside tool",
"meta",
"find",
"tools",
"cookie",
"front",
"li ul",
"mower shop",
"creation date",
"showing",
"pragma",
"this",
"span",
"open ports",
"body doctype",
"privacy admin",
"privacy tech",
"server",
"country",
"organization",
"postal code",
"stateprovince",
"code",
"script urls",
"aaaa",
"as8068",
"cname",
"as20446",
"encrypt",
"falcon",
"name verdict",
"abuse",
"as55081",
"dnssec",
"dynamicloader",
"alerts",
"pulses",
"java",
"windows",
"guard",
"medium",
"dynamic",
"servers",
"certificate",
"as54113",
"trojan",
"neue",
"trojanspy",
"alexa",
"team google",
"maltiverse top",
"ccleaner",
"xrat",
"downldr",
"tsara brashears",
"entries",
"transactional"
],
"references": [
"174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
"HOSTEDBYAPPLIEDI.NET - Enom",
"www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
"https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
"https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
"Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
"Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
"Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
"Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
"Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
"Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
"Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
"[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
"Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections",
"IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)",
"Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e",
"Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
"Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
"Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"nr-data.net [Apple Private Data Collection]",
"Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
"Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
"smartertrack.appliedi.net, http://analytics.com/track?id=55",
"Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
"Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.DarkNexus-7679166-0",
"display_name": "Unix.Trojan.DarkNexus-7679166-0",
"target": null
},
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1504",
"name": "PowerShell Profile",
"display_name": "T1504 - PowerShell Profile"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "660021cdfd20f6237e3892c0",
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2979,
"FileHash-SHA1": 406,
"FileHash-SHA256": 2293,
"URL": 1804,
"domain": 814,
"hostname": 1025,
"email": 9,
"CVE": 12,
"CIDR": 2
},
"indicator_count": 9344,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "726 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "660021cdfd20f6237e3892c0",
"name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services",
"description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.",
"modified": "2024-04-23T11:04:58.191000",
"created": "2024-03-24T12:51:25.910000",
"tags": [
"referrer",
"communicating",
"contacted",
"siblings domain",
"parent domain",
"subdomains",
"execution",
"bundled",
"threat",
"paste",
"iocs",
"e4609l",
"urls http",
"blacklist http",
"cisco umbrella",
"heur",
"site",
"html",
"million",
"team",
"alexa top",
"script",
"malicious url",
"outbreak",
"downer",
"shell",
"mediamagnet",
"swrort",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"riskware",
"unsafe",
"webshell",
"exploit",
"crack",
"malware",
"phishing",
"union",
"bank",
"generic malware",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist",
"site top",
"malware site",
"site safe",
"deepscan",
"genpack",
"zbot",
"united",
"proxy",
"firehol mail",
"spammer",
"anonymizer",
"team proxy",
"firehol",
"noname057",
"alexa safe",
"maltiverse safe",
"windows nt",
"win64",
"khtml",
"gecko",
"veryhigh",
"orgabusehandle",
"route",
"appli22",
"address",
"orgtechhandle",
"appliedi abuse",
"orgnochandle",
"peter heather",
"appliedi",
"general info",
"geo united",
"as14519",
"us note",
"registrar arin",
"ptr record",
"command decode",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"traffic et",
"policy windows",
"update p2p",
"activity",
"date",
"hybrid",
"general",
"click",
"strings",
"contact",
"contacted urls",
"cert valid",
"malicious",
"phone",
"text",
"microsoft",
"uk telco",
"js tel",
"metro",
"redacted for",
"record value",
"emails abuse",
"name redacted",
"for privacy",
"name servers",
"privacy address",
"privacy city",
"privacy country",
"resolutions",
"a domains",
"canada unknown",
"div div",
"format a",
"a ul",
"models a",
"gmt path",
"search",
"unknown",
"passive dns",
"title",
"all scoreblue",
"ipv4",
"url analysis",
"body",
"next",
"port",
"destination",
"forbidden",
"high",
"tcp syn",
"telnet root",
"suspicious path",
"busybox",
"bad login",
"telnet login",
"copy",
"mirai",
"domain",
"hostname",
"script script",
"link",
"app themesskin",
"status",
"content type",
"lakeside tool",
"meta",
"find",
"tools",
"cookie",
"front",
"li ul",
"mower shop",
"creation date",
"showing",
"pragma",
"this",
"span",
"open ports",
"body doctype",
"privacy admin",
"privacy tech",
"server",
"country",
"organization",
"postal code",
"stateprovince",
"code",
"script urls",
"aaaa",
"as8068",
"cname",
"as20446",
"encrypt",
"falcon",
"name verdict",
"abuse",
"as55081",
"dnssec",
"dynamicloader",
"alerts",
"pulses",
"java",
"windows",
"guard",
"medium",
"dynamic",
"servers",
"certificate",
"as54113",
"trojan",
"neue",
"trojanspy",
"alexa",
"team google",
"maltiverse top",
"ccleaner",
"xrat",
"downldr",
"tsara brashears",
"entries",
"transactional"
],
"references": [
"174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
"HOSTEDBYAPPLIEDI.NET - Enom",
"www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
"https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
"https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
"Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
"Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
"Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
"Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
"Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
"Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
"Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
"[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
"Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections",
"IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)",
"Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e",
"Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
"Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
"Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"nr-data.net [Apple Private Data Collection]",
"Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
"Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
"smartertrack.appliedi.net, http://analytics.com/track?id=55",
"Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
"Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.DarkNexus-7679166-0",
"display_name": "Unix.Trojan.DarkNexus-7679166-0",
"target": null
},
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1504",
"name": "PowerShell Profile",
"display_name": "T1504 - PowerShell Profile"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 41,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2979,
"FileHash-SHA1": 406,
"FileHash-SHA256": 2293,
"URL": 1804,
"domain": 814,
"hostname": 1025,
"email": 9,
"CVE": 12,
"CIDR": 2
},
"indicator_count": 9344,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "726 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "660021cc958e062575a9a160",
"name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services",
"description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.",
"modified": "2024-04-23T11:04:58.191000",
"created": "2024-03-24T12:51:24.154000",
"tags": [
"referrer",
"communicating",
"contacted",
"siblings domain",
"parent domain",
"subdomains",
"execution",
"bundled",
"threat",
"paste",
"iocs",
"e4609l",
"urls http",
"blacklist http",
"cisco umbrella",
"heur",
"site",
"html",
"million",
"team",
"alexa top",
"script",
"malicious url",
"outbreak",
"downer",
"shell",
"mediamagnet",
"swrort",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"riskware",
"unsafe",
"webshell",
"exploit",
"crack",
"malware",
"phishing",
"union",
"bank",
"generic malware",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist",
"site top",
"malware site",
"site safe",
"deepscan",
"genpack",
"zbot",
"united",
"proxy",
"firehol mail",
"spammer",
"anonymizer",
"team proxy",
"firehol",
"noname057",
"alexa safe",
"maltiverse safe",
"windows nt",
"win64",
"khtml",
"gecko",
"veryhigh",
"orgabusehandle",
"route",
"appli22",
"address",
"orgtechhandle",
"appliedi abuse",
"orgnochandle",
"peter heather",
"appliedi",
"general info",
"geo united",
"as14519",
"us note",
"registrar arin",
"ptr record",
"command decode",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"traffic et",
"policy windows",
"update p2p",
"activity",
"date",
"hybrid",
"general",
"click",
"strings",
"contact",
"contacted urls",
"cert valid",
"malicious",
"phone",
"text",
"microsoft",
"uk telco",
"js tel",
"metro",
"redacted for",
"record value",
"emails abuse",
"name redacted",
"for privacy",
"name servers",
"privacy address",
"privacy city",
"privacy country",
"resolutions",
"a domains",
"canada unknown",
"div div",
"format a",
"a ul",
"models a",
"gmt path",
"search",
"unknown",
"passive dns",
"title",
"all scoreblue",
"ipv4",
"url analysis",
"body",
"next",
"port",
"destination",
"forbidden",
"high",
"tcp syn",
"telnet root",
"suspicious path",
"busybox",
"bad login",
"telnet login",
"copy",
"mirai",
"domain",
"hostname",
"script script",
"link",
"app themesskin",
"status",
"content type",
"lakeside tool",
"meta",
"find",
"tools",
"cookie",
"front",
"li ul",
"mower shop",
"creation date",
"showing",
"pragma",
"this",
"span",
"open ports",
"body doctype",
"privacy admin",
"privacy tech",
"server",
"country",
"organization",
"postal code",
"stateprovince",
"code",
"script urls",
"aaaa",
"as8068",
"cname",
"as20446",
"encrypt",
"falcon",
"name verdict",
"abuse",
"as55081",
"dnssec",
"dynamicloader",
"alerts",
"pulses",
"java",
"windows",
"guard",
"medium",
"dynamic",
"servers",
"certificate",
"as54113",
"trojan",
"neue",
"trojanspy",
"alexa",
"team google",
"maltiverse top",
"ccleaner",
"xrat",
"downldr",
"tsara brashears",
"entries",
"transactional"
],
"references": [
"174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
"HOSTEDBYAPPLIEDI.NET - Enom",
"www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
"https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
"https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
"Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
"Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
"Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
"Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
"Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
"Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
"Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
"[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
"Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections",
"IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)",
"Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e",
"Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
"Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
"Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"nr-data.net [Apple Private Data Collection]",
"Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
"Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
"smartertrack.appliedi.net, http://analytics.com/track?id=55",
"Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
"Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.DarkNexus-7679166-0",
"display_name": "Unix.Trojan.DarkNexus-7679166-0",
"target": null
},
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1504",
"name": "PowerShell Profile",
"display_name": "T1504 - PowerShell Profile"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 35,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2979,
"FileHash-SHA1": 406,
"FileHash-SHA256": 2293,
"URL": 1804,
"domain": 814,
"hostname": 1025,
"email": 9,
"CVE": 12,
"CIDR": 2
},
"indicator_count": 9344,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "726 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65c4a1c74cf5f1af5be6464e",
"name": " authsmtp.sabeydatacenters.com | tulach gained access to Side3 Studios Denver\t\t",
"description": "",
"modified": "2024-03-09T09:02:09.950000",
"created": "2024-02-08T09:41:27.252000",
"tags": [
"ssl certificate",
"contacted",
"historical ssl",
"february",
"referrer",
"threat roundup",
"apple ios",
"goldfinder",
"sibot",
"goldmax",
"hacktool",
"malicious",
"formbook",
"contacted urls",
"resolutions",
"malware",
"njrat",
"ransomware",
"open",
"cyber criminal",
"record type",
"ttl value",
"dropped",
"execution",
"hashes hashes",
"hashes",
"network",
"communicating",
"maui ransomware",
"type name",
"jpeg",
"ms word",
"document",
"whois record",
"january",
"october",
"december",
"april",
"august",
"crypto",
"awful",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"self",
"march",
"urls http",
"threat network",
"problems",
"whois whois",
"probe",
"startpage",
"premium",
"snatch",
"first",
"utc submissions",
"submitters",
"cloudflarenet",
"gvb gelimed",
"com laude",
"mb super",
"optimizer",
"amazonaes",
"summary iocs",
"twitter",
"united",
"as20940",
"aaaa",
"as714 apple",
"as16625 akamai",
"win32mydoom feb",
"name servers",
"trojan",
"as6185 apple",
"creation date",
"virtool",
"worm",
"date",
"win32",
"urls",
"search",
"servers",
"targeting",
"target",
"tsara brashears",
"united kingdom",
"whitelisted",
"as6453 tata",
"passive dns",
"domain",
"as46606",
"scan endpoints",
"all search",
"otx octoseek",
"pulse submit",
"url analysis",
"as54113",
"entries",
"moved",
"body",
"unknown",
"found",
"files",
"backdoor",
"expiration date",
"hallrender",
"tulach",
"all octoseek",
"url http",
"pulse pulses",
"http",
"related pulses",
"none related",
"tags none",
"file type",
"as62597 nsone",
"as62729",
"showing",
"next",
"as2914 ntt",
"ireland unknown",
"germany unknown",
"as6461 zayo",
"as7843 charter",
"as3257 gtt",
"ip address",
"location united",
"for privacy",
"record value",
"as54990",
"bouvet island",
"encrypt",
"show",
"filehash",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"june",
"copy",
"as15169 google",
"domains ii",
"sality",
"ck id",
"ck matrix",
"intellectual property theft",
"malicious file transfers",
"scheme",
"threat",
"paste",
"iocs",
"hostnames",
"urls https",
"urls url",
"j490s6lkpppw",
"lfqprnkje8dni0"
],
"references": [
"https://side3.com/",
"https://www.side3.com",
"http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]",
"http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]",
"http://fillmark.net/index.php [phishing]",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"www-temp.metrobyt-mobile.com [malicious | data collection]",
"www.icloud.com [wp-login.php]",
"webdisk.thehomemakers.nl [spyware | tracking]",
"https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]",
"URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org",
"cs9.wac.phicdn.net.1.1.e64a8639.roksit.net",
"www.anyxxxtube.net [malicious data collection]",
"s3.amazonaws.com [targeting data collection]",
"https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/",
"nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]",
"api.utah.edu [access apple]",
"https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]",
"tv.apple.com",
"104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]",
"andrewka6.pythonanywhere.com [python connection - apple]",
"http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma",
"https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign",
"sonymobilemail.com",
"https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf",
"pegahpouraseflaw.info",
"http://mouthgrave.net/index.php",
"ransomed.vc",
"Intellectual property accessed and distributed"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [
{
"id": "Cyber Criminal",
"display_name": "Cyber Criminal",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "GoldFinder",
"display_name": "GoldFinder",
"target": null
},
{
"id": "GoldMax",
"display_name": "GoldMax",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Sibot",
"display_name": "Sibot",
"target": null
},
{
"id": "NjRAT",
"display_name": "NjRAT",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Worm:Win32/Mydoom",
"display_name": "Worm:Win32/Mydoom",
"target": "/malware/Worm:Win32/Mydoom"
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "Sality",
"display_name": "Sality",
"target": null
}
],
"attack_ids": [
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1215",
"name": "Kernel Modules and Extensions",
"display_name": "T1215 - Kernel Modules and Extensions"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1027.002",
"name": "Software Packing",
"display_name": "T1027.002 - Software Packing"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Entertainment",
"Technology",
"Telecommunications",
"Recording Industry",
"Entertainers",
"Civil Society"
],
"TLP": "white",
"cloned_from": "65c4a099f6a2c8fc2bb85d4b",
"export_count": 44,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5271,
"FileHash-MD5": 899,
"FileHash-SHA1": 881,
"FileHash-SHA256": 5609,
"domain": 2199,
"hostname": 3205,
"CVE": 1,
"email": 9
},
"indicator_count": 18074,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "771 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65c4a099f6a2c8fc2bb85d4b",
"name": "Cyber espionage & ransomware attacks Denver Recording Studio",
"description": "GoldMax is used by UNC2452 as a command-and-control backdoor. It is written in the Go programming language. To hide its activities, it generates dummy traffic.\n\nSibot is a VBScript-based malware that allows attackers to download and run payloads from a remote command-and-control server. It uses file names that are similar to those used in Windows for masquerading. The VBScript is executed through a scheduled task.\n\nGoldFinder is another Go malware used by attackers to access a hardcoded command-and-control (C2) server by logging the route or hops that a packet takes like an HTTP tracer tool.",
"modified": "2024-03-09T09:02:09.950000",
"created": "2024-02-08T09:36:25.114000",
"tags": [
"ssl certificate",
"contacted",
"historical ssl",
"february",
"referrer",
"threat roundup",
"apple ios",
"goldfinder",
"sibot",
"goldmax",
"hacktool",
"malicious",
"formbook",
"contacted urls",
"resolutions",
"malware",
"njrat",
"ransomware",
"open",
"cyber criminal",
"record type",
"ttl value",
"dropped",
"execution",
"hashes hashes",
"hashes",
"network",
"communicating",
"maui ransomware",
"type name",
"jpeg",
"ms word",
"document",
"whois record",
"january",
"october",
"december",
"april",
"august",
"crypto",
"awful",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"self",
"march",
"urls http",
"threat network",
"problems",
"whois whois",
"probe",
"startpage",
"premium",
"snatch",
"first",
"utc submissions",
"submitters",
"cloudflarenet",
"gvb gelimed",
"com laude",
"mb super",
"optimizer",
"amazonaes",
"summary iocs",
"twitter",
"united",
"as20940",
"aaaa",
"as714 apple",
"as16625 akamai",
"win32mydoom feb",
"name servers",
"trojan",
"as6185 apple",
"creation date",
"virtool",
"worm",
"date",
"win32",
"urls",
"search",
"servers",
"targeting",
"target",
"tsara brashears",
"united kingdom",
"whitelisted",
"as6453 tata",
"passive dns",
"domain",
"as46606",
"scan endpoints",
"all search",
"otx octoseek",
"pulse submit",
"url analysis",
"as54113",
"entries",
"moved",
"body",
"unknown",
"found",
"files",
"backdoor",
"expiration date",
"hallrender",
"tulach",
"all octoseek",
"url http",
"pulse pulses",
"http",
"related pulses",
"none related",
"tags none",
"file type",
"as62597 nsone",
"as62729",
"showing",
"next",
"as2914 ntt",
"ireland unknown",
"germany unknown",
"as6461 zayo",
"as7843 charter",
"as3257 gtt",
"ip address",
"location united",
"for privacy",
"record value",
"as54990",
"bouvet island",
"encrypt",
"show",
"filehash",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"june",
"copy",
"as15169 google",
"domains ii",
"sality",
"ck id",
"ck matrix",
"intellectual property theft",
"malicious file transfers",
"scheme",
"threat",
"paste",
"iocs",
"hostnames",
"urls https",
"urls url",
"j490s6lkpppw",
"lfqprnkje8dni0"
],
"references": [
"https://side3.com/",
"https://www.side3.com",
"http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]",
"http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]",
"http://fillmark.net/index.php [phishing]",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"www-temp.metrobyt-mobile.com [malicious | data collection]",
"www.icloud.com [wp-login.php]",
"webdisk.thehomemakers.nl [spyware | tracking]",
"https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]",
"URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org",
"cs9.wac.phicdn.net.1.1.e64a8639.roksit.net",
"www.anyxxxtube.net [malicious data collection]",
"s3.amazonaws.com [targeting data collection]",
"https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/",
"nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]",
"api.utah.edu [access apple]",
"https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]",
"tv.apple.com",
"104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]",
"andrewka6.pythonanywhere.com [python connection - apple]",
"http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma",
"https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign",
"sonymobilemail.com",
"https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf",
"pegahpouraseflaw.info",
"http://mouthgrave.net/index.php",
"ransomed.vc",
"Intellectual property accessed and distributed"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [
{
"id": "Cyber Criminal",
"display_name": "Cyber Criminal",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "GoldFinder",
"display_name": "GoldFinder",
"target": null
},
{
"id": "GoldMax",
"display_name": "GoldMax",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Sibot",
"display_name": "Sibot",
"target": null
},
{
"id": "NjRAT",
"display_name": "NjRAT",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Worm:Win32/Mydoom",
"display_name": "Worm:Win32/Mydoom",
"target": "/malware/Worm:Win32/Mydoom"
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "Sality",
"display_name": "Sality",
"target": null
}
],
"attack_ids": [
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1215",
"name": "Kernel Modules and Extensions",
"display_name": "T1215 - Kernel Modules and Extensions"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1027.002",
"name": "Software Packing",
"display_name": "T1027.002 - Software Packing"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Entertainment",
"Technology",
"Telecommunications",
"Recording Industry",
"Entertainers",
"Civil Society"
],
"TLP": "white",
"cloned_from": null,
"export_count": 49,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5271,
"FileHash-MD5": 899,
"FileHash-SHA1": 881,
"FileHash-SHA256": 5609,
"domain": 2199,
"hostname": 3205,
"CVE": 1,
"email": 9
},
"indicator_count": 18074,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "771 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570918ad73d46901ccddc5d",
"name": "www.donaldjtrump.com 2022",
"description": "",
"modified": "2023-12-06T15:21:46.477000",
"created": "2023-12-06T15:21:46.477000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 561,
"FileHash-SHA256": 1509,
"domain": 220,
"URL": 1586,
"CIDR": 18,
"FileHash-MD5": 35,
"FileHash-SHA1": 2
},
"indicator_count": 3931,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65709180cc164d76aeb361cf",
"name": "Michigan.gov ~ Tis the season to HACK elections",
"description": "",
"modified": "2023-12-06T15:21:36.435000",
"created": "2023-12-06T15:21:36.435000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1530,
"hostname": 501,
"domain": 169,
"URL": 1060,
"CIDR": 3,
"FileHash-MD5": 129
},
"indicator_count": 3392,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570901dda87706f34dfe254",
"name": "visai.ai = KR and CN via M$ Mobile Alliance (cn) to fancybearsmetaverse.com",
"description": "",
"modified": "2023-12-06T15:15:41.328000",
"created": "2023-12-06T15:15:41.328000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 225,
"URL": 445,
"FileHash-SHA256": 732,
"domain": 84
},
"indicator_count": 1486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657089aa4b734f1efd8bd0ac",
"name": "github_trump_0x729.github.io:%22",
"description": "",
"modified": "2023-12-06T14:48:10.074000",
"created": "2023-12-06T14:48:10.074000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 347,
"FileHash-SHA256": 1183,
"domain": 145,
"URL": 582,
"CIDR": 5,
"FileHash-MD5": 32,
"FileHash-SHA1": 4
},
"indicator_count": 2298,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570807c9521659aacb5668a",
"name": "gainpower.org ~ Voting Rights Non-profit",
"description": "",
"modified": "2023-12-06T14:09:00.527000",
"created": "2023-12-06T14:09:00.527000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1159,
"hostname": 816,
"domain": 263,
"URL": 2550,
"CIDR": 5,
"FileHash-MD5": 45,
"FileHash-SHA1": 3
},
"indicator_count": 4841,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570803ac9e3a7471852fc10",
"name": "www.jasmineforus.com",
"description": "",
"modified": "2023-12-06T14:07:54.565000",
"created": "2023-12-06T14:07:54.565000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 394,
"hostname": 115,
"domain": 42,
"URL": 336,
"CIDR": 1,
"FileHash-MD5": 4
},
"indicator_count": 892,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657080378bb66724b37455be",
"name": "www.janehopehamilton.com",
"description": "",
"modified": "2023-12-06T14:07:51.583000",
"created": "2023-12-06T14:07:51.583000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 983,
"hostname": 192,
"domain": 141,
"URL": 374,
"CIDR": 3,
"FileHash-MD5": 18,
"FileHash-SHA1": 5
},
"indicator_count": 1716,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6301079ebe45cb442cae4488",
"name": "www.donaldjtrump.com 2022",
"description": "",
"modified": "2022-09-19T00:10:46.535000",
"created": "2022-08-20T16:11:10.558000",
"tags": [
"Apple's crappy FaceTime ~ Nothing has changed",
"Ransomware"
],
"references": [
"www.donaldjtrump.com.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Ransom:Win32/Wannaren.A",
"display_name": "Ransom:Win32/Wannaren.A",
"target": "/malware/Ransom:Win32/Wannaren.A"
}
],
"attack_ids": [],
"industries": [
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 729,
"URL": 2072,
"domain": 252,
"FileHash-SHA256": 1985,
"CIDR": 18,
"FileHash-MD5": 37,
"FileHash-SHA1": 2
},
"indicator_count": 5095,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 406,
"modified_text": "1309 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "630030f2cdba6cf05bdcd070",
"name": "Michigan.gov ~ Tis the season to HACK elections",
"description": "",
"modified": "2022-09-18T00:03:55.814000",
"created": "2022-08-20T00:55:14.285000",
"tags": [
"Ransomware"
],
"references": [
"michigan.gov.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Ransom:Win32/Wannaren.A",
"display_name": "Ransom:Win32/Wannaren.A",
"target": "/malware/Ransom:Win32/Wannaren.A"
}
],
"attack_ids": [],
"industries": [
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 501,
"domain": 169,
"URL": 1061,
"FileHash-SHA256": 1530,
"CIDR": 3,
"FileHash-MD5": 129
},
"indicator_count": 3393,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 408,
"modified_text": "1310 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62c1a2b4c06f5d70279bd448",
"name": "visai.ai = KR and CN via M$ Mobile Alliance (cn) to fancybearsmetaverse.com",
"description": "https://www.virustotal.com/gui/collection/3850db2c9266bf22d11d310fcbd17a57f0eb6d0469f1bf40e086d45675e32b18",
"modified": "2022-08-02T00:03:03.164000",
"created": "2022-07-03T14:07:48.853000",
"tags": [
"neural netw",
"Adversary AI",
"Nubotnet",
"fancybears disguise for APT group?",
"hiding in plain sight",
"https://www.virustotal.com/gui/collection/3850db2c9266bf22d11d31"
],
"references": [
"ukraine.fancybearsmetaverse.com - urlscan.io.pdf",
"fancybearmetaverse dom tree text.pdf",
"https://offsetra.com/profile/fancy-bears https://twitter.com/beijingdou https://comparic.pl/fancy-bears-ida-jak-burza-misie-w-formie-nft-kupilo-juz-ponad-4-tys-osob/ https://www.instagram.com/jayalvarrez/ https://www.instagram.com/joannajedrzejczyk/ https://www.instagram.com/barteksibiga/ https://www.instagram.com/kgonciarz/ https://www.instagram.com/oh_anushka/ https://twitter.com/Kwebbelkop https://forbes.mc/article/fancy-bears-and-the-future-of-pfp-projects-or-how-to-survive-the-nft-bear-run-with-fancy-b",
"https://www.virustotal.com/graph/embed/g96a011279c1942f0b5644f38d156ae7107598635bfee4c6b9a7911857f50af14",
"https://www.virustotal.com/gui/collection/590cd6fd12494aea96281b5cbaded3431c79fe4956854a9aaaac3a305a50b76d",
"VirusTotal - URL - 471fa55e5431d365e506bd95e9238ce59bb42094223a47d03b54e5c2679a1.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 445,
"hostname": 225,
"domain": 84,
"FileHash-SHA256": 732
},
"indicator_count": 1486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 393,
"modified_text": "1357 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6235faa524089ec2ee1b0d18",
"name": "github_trump_0x729.github.io:%22",
"description": "",
"modified": "2022-04-18T00:07:16.048000",
"created": "2022-03-19T15:45:41.858000",
"tags": [],
"references": [
"github_trump_0x729.github.io:%22,pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 583,
"hostname": 347,
"domain": 145,
"FileHash-SHA256": 1183,
"CIDR": 5,
"FileHash-MD5": 32,
"FileHash-SHA1": 4
},
"indicator_count": 2299,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 407,
"modified_text": "1463 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62316b081ee1a4902cf85a41",
"name": "discord-badges.com:%22,.",
"description": "",
"modified": "2022-04-14T00:01:40.805000",
"created": "2022-03-16T04:43:52.787000",
"tags": [
"WannaCry"
],
"references": [
"discord-badges.com:%22,.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Ransomware.WannaCry-9856297-0",
"display_name": "Win.Ransomware.WannaCry-9856297-0",
"target": null
}
],
"attack_ids": [],
"industries": [
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 211,
"URL": 332,
"domain": 56,
"FileHash-SHA256": 208,
"CIDR": 1,
"FileHash-MD5": 8
},
"indicator_count": 816,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 407,
"modified_text": "1467 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "622f4574af9ba0d28f7a053c",
"name": "www.smartmatic.com:%22,_Cloudflare Wed, 02 Feb 2022",
"description": "",
"modified": "2022-04-13T00:01:48.292000",
"created": "2022-03-14T13:39:00.594000",
"tags": [
"WannaCry"
],
"references": [
"www.smartmatic.com:%22,_Cloudflare.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Ransomware.WannaCry-9856297-0",
"display_name": "Win.Ransomware.WannaCry-9856297-0",
"target": null
}
],
"attack_ids": [],
"industries": [
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 472,
"hostname": 267,
"domain": 56,
"FileHash-SHA256": 630,
"CIDR": 3,
"FileHash-MD5": 11
},
"indicator_count": 1439,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 406,
"modified_text": "1468 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "622271b1360810e486ae6510",
"name": "gainpower.org ~ Voting Rights Non-profit",
"description": "",
"modified": "2022-04-03T00:00:55.161000",
"created": "2022-03-04T20:08:17.351000",
"tags": [],
"references": [
"gainpower.org.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"NGO"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 816,
"URL": 2550,
"domain": 263,
"FileHash-SHA256": 1159,
"CIDR": 5,
"FileHash-MD5": 45,
"FileHash-SHA1": 3
},
"indicator_count": 4841,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 407,
"modified_text": "1478 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "622167b3c1d86e9eb377284b",
"name": "www.jasmineforus.com",
"description": "",
"modified": "2022-04-02T00:04:50.405000",
"created": "2022-03-04T01:13:23.296000",
"tags": [],
"references": [
"jasmineforus.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 115,
"URL": 336,
"domain": 42,
"FileHash-SHA256": 394,
"CIDR": 1,
"FileHash-MD5": 4
},
"indicator_count": 892,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 406,
"modified_text": "1479 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62215f837238c441a3293f68",
"name": "www.janehopehamilton.com",
"description": "",
"modified": "2022-04-02T00:04:50.405000",
"created": "2022-03-04T00:38:27.697000",
"tags": [],
"references": [
"www.janehopehamilton.com:%22,.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 192,
"URL": 374,
"domain": 141,
"FileHash-SHA256": 983,
"CIDR": 3,
"FileHash-MD5": 18,
"FileHash-SHA1": 5
},
"indicator_count": 1716,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 406,
"modified_text": "1479 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "621c7f04c9f6fcdb5affe0c3",
"name": "discord-badges.com:%22,",
"description": "",
"modified": "2022-03-30T00:00:10.458000",
"created": "2022-02-28T07:51:32.094000",
"tags": [],
"references": [
"discord-badges.com:%22,.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 159,
"URL": 194,
"domain": 37,
"FileHash-SHA256": 211,
"CIDR": 1,
"FileHash-MD5": 8
},
"indicator_count": 610,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 408,
"modified_text": "1482 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "621143633828e3a4ccd31310",
"name": "Cornerstone.cc",
"description": "",
"modified": "2022-03-21T00:02:26.523000",
"created": "2022-02-19T19:22:11.317000",
"tags": [
"div div",
"a domains",
"a li",
"li ul",
"p li",
"cedar oak",
"p div",
"merchant login",
"partner login",
"html",
"date",
"accept",
"body"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 136,
"hostname": 22,
"FileHash-SHA256": 116,
"domain": 6,
"FileHash-SHA1": 1
},
"indicator_count": 281,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 406,
"modified_text": "1491 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.",
"http://fillmark.net/index.php [phishing]",
"iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted",
"Win.Trojan.Simda: FileHash-SHA1 fec01e5e59034cafc2b1e95c23068e075f9dbe69",
"Emotet IDS Detections: Win32/Emotet CnC Checkin Response",
"Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8",
"https://www.YouTube.com/polebote",
"Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http",
"POLICY Unsupported/Fake Internet Explorer Version MSIE 2",
"Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
"https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf",
"Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net",
"https://sms-apple.com/login",
"If someone is believed to be a threat they have right to due process.",
"Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left",
"Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/",
"https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect",
"http://mouthgrave.net/index.php",
"Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer",
"upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com",
"www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022",
"Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9",
"*WEBSITE.WS Your Internet Address For Life",
"Yara Detections: Delphi",
"device-local-**********. remotewd.com",
"trojan.shiz/razy | CS IDS: Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan",
"Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9",
"Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring",
"truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647",
"2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt",
"Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad",
"federallegionconnbot.t.me",
"jasmineforus.pdf",
"22.hio52.r.cloudfront.net",
"Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e",
"IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile",
"Monitored Target/s",
"nr-data.net [Apple Private Data Collection]",
"FormBook IP: 142.251.211.243",
"Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Tim Shelton, Nasreddine Bencherch",
"https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales",
"scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99",
"http://deposito.hostance.net/dialer/",
"https://offsetra.com/profile/fancy-bears https://twitter.com/beijingdou https://comparic.pl/fancy-bears-ida-jak-burza-misie-w-formie-nft-kupilo-juz-ponad-4-tys-osob/ https://www.instagram.com/jayalvarrez/ https://www.instagram.com/joannajedrzejczyk/ https://www.instagram.com/barteksibiga/ https://www.instagram.com/kgonciarz/ https://www.instagram.com/oh_anushka/ https://twitter.com/Kwebbelkop https://forbes.mc/article/fancy-bears-and-the-future-of-pfp-projects-or-how-to-survive-the-nft-bear-run-with-fancy-b",
"http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
"IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)",
"https://www.virustotal.com/graph/embed/g96a011279c1942f0b5644f38d156ae7107598635bfee4c6b9a7911857f50af14",
"Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx",
"http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com",
"Yara Detections PEtite24",
"Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile",
"BigRock: gadyzyh.com",
"https://pegasusm2.bullsbikesusa.com",
"Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]",
"https://shell-gift.website/sweeps/de/amazon-voucher/question1000-agg/index.html?uclick=qdlpqnvr&uclickhash=qdlpqnvr-qdlpqnvr-pmwj-0-xsi4-hovr-hoi4-9b6533",
"appleid-support.com apple-access.com appleid-support.com demo171.apple.com apple.k8s.joewa.com w-t-blu-371ac852.cloudapp.net",
"mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,",
"https://otx.alienvault.com/indicator/domain/sanso-mirai.jp",
"Alerts: deletes_executed_files injection_runpe persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading resumethread_remote_process powershell_download powershell_request",
"Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
"trojan.shiz/razy | CS IDS: Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda Matches rule PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning",
"https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com",
"Telegram - https://t.me/login/***** | fFileHash-SHA256 cecaa6014e0cdc41ead0b076169175c9342a2ccc4b3e48549f88ea87ba8c034",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"Antivirus Detections: Win.Malware.Oxypumper-6900445-0",
"sonymobilemail.com",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled",
"Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1",
"IDS Detections: Observed Discord Domain (discord .com in TLS SNI)",
"Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly",
"discord-badges.com:%22,.pdf",
"https://songculture.com/tsara-brashears-music | Cloudfront below was attached to body of work",
"www.janehopehamilton.com:%22,.pdf",
"Pornhub to your phone. Dumping or by request?",
"michigan.gov.pdf",
"iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com",
"Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/",
"Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103",
"Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com",
"https://otx.alienvault.com/indicator/file/e6f8e2706058064d8f38d12923e52cec7a128218b39ca1fe60a2dde7ac3d158f | binary_yara mpress_2_xx_x86",
"Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,",
"https://www.youtube.com/watch?v=bJWJbOqg9cM - Falsely flagged to demonetize and not rank",
"https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]",
"https://hybrid-analysis.com/sample/ff37a006ed8677bafa412d653ce9adfe84744702f28f7dfe9f5f4ec51b599419/689505a3a647793a0300f73f",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
"Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT",
"OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist",
"Worked at some studios attacked by Lazarus Group who allegedly attacked Sony Music",
"https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]",
"Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1",
"Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users",
"URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org",
"VirTool:Win32/Injector: FileHash-SHA1 3e7124373729e9ec90ea1d01222bfdd84b0484e5",
"yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com",
"IDS: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP | Not Russia - Americans Masquerading",
"trojan.shiz/razy: FileHash-SHA256 02ed9fac1ebab76f551f1c27c0831541a3e0a6a716b392b16f34689b8fba08d8",
"HTTP traffic on port 443 (POST)",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79",
"iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E",
"fancybearmetaverse dom tree text.pdf",
"Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp",
"us-gov-west-1.gov.reveal-global.com",
"Win.Trojan.Simda: FileHash-SHA256 0187e1392266fff224de9e3d3fbbe1a05cea8b823906ad27ff577c6e348f6e3b",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545",
"Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5",
"Researched: 210.172.192.15 | p192015.mirai.ne.jp | sanso-mirai.jp",
"http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/",
"Odpis_Aktualny_KRS_0001051191.pdf",
"Alerts: injection_inter_process creates_largekey network_bind persistence_autorun persistence_autorun_tasks",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"s3.amazonaws.com [targeting data collection]",
"Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com",
"https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA",
"lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json",
"1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]",
"Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
"ransomed.vc",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less",
"VirTool:Win32/Injector: FileHash-MD5 baa1a920d33eee94e123f5dfb6bbe7456692e020d682ae45f0de66130f9ea0da",
"https://otx.alienvault.com/indicator/ip/216.40.34.41",
"MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer",
"Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,",
"Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]",
"pegahpouraseflaw.info",
"Virustotal - google.com.uy",
"api.omgpornpics.com",
"https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign",
"United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel",
"Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
"174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
"www-temp.metrobyt-mobile.com [malicious | data collection]",
"TEL:Win32/Qjwmonkey.A: FileHash-SHA1 51efdae4ba6bfec8e6f4ae2d7f6dc8cca42db1da",
"0.0.0.0 log4shell-generic-z8lrtjkgkm4zhi6necwi.r.nessus.org",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,",
"Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
"ukraine.fancybearsmetaverse.com - urlscan.io.pdf",
"ns2.tsaratsovo.net",
"Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc",
"Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7",
"trojan.shiz/razy | Capabilities Collection Log keystrokes via polling",
"www.icloud.com [wp-login.php]",
"https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622",
"http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/",
"Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"trojan.shiz/razy | CS IDS: Matches rule PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger",
"https://es.pornhat.com/models/the-sex-creator/",
"https://hybrid-analysis.com/sample/f6e628e57373bf795bae87c883dcaefdbb720960133edc1adacc6146d10fc88a",
"8-25-220-162-static.reverse.queryfoundry.net",
"https://www.virustotal.com/gui/file/02ed9fac1ebab76f551f1c27c0831541a3e0a6a716b392b16f34689b8fba08d8/detection",
"Cart.Guru",
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://glare.pali om. \u2022 http://engage.palantirfou?",
"FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955",
"Yara : MS_Visual_Basic_6_0 ,",
"Can the DoD no questions asked target a SA victim",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com",
"https://www.virustotal.com/gui/collection/590cd6fd12494aea96281b5cbaded3431c79fe4956854a9aaaac3a305a50b76d",
"Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check",
"docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com",
"IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query",
"http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]",
"http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing",
"Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
"https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/",
"IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE",
"https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"TEL:Win32/Qjwmonkey.A: FileHash-MD5 535ce96e43fe532e1ddfd804dbde9c6a",
"https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/",
"TEL:Win32/Qjwmonkey.A: FileHash-SHA256 30ffb056ad64037a918d80c120db5d0032b29feb7db97ed19824646381165a5d",
"https://4.img-dpreview.com/files/p/articles/2356747397/samsung_nv24hd_bk.jpeg",
"IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)",
"Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a",
"Win.Trojan.Simda: FileHash-MD5 efe12fc770fb8647e22adb7f814666e7",
"https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com",
"It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"\"Nobody Love\" Tori Kelley \"'m the One\" DJ Khaled ft Justin Bieber (Pirated Hook)",
"thevipporn.com porn25.com lowendporn.com pz7.iqg29.cn",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC",
"VirTool:Win32/Injector: FileHash-SHA256 0806653f8af2e9c2530e453f8b1fea47f62f86b5b0b65487ddcfd014eea8e9fe",
"engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com",
"caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com",
"Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
"scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.",
"Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA",
"Dr.Web violence/adult content (False) ThreatSeeker social web - youtube",
"43.204.54.95 AS 16509 (AMAZON-02), http://r10.i.lencr.org/, www.maketrumppresidentagain.site",
"[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
"trojan.shiz/razy | CS Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Benche",
"github_trump_0x729.github.io:%22,pdf",
"Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma",
"https://hs.ecam.com/your-challenges-ecams-solutions",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"DotNET_Crypto_Obfuscator",
"Alerts: mouse_movement_detect",
"There is fear in silence or speaking out",
"Alleged CSAM Alleged Phishing Alleged PIIExposure",
"pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz",
"www.techcult.com",
"checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon",
"iamrobert.com Y.A.S.",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips",
"webdisk.thehomemakers.nl [spyware | tracking]",
"Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer",
"https://www.exito.com/galaxy-m12-64-gb-negro-samsung-sm-m127fzkkcoo-3016108/p",
"Datacenter / Hosting / VPS Reverse DNS host77.ipowerweb.com Location United States",
"Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"I am very upset. Whoever is doing this is sick.",
"Mirai Communication Network Inc. (AS7690) Seto, Japan ASN is a BGP Network",
"http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C",
"http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"External Hosts Israel Unique Countries 2 Unique ASNs 2 IP",
"https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022",
"https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
"https://t.me/login/36861 = GET /login/36861 | Server: nginx/1.18.0",
"iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com",
"www.anyxxxtube.net [malicious data collection]",
"http://www.mylifelawyer.com/services/denver-affordable-lawyer-child-custody/",
"trojan.shiz/razy | CS IDS: Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst",
"Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |",
"Telegram | IP 66.235.200.146 | Indicator Possible recent Mirai infection",
"Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ",
"Yara: Detections ConventionEngine_Term_Users",
"log4shell-generic-ammqgekxvatp3a2qyw71ten.r.nessus.org play.google.com demo171.apple.com apps.apple.com",
"Intellectual property accessed and distributed",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing",
"tv.apple.com",
"IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"www.donaldjtrump.com.pdf",
"Ransom:Win32/Crowti.A: FileHash-MD5 d34cf3663902900ddf46b937449472b9",
"www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
"pegasusintel.com",
"Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)",
"music.apple.com \u2022 linktr.ee \u2022 sentient.industries? samsara has been showing up often.",
"IDS Detections: W32/Zbot.Variant Fake MSIE 6.0 UA FormBook CnC Checkin (GET) FormBook CnC Checkin (GET) FormBook CnC Checkin (GET)",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co",
"https://hybrid-analysis.com/sample/d30cf86f09e3ab7bb7d0a4ac2608aafb31e07c94fe77f5a264ccdb35fe153c59/689505ded9be5613900509fd",
"Ransom:Win32/Crowti.A: FileHash-SHA1 05a49b7502099932ff628ca5a8583397b7e2dca2",
"iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com",
"MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27",
"IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
"Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
"simswap.in (possible Mirai or relationship to)",
"Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key",
"https://d3jjg4nf4bbybe.cloudfront.net/u/210425/397f80d871fe6dla1704cela4b712e387ed8a48a/large/kedence-out-of-my-sight",
"https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"api.utah.edu [access apple]",
"Yara Detections: Nullsoft_NSIS ...",
"There is money in the industry for well established , \u2018souled\u2019 out artists. It\u2019s a racket! T signed & exited early",
"DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net",
"Alerts: spawns_dev_util cape_detected_threat injection_process_hollowing antivm_generic_services",
"Ransom:Win32/Crowti.A: FileHash-SHA256 1ffa6a3f8844b5955fc5e7329a6fb766cc1f35b39201ceaf0bca282b5b0b8cf6",
"cs9.wac.phicdn.net.1.1.e64a8639.roksit.net",
"medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com",
"https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29",
"Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
"checkip.dyndns.org [command and control]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site",
"Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips",
"www.killer333.club So I\u2019m right.",
"VirusTotal - URL - 471fa55e5431d365e506bd95e9238ce59bb42094223a47d03b54e5c2679a1.pdf",
"Target agreed and complied with all lie detector measures.",
"Matches rule ET INFO Namecheap URL",
"https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a",
"Telegram | Indicator: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP",
"Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
"google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/",
"Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models",
"smartertrack.appliedi.net, http://analytics.com/track?id=55",
"Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
"https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/",
"ASN 82.80.204.63 www5.incredimail.com \u2022 Israel",
"144.76.108.82 [scanning host]",
"ASN AS13335 cloudflare DNS Resolutions",
"Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc",
"http://117-114-251-162-static.reverse.queryfoundry.net/ - queryfoundry.net",
"Antivirus Detections: Win32:MalwareX-gen\\ [Trj]",
"www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!",
"Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx",
"Matches rule Windows Processes Suspicious Parent Directory by vburov",
"Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5",
"IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...",
"https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"https://meumundogay-com.sexogratis.page/locker",
"www.smartmatic.com:%22,_Cloudflare.pdf",
"104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]",
"Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http",
"FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848",
"https://side3.com/",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name",
"HOSTEDBYAPPLIEDI.NET - Enom",
"\u2018Passin\u2019 I deleted the pulses you asked me to. Your links were malicious. I haven\u2019t weaponize anything I\u2019ve learned... yet",
"http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com",
"https://www.side3.com",
"andrewka6.pythonanywhere.com [python connection - apple]",
"https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?",
"Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser",
"*ccm-command-center.int.m1np.symetra.cloud",
"Foundry stalking.",
"https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
"AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"gainpower.org.pdf",
"campdeadwood2026.com",
"http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy",
"I apologize if you don\u2019t like my background stories",
"Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE",
"http://remote.edikamin.com/",
"User-Agent (Mozilla) - Possible Spyware Related WinHttpRequest Downloading EXE Likely Evil EXE download from WinHttpRequest non-exe extension",
"Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy",
"https://otx.alienvault.com/indicator/ip/210.172.192.15",
"nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"Mustang Panda",
"Palantir Pegasus"
],
"malware_families": [
"Virtool:win32/autinject.cz!bit",
"Trojandropper:win32/vb.il",
"Backdoor:win32/tofsee",
"Win32:evo-gen",
"Win.malware.jaik-9968280-0",
"Ransom",
"Win32:backdoor",
"Tel:exploit:o97m/cve-2017-8570",
"Formbook",
"Wannacry",
"Bancos",
"Ransomware",
"Trojandownloader:win32/cutwail",
"Tofsee",
"Malware",
"Trojandropper:win32/hupigon.gen!a",
"Sibot",
"Ransom:win32/stopcrypt.ak!mtb",
"Virtool:win32/obfuscator",
"Win32:malob-bx\\ [cryp]",
"Hacktool",
"#lowfienabledtcontinueafterunpacking",
"Pegasus",
"Cycbot",
"Trojanspy:win32/banker.ly",
"Virtool:win32/obfuscator.ahu",
"Alf:pulzati:worm:win32/mydoom",
"Shellcode",
"Trojan:win32/diamin.f",
"Win.trojan.14278494-1",
"Pegasus - mob-s0005",
"Tulach",
"Trojan:win32/bagsu!rfn",
"Win.trojan.emotet-7545664-0",
"Win32:malware",
"Emotet",
"Hematite",
"Trojandownloader:win32/banload.d",
"Trojandownloader:win32/upatre!rfn",
"Trojan:win32/kryptik",
"Trojan:win32/qqpass",
"Sf:agent-dq\\ [trj]",
"Slfper:softwarebundler:win32/dlhelper",
"Win32:agent",
"Win32:cabmod\\ [drp]",
"Trojanproxy:win32/ceutv.a",
"Alf:heraklezeval:trojan:win32/ymacco",
"Win.trojan.tofsee-9770082-1",
"Ransom:win32/wannaren.a",
"Win32:dropper",
"Mirai",
"Win.malware.incredimail-6804483-0",
"Tel:win32/qjwmonkey.a",
"#lowfi:win32/sandboxproductid",
"Malwarex",
"Ymacco",
"Win.trojan.simda",
"Cyber criminal",
"Ransom:win32/wannacrypt.h",
"Win32:evo",
"Vb flash",
"Pony",
"Trojan:win32/mydoom",
"Backdoor:win32/plugx.n!dha",
"Win.trojan.agent",
"Trojandownloader:win32/upatre",
"Backdoor:win32/plugx.n!",
"Win.dropper.qqpass-7194329-0",
"Trojandropper:win32/tofsee",
"Foundry",
"Warzonerat - s0670",
"Njrat",
"Win.malware.oxypumper-6900445-0",
"Trojandropper:win32/vb.il0",
"Alf:trojan:msil/blackfus.c",
"Upatre",
"Trojan:win32/comisproc!gmb",
"Alf:trojan:win32/cassini_56a3061!ibt",
"Win32:trojan",
"Win32:malwarex",
"Apnic",
"Win32:rootkit",
"Dialer",
"Malware gen",
"Win.packer.pkr_ce1a-9980177-0",
"Win32:cleaman-k\\ [trj]",
"Win.ransomware.msilzilla-10014498-0",
"Win32:pwsx-gen\\ [trj]",
"Trojan:win32/qbot.r!mtb",
"Win.packed.enigma-10023199-0",
"Rxr",
"Evo",
"Alf:heraklezeval:pua:win32/keygen",
"Ransom:win32/crowti.a",
"#lowfi:sigattr:urlshortner",
"Virtool:win32/ceeinject.akz!bit",
"Installer",
"Win.ransomware.wannacry-9856297-0",
"Trojanspy:win32/nivdort",
"Worm:win32/mydoom",
"Malware + code overlap",
"Virtool:win32/injector.gen!bq",
"Win.trojan.crypt-142",
"Unix.trojan.darknexus-7679166-0",
"Virtool",
"Goldmax",
"Trojan:win32/vflooder!rfn",
"Asacky",
"Trojandownloader:win32/upatre.a",
"Win32:dropperx-gen\\ [drp]",
"Win.trojan.agent-316098",
"Sality",
"Win32:evo-gen\\ [susp]",
"Win32:trojanx-gen\\ [trj]",
"#lowfi:lua:autoitv3craftedoverlay",
"Backdoor:win32/tofsee.t",
"Ransom:win32/gandcrab.ae",
"Elf:mirai-gh\\ [trj]",
"Win.packed.razy-6847895-0",
"Worm:win32/autorun",
"Maui ransomware",
"Trojanspy",
"Telper:hstr:clean:ninite",
"Trojandownloader:win32/upatre.e",
"Banload",
"Trojandropper:win32/bcryptinject.b!msr",
"Trojan:msil/trojandropper",
"Trojan:win32/glupteba",
"#exploit:win32/cve- 2023 - 23397",
"Goldfinder",
"!#addscopy-tostartup",
"Alfper",
"Trojan:win32/startpage.aea",
"Virtool:win32/injector",
"Trojan:bat/musecador",
"Backdoor:win32/plugx",
"Cve-2023-22518",
"Nivdort",
"Mirai communications"
],
"industries": [
"Telecommunications",
"Entertainment",
"Civil society",
"Entertainers",
"Technology",
"Recording industry",
"Government",
"Ngo",
"Media"
],
"unique_indicators": 191893
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/googleapis.com",
"whois": "http://whois.domaintools.com/googleapis.com",
"domain": "googleapis.com",
"hostname": "fonts.googleapis.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "69e4b26998e73fb434180bcb",
"name": "7896e02054066e7810763b441b4b7ffc2aa755064fc9ef531f267c5cc8c837e5",
"description": "7896e02054066e7810763b441b4b7ffc2aa755064fc9ef531f267c5cc8c837e5",
"modified": "2026-04-19T12:34:18.786000",
"created": "2026-04-19T10:46:01.609000",
"tags": [
"ip address"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 180,
"IPv4": 16,
"domain": 68,
"URL": 181,
"hostname": 130,
"FileHash-SHA1": 9,
"JA3": 1,
"FileHash-MD5": 13,
"IPv6": 2,
"email": 7
},
"indicator_count": 607,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "19 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d4619c47e294ad9f6488e5",
"name": "27d40d40d00040d1dc42d43d00041d6183ff1bfae51ebd88d70384363d525c",
"description": "The full text of this page, which contains the name, \"Whois\", is published on the website of Google.com, the firm that owns the search giant's search engine, its parent site.",
"modified": "2026-04-07T04:25:21.664000",
"created": "2026-04-07T01:45:00.190000",
"tags": [
"united",
"unknown",
"as13335",
"as54113",
"aaaa",
"a domains",
"as396982",
"script urls",
"nexus category",
"code",
"date",
"title",
"encrypt",
"thumbprint",
"email",
"city",
"server",
"registrar abuse",
"us admin",
"admin postal",
"mn billing",
"milaca billing"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 64,
"FileHash-SHA1": 43,
"IPv6": 6,
"hostname": 46,
"IPv4": 110,
"domain": 36,
"email": 8,
"CIDR": 3,
"FileHash-MD5": 7,
"FileHash-SHA256": 9,
"CVE": 2
},
"indicator_count": 334,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "13 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d4619c23aeade1bd8bb97e",
"name": "27d40d40d00040d1dc42d43d00041d6183ff1bfae51ebd88d70384363d525c",
"description": "The full text of this page, which contains the name, \"Whois\", is published on the website of Google.com, the firm that owns the search giant's search engine, its parent site.",
"modified": "2026-04-07T04:25:20.672000",
"created": "2026-04-07T01:45:00.700000",
"tags": [
"united",
"unknown",
"as13335",
"as54113",
"aaaa",
"a domains",
"as396982",
"script urls",
"nexus category",
"code",
"date",
"title",
"encrypt",
"thumbprint",
"email",
"city",
"server",
"registrar abuse",
"us admin",
"admin postal",
"mn billing",
"milaca billing"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 29,
"FileHash-SHA1": 33,
"IPv6": 6,
"hostname": 14,
"IPv4": 18,
"domain": 8,
"email": 4,
"CVE": 2
},
"indicator_count": 114,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "13 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a53036e5895c8b352ff5fc",
"name": "www.com.apple.gamecontroller.driver.xboxgamepad.com",
"description": "Artifacts",
"modified": "2026-04-01T13:51:25.078000",
"created": "2026-03-02T06:37:42.626000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1953,
"domain": 299,
"URL": 198,
"email": 11,
"FileHash-MD5": 69,
"FileHash-SHA1": 73,
"FileHash-SHA256": 699,
"CIDR": 6
},
"indicator_count": 3308,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69c1e12737e9fbfd330fdc22",
"name": "alphamountain.ai",
"description": "DGA domain",
"modified": "2026-03-25T02:48:08.520000",
"created": "2026-03-24T00:56:07.456000",
"tags": [
"united",
"unknown",
"asnone country",
"aaaa",
"present jun",
"present jul",
"present sep",
"moved",
"a domains",
"passive dns",
"title",
"date",
"zeppelin",
"accept",
"encrypt"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 275,
"FileHash-MD5": 8,
"FileHash-SHA1": 12,
"FileHash-SHA256": 4,
"IPv4": 48,
"IPv6": 203,
"domain": 19,
"hostname": 137
},
"indicator_count": 706,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "26 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69640c0afc9805a6fa2da07b",
"name": "MUSO.AI Malware \u2018Incredimail\u2019 Palantir in use[OTX auto populated title -Tsara Brashears]",
"description": "MUSO.Ai , Is have to do more research. Some searches on reports MUSO as an opt in resource for artist to view, sort, and manage legacy credits, MUSO also collects royalties. Research and investigation confirms no one on music team is associated with or l thinks they may have heard of MUSO. Is MUSO. AI Palantir customer or service ,spy app services by the folks at Palantir. . [otx auto pop praise: Tsara Brashears is the most popular songwriter in the world, but can you use the app to find out more about the artist and the musicians behind the tracks?] cute. \n#dembiak #palantir #muso #ai",
"modified": "2026-02-10T20:03:47.214000",
"created": "2026-01-11T20:46:02.176000",
"tags": [
"lark kdence",
"zack dare",
"zafira",
"jon bonus",
"andy flebbe",
"div div",
"present nov",
"a domains",
"united",
"script urls",
"div a",
"script domains",
"discover",
"moved",
"insert",
"x0 tw",
"urls",
"cloudfront x",
"title error",
"url analysis",
"reverse dns",
"servers",
"name servers",
"united states",
"all ipv4",
"aaaa",
"ip address",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"evasion att",
"t1480 execution",
"ascii text",
"mitre att",
"pattern match",
"null",
"error",
"click",
"hybrid",
"general",
"local",
"path",
"starfield",
"strings",
"refresh",
"tools",
"meta",
"onload",
"span",
"data upload",
"extraction",
"type",
"extra",
"referen https",
"include review",
"exclude sugges",
"stop",
"aivoes typ",
"passive dns",
"date",
"united states",
"status",
"domain add",
"files",
"hostname",
"read c",
"medium",
"search",
"show",
"memcommit",
"high",
"checks",
"windows",
"delete",
"execution",
"dock",
"write",
"persistence",
"capture",
"next",
"amazon02",
"as autonomous",
"system",
"asn16509",
"domain",
"current dns",
"a record",
"as16509",
"december",
"ip information",
"ipasns ip",
"google",
"fastly",
"googlecl",
"akamaias",
"cloudflar",
"domain tree",
"links ip",
"address as",
"cisco",
"umbrella rank",
"general full",
"url https",
"software",
"resource hash",
"protocol h2",
"security tls",
"hostname add",
"challengescript",
"captchascript",
"name",
"value",
"source level",
"url text",
"automatic",
"webgl",
"please",
"extr data",
"data",
"size",
"title",
"yara detections",
"filehash",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"entries",
"rgba",
"unicode",
"asnone",
"malware",
"port",
"destination",
"tlsv1",
"tls handshake",
"failure",
"roboto",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"expiration",
"url http",
"no expiration",
"present jan",
"unknown ns",
"certificate",
"body",
"present oct",
"present may",
"present dec",
"present sep",
"present feb",
"showing",
"next associated",
"all se",
"pulse pulses",
"http",
"files domain",
"files related",
"pulses none",
"debiak",
"tsara brashears",
"ai",
"palantir",
"muso ai",
"sort",
"artists",
"royalties",
"music",
"songwriter",
"collect",
"view",
"malicious app",
"false claims"
],
"references": [
"https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a",
"22.hio52.r.cloudfront.net",
"us-gov-west-1.gov.reveal-global.com",
"us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647",
"MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page",
"External Hosts Israel Unique Countries 2 Unique ASNs 2 IP",
"ASN 82.80.204.63 www5.incredimail.com \u2022 Israel",
"United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel",
"AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel",
"Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)",
"IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5",
"Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com",
"medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com",
"caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com",
"upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com",
"https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/",
"http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com",
"https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com",
"engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com",
"https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com",
"http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/",
"https://glare.pali om. \u2022 http://engage.palantirfou?",
"What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co",
"(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.",
"www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022",
"www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!",
"campdeadwood2026.com",
"http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy",
"Pornhub to your phone. Dumping or by request?",
"https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/",
"www.killer333.club So I\u2019m right."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Incredimail-6804483-0",
"display_name": "Win.Malware.Incredimail-6804483-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "TA0028",
"name": "Persistence",
"display_name": "TA0028 - Persistence"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10686,
"hostname": 2427,
"domain": 1094,
"FileHash-MD5": 175,
"FileHash-SHA1": 65,
"FileHash-SHA256": 1118,
"email": 4,
"SSLCertFingerprint": 14
},
"indicator_count": 15583,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69519fa818f84531ce6becc9",
"name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)",
"description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. Where does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.",
"modified": "2026-01-27T21:02:45.343000",
"created": "2025-12-28T21:22:48.383000",
"tags": [
"united",
"servers",
"moved",
"ip address",
"record value",
"encrypt",
"present jul",
"present jun",
"trojandropper",
"passive dns",
"ipv4 add",
"urls",
"files",
"virtool",
"united states",
"dynamicloader",
"directui",
"element",
"classinfobase",
"write c",
"medium",
"yara rule",
"msvisualbasic60",
"high",
"hwndelement",
"explorer",
"write",
"movie",
"insert",
"program",
"python",
"http traffic",
"trojan generic",
"search",
"cnc activity",
"delphi",
"win32",
"launcher",
"pony",
"fareit",
"malware",
"push",
"msie",
"windows nt",
"generic",
"checkin",
"post",
"yara detections",
"rxr",
"inject",
"memcommit",
"cryptexportkey",
"invalid pointer",
"regsetvalueexa",
"solutions ltd",
"read c",
"regdword",
"mozilla",
"persistence",
"execution",
"android",
"unknown",
"learn",
"suspicious",
"informative",
"adversaries",
"ck id",
"name tactics",
"command",
"initial access",
"defense evasion",
"spawns",
"t1590 gather",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"pattern match",
"mitre att",
"ck matrix",
"href",
"ascii text",
"starfield",
"hybrid",
"general",
"local",
"path",
"iframe",
"palantir",
"present nov",
"present oct",
"status",
"present apr",
"present dec",
"cryp",
"date",
"trojan",
"title",
"name servers",
"windows",
"t1060",
"disables proxy",
"dock",
"pegasus",
"rootkit",
"backdoor",
"susp",
"win32qqpass feb",
"worm",
"msr win32",
"win64",
"process32nextw",
"findwindowa",
"file execution",
"writeconsolea",
"procexpl",
"file v2",
"document",
"document file",
"v2 document",
"lost",
"tools",
"pecompact",
"media",
"autorun",
"service",
"post http",
"delete",
"alerts",
"emotet",
"rkt",
"autorun",
"worm",
"plugins",
"title error",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"domain",
"expiration date",
"hostname add",
"pulse pulses",
"contacted hosts",
"sha1",
"sha256",
"show technique",
"strings",
"t1480 execution",
"signing defense",
"script urls",
"a domains",
"unknown ns",
"texas flyover",
"script domains",
"script script",
"meta",
"window",
"process details",
"contacted"
],
"references": [
"Cart.Guru",
"Yara Detections: Delphi",
"Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer",
"MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer",
"HTTP traffic on port 443 (POST)",
"IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query",
"Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs",
"Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http",
"Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates",
"Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http",
"Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe",
"Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check",
"Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad",
"Yara Detections: Nullsoft_NSIS ...",
"Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat",
"Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com",
"Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103",
"Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx",
"Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy",
"Emotet IDS Detections: Win32/Emotet CnC Checkin Response",
"Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users"
],
"public": 1,
"adversary": "Palantir Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "RXR",
"display_name": "RXR",
"target": null
},
{
"id": "Pony",
"display_name": "Pony",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "Trojan:Win32/Bagsu!rfn",
"display_name": "Trojan:Win32/Bagsu!rfn",
"target": "/malware/Trojan:Win32/Bagsu!rfn"
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Win32:MalOb-BX\\ [Cryp]",
"display_name": "Win32:MalOb-BX\\ [Cryp]",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "#Lowfi:Win32/SandboxProductId",
"display_name": "#Lowfi:Win32/SandboxProductId",
"target": "/malware/#Lowfi:Win32/SandboxProductId"
},
{
"id": "Win32:Backdoor",
"display_name": "Win32:Backdoor",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "ALF:Trojan:MSIL/BlackFus.C",
"display_name": "ALF:Trojan:MSIL/BlackFus.C",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "TrojanProxy:Win32/Ceutv.A",
"display_name": "TrojanProxy:Win32/Ceutv.A",
"target": "/malware/TrojanProxy:Win32/Ceutv.A"
},
{
"id": "VirTool:Win32/Obfuscator.AHU",
"display_name": "VirTool:Win32/Obfuscator.AHU",
"target": "/malware/VirTool:Win32/Obfuscator.AHU"
},
{
"id": "ShellCode",
"display_name": "ShellCode",
"target": null
},
{
"id": "Win32:Rootkit",
"display_name": "Win32:Rootkit",
"target": null
},
{
"id": "VB Flash",
"display_name": "VB Flash",
"target": null
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Win.Packed.Razy-6847895-0",
"display_name": "Win.Packed.Razy-6847895-0",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!",
"display_name": "Backdoor:Win32/Plugx.N!",
"target": "/malware/Backdoor:Win32/Plugx.N!"
},
{
"id": "Win.Dropper.QQpass-7194329-0",
"display_name": "Win.Dropper.QQpass-7194329-0",
"target": null
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Win32:Agent",
"display_name": "Win32:Agent",
"target": null
},
{
"id": "Win.Trojan.Agent",
"display_name": "Win.Trojan.Agent",
"target": null
},
{
"id": "Win.Trojan.Emotet-7545664-0",
"display_name": "Win.Trojan.Emotet-7545664-0",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2362,
"domain": 449,
"hostname": 710,
"email": 6,
"FileHash-MD5": 260,
"FileHash-SHA1": 201,
"FileHash-SHA256": 333,
"SSLCertFingerprint": 27
},
"indicator_count": 4348,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "82 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69519fa81048ad057eb9beaa",
"name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)",
"description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. | \nWhere does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.",
"modified": "2026-01-27T21:02:45.343000",
"created": "2025-12-28T21:22:48.595000",
"tags": [
"united",
"servers",
"moved",
"ip address",
"record value",
"encrypt",
"present jul",
"present jun",
"trojandropper",
"passive dns",
"ipv4 add",
"urls",
"files",
"virtool",
"united states",
"dynamicloader",
"directui",
"element",
"classinfobase",
"write c",
"medium",
"yara rule",
"msvisualbasic60",
"high",
"hwndelement",
"explorer",
"write",
"movie",
"insert",
"program",
"python",
"http traffic",
"trojan generic",
"search",
"cnc activity",
"delphi",
"win32",
"launcher",
"pony",
"fareit",
"malware",
"push",
"msie",
"windows nt",
"generic",
"checkin",
"post",
"yara detections",
"rxr",
"inject",
"memcommit",
"cryptexportkey",
"invalid pointer",
"regsetvalueexa",
"solutions ltd",
"read c",
"regdword",
"mozilla",
"persistence",
"execution",
"android",
"unknown",
"learn",
"suspicious",
"informative",
"adversaries",
"ck id",
"name tactics",
"command",
"initial access",
"defense evasion",
"spawns",
"t1590 gather",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"pattern match",
"mitre att",
"ck matrix",
"href",
"ascii text",
"starfield",
"hybrid",
"general",
"local",
"path",
"iframe",
"palantir",
"present nov",
"present oct",
"status",
"present apr",
"present dec",
"cryp",
"date",
"trojan",
"title",
"name servers",
"windows",
"t1060",
"disables proxy",
"dock",
"pegasus",
"rootkit",
"backdoor",
"susp",
"win32qqpass feb",
"worm",
"msr win32",
"win64",
"process32nextw",
"findwindowa",
"file execution",
"writeconsolea",
"procexpl",
"file v2",
"document",
"document file",
"v2 document",
"lost",
"tools",
"pecompact",
"media",
"autorun",
"service",
"post http",
"delete",
"alerts",
"emotet",
"rkt",
"autorun",
"worm",
"plugins",
"title error",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"domain",
"expiration date",
"hostname add",
"pulse pulses",
"contacted hosts",
"sha1",
"sha256",
"show technique",
"strings",
"t1480 execution",
"signing defense",
"script urls",
"a domains",
"unknown ns",
"texas flyover",
"script domains",
"script script",
"meta",
"window",
"process details",
"contacted"
],
"references": [
"Cart.Guru",
"Yara Detections: Delphi",
"Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer",
"MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer",
"HTTP traffic on port 443 (POST)",
"IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query",
"Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs",
"Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http",
"Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates",
"Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http",
"Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe",
"Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check",
"Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad",
"Yara Detections: Nullsoft_NSIS ...",
"Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat",
"Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com",
"Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103",
"Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx",
"Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy",
"Emotet IDS Detections: Win32/Emotet CnC Checkin Response",
"Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users"
],
"public": 1,
"adversary": "Palantir Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "RXR",
"display_name": "RXR",
"target": null
},
{
"id": "Pony",
"display_name": "Pony",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "Trojan:Win32/Bagsu!rfn",
"display_name": "Trojan:Win32/Bagsu!rfn",
"target": "/malware/Trojan:Win32/Bagsu!rfn"
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Win32:MalOb-BX\\ [Cryp]",
"display_name": "Win32:MalOb-BX\\ [Cryp]",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "#Lowfi:Win32/SandboxProductId",
"display_name": "#Lowfi:Win32/SandboxProductId",
"target": "/malware/#Lowfi:Win32/SandboxProductId"
},
{
"id": "Win32:Backdoor",
"display_name": "Win32:Backdoor",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "ALF:Trojan:MSIL/BlackFus.C",
"display_name": "ALF:Trojan:MSIL/BlackFus.C",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "TrojanProxy:Win32/Ceutv.A",
"display_name": "TrojanProxy:Win32/Ceutv.A",
"target": "/malware/TrojanProxy:Win32/Ceutv.A"
},
{
"id": "VirTool:Win32/Obfuscator.AHU",
"display_name": "VirTool:Win32/Obfuscator.AHU",
"target": "/malware/VirTool:Win32/Obfuscator.AHU"
},
{
"id": "ShellCode",
"display_name": "ShellCode",
"target": null
},
{
"id": "Win32:Rootkit",
"display_name": "Win32:Rootkit",
"target": null
},
{
"id": "VB Flash",
"display_name": "VB Flash",
"target": null
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Win.Packed.Razy-6847895-0",
"display_name": "Win.Packed.Razy-6847895-0",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!",
"display_name": "Backdoor:Win32/Plugx.N!",
"target": "/malware/Backdoor:Win32/Plugx.N!"
},
{
"id": "Win.Dropper.QQpass-7194329-0",
"display_name": "Win.Dropper.QQpass-7194329-0",
"target": null
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Win32:Agent",
"display_name": "Win32:Agent",
"target": null
},
{
"id": "Win.Trojan.Agent",
"display_name": "Win.Trojan.Agent",
"target": null
},
{
"id": "Win.Trojan.Emotet-7545664-0",
"display_name": "Win.Trojan.Emotet-7545664-0",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2362,
"domain": 449,
"hostname": 710,
"email": 6,
"FileHash-MD5": 260,
"FileHash-SHA1": 201,
"FileHash-SHA256": 333,
"SSLCertFingerprint": 27
},
"indicator_count": 4348,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "82 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://fonts.googleapis.com/css2",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://fonts.googleapis.com/css2",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776673689.8231585
}