{ "type": "URL", "indicator": "https://forever-canadian.ca", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://forever-canadian.ca", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4378366647, "indicator": "https://forever-canadian.ca", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6a191c2f71c868406024097f", "name": "\u0432\u0437\u043b\u043e\u043c\u0430\u043d\u043d\u044b\u0439", "description": "\u041a \u0447\u0451\u0440\u0442\u0443 \u044d\u0442\u0443 \u043f\u0440\u043e\u0432\u0438\u043d\u0446\u0438\u044e. \u0417\u0430\u0445\u043e\u0434\u0438\u0442\u0435 \u0432\u0441\u0435, \u0432\u043e\u0434\u0430 \u043e\u0442\u043b\u0438\u0447\u043d\u0430\u044f.", "modified": "2026-05-29T04:55:11.325000", "created": "2026-05-29T04:55:11.325000", "tags": [ "tuca", "sct1", "seg0", "gaz1", "p1780029305477", "sid1780029305", "euaaaaagac", "nsi1", "p1780029178835", "ccc https", "locale" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "Poland" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 543, "FileHash-MD5": 3, "FileHash-SHA256": 3, "IPv4": 119, "domain": 44, "hostname": 86 }, "indicator_count": 798, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a147a0bf4e914672a802773", "name": "forever-canadian[.]ca - 05.25.26", "description": "This is a grassroots political advocacy initiative focused on keeping Alberta in Canada, driven by Lukaszuk and volunteers in response to separatist sentiments in the province. Curiously, it appears they have fallen victim to #Cybercrime. Status of Website: Hacked. Participant Data: Active Distribution (i.e. Data in active use by Cybercriminals). Safety of visiting website: unknown (verdict by HA = Malicious).", "modified": "2026-05-25T16:46:06.153000", "created": "2026-05-25T16:34:19.519000", "tags": [ "entity", "geoip", "as13335", "cloudflarenet", "cloudflare", "as16509", "amazon02", "vercel geoip", "google llc", "as396982", "facebook", "malware", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "download", "platform", "please", "javascript", "sandbox", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "temp", "ansi", "translate", "downloadbubble", "webbluetooth", "passkeyauth", "fencedframes", "fledge", "pcap processing", "pcap", "win64", "date", "null", "accept", "path", "suspicious", "comspec", "cookie", "mozilla", "hybrid", "defense evasion", "close", "model", "click", "hosts", "patch", "over", "general", "encrypt", "level", "wind", "window", "strings", "contact", "url", "website", "web", "scanner", "analyze", "analyzer", "search", "search api", "make sure", "domain", "and not", "page", "home search", "live api", "blog docs", "pricing login" ], "references": [ "https://www.virustotal.com/graph/embed/g5467d8748b4f4a739e6f5d84e15a0a36c60806dc093a4a9ba27ed4a08df63187?theme=dark", "https://www.filescan.io/uploads/6a146fa8efbd399b39ccfd7b/reports/3a0b8fe6-3657-400e-9cfa-eead3847b2b6/overview", "https://www.virustotal.com/gui/collection/bc6e1feb3491c0f9e455e1f513d44afbbcfce4084e6b506c80a19e54f934adf9/summary", "https://www.virustotal.com/gui/collection/bc6e1feb3491c0f9e455e1f513d44afbbcfce4084e6b506c80a19e54f934adf9/iocs", "https://hybrid-analysis.com/sample/93395b86310fc54df817f2898de3874ff2317dce2f10b95200d1c6f73162e987", "https://hybrid-analysis.com/sample/93395b86310fc54df817f2898de3874ff2317dce2f10b95200d1c6f73162e987/6a14751933f72f34d60993b8", "https://urlscan.io/search", "https://viz.greynoise.io/ip/analysis/585ba692-65c8-4295-a308-0914d3378b41" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 94, "URL": 397, "domain": 34, "hostname": 59, "FileHash-MD5": 12, "FileHash-SHA1": 11, "FileHash-SHA256": 5, "SSLCertFingerprint": 11, "email": 4 }, "indicator_count": 627, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/graph/embed/g5467d8748b4f4a739e6f5d84e15a0a36c60806dc093a4a9ba27ed4a08df63187?theme=dark", "https://www.filescan.io/uploads/6a146fa8efbd399b39ccfd7b/reports/3a0b8fe6-3657-400e-9cfa-eead3847b2b6/overview", "https://hybrid-analysis.com/sample/93395b86310fc54df817f2898de3874ff2317dce2f10b95200d1c6f73162e987", "https://urlscan.io/search", "https://www.virustotal.com/gui/collection/bc6e1feb3491c0f9e455e1f513d44afbbcfce4084e6b506c80a19e54f934adf9/iocs", "https://www.virustotal.com/gui/collection/bc6e1feb3491c0f9e455e1f513d44afbbcfce4084e6b506c80a19e54f934adf9/summary", "https://hybrid-analysis.com/sample/93395b86310fc54df817f2898de3874ff2317dce2f10b95200d1c6f73162e987/6a14751933f72f34d60993b8", "https://viz.greynoise.io/ip/analysis/585ba692-65c8-4295-a308-0914d3378b41" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [ "Education", "Government" ], "unique_indicators": 1240 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/forever-canadian.ca", "whois": "http://whois.domaintools.com/forever-canadian.ca", "domain": "forever-canadian.ca", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6a191c2f71c868406024097f", "name": "\u0432\u0437\u043b\u043e\u043c\u0430\u043d\u043d\u044b\u0439", "description": "\u041a \u0447\u0451\u0440\u0442\u0443 \u044d\u0442\u0443 \u043f\u0440\u043e\u0432\u0438\u043d\u0446\u0438\u044e. \u0417\u0430\u0445\u043e\u0434\u0438\u0442\u0435 \u0432\u0441\u0435, \u0432\u043e\u0434\u0430 \u043e\u0442\u043b\u0438\u0447\u043d\u0430\u044f.", "modified": "2026-05-29T04:55:11.325000", "created": "2026-05-29T04:55:11.325000", "tags": [ "tuca", "sct1", "seg0", "gaz1", "p1780029305477", "sid1780029305", "euaaaaagac", "nsi1", "p1780029178835", "ccc https", "locale" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "Poland" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 543, "FileHash-MD5": 3, "FileHash-SHA256": 3, "IPv4": 119, "domain": 44, "hostname": 86 }, "indicator_count": 798, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a147a0bf4e914672a802773", "name": "forever-canadian[.]ca - 05.25.26", "description": "This is a grassroots political advocacy initiative focused on keeping Alberta in Canada, driven by Lukaszuk and volunteers in response to separatist sentiments in the province. Curiously, it appears they have fallen victim to #Cybercrime. Status of Website: Hacked. Participant Data: Active Distribution (i.e. Data in active use by Cybercriminals). Safety of visiting website: unknown (verdict by HA = Malicious).", "modified": "2026-05-25T16:46:06.153000", "created": "2026-05-25T16:34:19.519000", "tags": [ "entity", "geoip", "as13335", "cloudflarenet", "cloudflare", "as16509", "amazon02", "vercel geoip", "google llc", "as396982", "facebook", "malware", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "download", "platform", "please", "javascript", "sandbox", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "temp", "ansi", "translate", "downloadbubble", "webbluetooth", "passkeyauth", "fencedframes", "fledge", "pcap processing", "pcap", "win64", "date", "null", "accept", "path", "suspicious", "comspec", "cookie", "mozilla", "hybrid", "defense evasion", "close", "model", "click", "hosts", "patch", "over", "general", "encrypt", "level", "wind", "window", "strings", "contact", "url", "website", "web", "scanner", "analyze", "analyzer", "search", "search api", "make sure", "domain", "and not", "page", "home search", "live api", "blog docs", "pricing login" ], "references": [ "https://www.virustotal.com/graph/embed/g5467d8748b4f4a739e6f5d84e15a0a36c60806dc093a4a9ba27ed4a08df63187?theme=dark", "https://www.filescan.io/uploads/6a146fa8efbd399b39ccfd7b/reports/3a0b8fe6-3657-400e-9cfa-eead3847b2b6/overview", "https://www.virustotal.com/gui/collection/bc6e1feb3491c0f9e455e1f513d44afbbcfce4084e6b506c80a19e54f934adf9/summary", "https://www.virustotal.com/gui/collection/bc6e1feb3491c0f9e455e1f513d44afbbcfce4084e6b506c80a19e54f934adf9/iocs", "https://hybrid-analysis.com/sample/93395b86310fc54df817f2898de3874ff2317dce2f10b95200d1c6f73162e987", "https://hybrid-analysis.com/sample/93395b86310fc54df817f2898de3874ff2317dce2f10b95200d1c6f73162e987/6a14751933f72f34d60993b8", "https://urlscan.io/search", "https://viz.greynoise.io/ip/analysis/585ba692-65c8-4295-a308-0914d3378b41" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 94, "URL": 397, "domain": 34, "hostname": 59, "FileHash-MD5": 12, "FileHash-SHA1": 11, "FileHash-SHA256": 5, "SSLCertFingerprint": 11, "email": 4 }, "indicator_count": 627, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://forever-canadian.ca", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://forever-canadian.ca", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780246488.0233998 }