{ "type": "URL", "indicator": "https://freedns.afraid.org/dynamic/index.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://freedns.afraid.org/dynamic/index.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4072137207, "indicator": "https://freedns.afraid.org/dynamic/index.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "69d586108786e7be59439809", "name": "Bot.io", "description": "", "modified": "2026-04-07T22:32:48.996000", "created": "2026-04-07T22:32:48.996000", "tags": [ "added active", "related pulses", "found", "zergeca botnet", "zergeca", "upx packer", "khtml", "gecko", "united", "ids detections", "yara detections", "https domain", "tls sni", "ip lookup", "external ip", "malware", "encrypt", "techniques", "modify system", "process", "https", "performs dns", "tls version", "reads cpu", "proc indicative", "urls", "downloads", "persistence", "data upload", "extraction", "find s", "failed", "typ don", "ipv4 url", "canreb", "type ipv4", "url domail", "domail showing", "elf conta", "typ url", "zercega", "enter sc", "type", "include", "review", "n1 exclude", "suggestedincc", "a50 typ", "ipv4", "matches yara", "dete data", "yara detectea", "cro intormation", "exclude sugges", "sc car", "extra lte", "referen", "l extraction", "droo anv", "extr referen", "lte all", "je matches", "yara detel", "yara dete", "include review", "exchange lte", "je elf", "passive dns", "certificate", "files", "trojan", "related tags", "worm", "medium", "write c", "write", "high", "binary", "yara rule", "default", "moved", "schaan", "as834 ipxo", "dynamicloader", "program", "ee fc", "users", "ff d5", "python", "windows", "autoit", "confuserex", "stream", "guard", "launcher", "updater", "global", "america flag", "ashburn", "america related", "tags", "indicator facts", "historical otx", "controller fake", "akamai rank", "russia", "present nov", "aaaa", "link", "a domains", "ip address", "meta", "cve -2014-2321", "handle", "address range", "cidr", "network name", "allocation type", "pa status", "whois server", "included iocs", "manually add", "iocs o", "iocs", "sugges", "stop show", "types", "external", "ripe", "pa abusec", "neterra", "sofia", "bulgaria phone", "filtered person", "neven dilkov", "bg phone", "filtered route", "a5ip", "aa2023", "aamirai", "a2scanner", "apple inc", "issuer", "valid", "algorit", "thum", "name", "a9 a8", "status", "macho", "macho 64bit", "mac os", "x macho", "intel", "typ no", "td td", "td tr", "a td", "dynamic dns", "date", "name servers", "arial", "error", "null", "enough", "hosts", "win32", "fast", "contacted", "MacSync_AppleScript_Stealer", "cve-2018-10562", "source", "roboto", "robotodraft", "helvetica", "iframe", "manually ada", "review iocs", "abv0", "qaeaav0", "cptbdev", "w4uninitialized", "qaeaav01", "abv01", "qaexn", "qbenxz", "phoneidentify", "qbepaxxz" ], "references": [ "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org", "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com", "Zercega \u2022 IPv4 84.54.51.82", "Zercega \u2022 http://bot.hamsterrace.space:5966/", "Zercega \u2022 multi-user.target", "Zercega \u2022 ootheca.pw", "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393", "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS rules:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.", "Yara detected: Xmrig cryptocurrency miner", "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance", "meta.com \u2022 meta.com.apple", "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63", "ELF contains segments with high entropy indicating compressed/encrypted content", "/etc/systemd/system/geomi.service File type: ASCII text", "http://www.bing.lt/search?q=", "Win.Malware.Salat-10058846-0", "Yara Detections: MacSync_AppleScript_Stealer", "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara", "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process", "Alerts: resumethread_remote_process enumerates_running_processes reads_self", "Alerts: packer_unknown_pe_section_name script_tool_executed", "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry", "Contacted: 188.114.96.1 Domains Contacted dns.google", "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "CVE-2014-2321", "display_name": "CVE-2014-2321", "target": null }, { "id": "Botnet", "display_name": "Botnet", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" } ], "industries": [], "TLP": "green", "cloned_from": "69d5859750dfad7fe7989ef4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 169, "URL": 1871, "domain": 393, "hostname": 925, "FileHash-MD5": 391, "FileHash-SHA1": 390, "FileHash-SHA256": 2452, "CVE": 1, "SSLCertFingerprint": 1, "IPv6": 9, "email": 4, "CIDR": 1 }, "indicator_count": 6607, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d5859750dfad7fe7989ef4", "name": "Apple / Cloud/ Data Network within Zergeca / Zerg Botnet \u2022 MacSync_AppleScript_Stealer", "description": "", "modified": "2026-04-07T22:30:47.312000", "created": "2026-04-07T22:30:47.312000", "tags": [ "added active", "related pulses", "found", "zergeca botnet", "zergeca", "upx packer", "khtml", "gecko", "united", "ids detections", "yara detections", "https domain", "tls sni", "ip lookup", "external ip", "malware", "encrypt", "techniques", "modify system", "process", "https", "performs dns", "tls version", "reads cpu", "proc indicative", "urls", "downloads", "persistence", "data upload", "extraction", "find s", "failed", "typ don", "ipv4 url", "canreb", "type ipv4", "url domail", "domail showing", "elf conta", "typ url", "zercega", "enter sc", "type", "include", "review", "n1 exclude", "suggestedincc", "a50 typ", "ipv4", "matches yara", "dete data", "yara detectea", "cro intormation", "exclude sugges", "sc car", "extra lte", "referen", "l extraction", "droo anv", "extr referen", "lte all", "je matches", "yara detel", "yara dete", "include review", "exchange lte", "je elf", "passive dns", "certificate", "files", "trojan", "related tags", "worm", "medium", "write c", "write", "high", "binary", "yara rule", "default", "moved", "schaan", "as834 ipxo", "dynamicloader", "program", "ee fc", "users", "ff d5", "python", "windows", "autoit", "confuserex", "stream", "guard", "launcher", "updater", "global", "america flag", "ashburn", "america related", "tags", "indicator facts", "historical otx", "controller fake", "akamai rank", "russia", "present nov", "aaaa", "link", "a domains", "ip address", "meta", "cve -2014-2321", "handle", "address range", "cidr", "network name", "allocation type", "pa status", "whois server", "included iocs", "manually add", "iocs o", "iocs", "sugges", "stop show", "types", "external", "ripe", "pa abusec", "neterra", "sofia", "bulgaria phone", "filtered person", "neven dilkov", "bg phone", "filtered route", "a5ip", "aa2023", "aamirai", "a2scanner", "apple inc", "issuer", "valid", "algorit", "thum", "name", "a9 a8", "status", "macho", "macho 64bit", "mac os", "x macho", "intel", "typ no", "td td", "td tr", "a td", "dynamic dns", "date", "name servers", "arial", "error", "null", "enough", "hosts", "win32", "fast", "contacted", "MacSync_AppleScript_Stealer", "cve-2018-10562", "source", "roboto", "robotodraft", "helvetica", "iframe", "manually ada", "review iocs", "abv0", "qaeaav0", "cptbdev", "w4uninitialized", "qaeaav01", "abv01", "qaexn", "qbenxz", "phoneidentify", "qbepaxxz" ], "references": [ "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org", "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com", "Zercega \u2022 IPv4 84.54.51.82", "Zercega \u2022 http://bot.hamsterrace.space:5966/", "Zercega \u2022 multi-user.target", "Zercega \u2022 ootheca.pw", "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393", "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS rules:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.", "Yara detected: Xmrig cryptocurrency miner", "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance", "meta.com \u2022 meta.com.apple", "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63", "ELF contains segments with high entropy indicating compressed/encrypted content", "/etc/systemd/system/geomi.service File type: ASCII text", "http://www.bing.lt/search?q=", "Win.Malware.Salat-10058846-0", "Yara Detections: MacSync_AppleScript_Stealer", "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara", "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process", "Alerts: resumethread_remote_process enumerates_running_processes reads_self", "Alerts: packer_unknown_pe_section_name script_tool_executed", "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry", "Contacted: 188.114.96.1 Domains Contacted dns.google", "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "CVE-2014-2321", "display_name": "CVE-2014-2321", "target": null }, { "id": "Botnet", "display_name": "Botnet", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 169, "URL": 1871, "domain": 393, "hostname": 925, "FileHash-MD5": 391, "FileHash-SHA1": 390, "FileHash-SHA256": 2452, "CVE": 1, "SSLCertFingerprint": 1, "IPv6": 9, "email": 4, "CIDR": 1 }, "indicator_count": 6607, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1396bb42208f8aa25b8ae", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:43.680000", "created": "2026-04-04T16:16:43.680000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1395ab63bf8e8d2c384eb", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:26.128000", "created": "2026-04-04T16:16:26.128000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d69ecbc0497f97e28618", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:10.502000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d6a601f06adcd1ed22fc", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:18.022000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d6afd744c55bd596ed6e", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:27.248000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "683bab3569597686293e62f2", "name": "Railnet extra", "description": "", "modified": "2026-02-05T02:22:30.510000", "created": "2025-06-01T01:21:57.890000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 202, "FileHash-MD5": 100, "FileHash-SHA1": 101, "FileHash-SHA256": 337, "domain": 21, "hostname": 9 }, "indicator_count": 770, "is_author": false, "is_subscribing": null, "subscriber_count": 177, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952fbca42c1b0da7431e6a7", "name": "Pegasus / Pegacloud - Infiltration (10-2013 or 2014 to Current/ Ongoing) ", "description": "", "modified": "2025-12-29T22:08:10.280000", "created": "2025-12-29T22:08:10.280000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "6877422df67773a07ef450c2", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "110 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7ced2cf17d264b49628bc", "name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information", "description": "Multiple malware\u2019s targeting Dropbox & Ebay accounts. Referenced in earlier pukses. Further investigation shows link found in apps on multiple Apple devices. Afraid. Org still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuses in f the Palantir , Gotham , Foundry products being abused by law firms and Private Investigators.\nIt is very destructive, causing loss, these firms are literally stealing and making money with other people\u2019s intellectual property and tough luck on the actual inventor, artist, writer because they even steal , cancel your insurance or back accounts leaving you unable to make a claim. \n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians , family ,businesses, stalking tracking known location.", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T18:20:02.120000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80c6bcd3fff3a4f126a68", "name": "Sventore \u2022 Agent Tesla Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information ", "description": "", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T22:42:51.657000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "68f7ced2cf17d264b49628bc", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7582b2454d926e77db68c", "name": "AWS does have issues - Indictor removal service impacting threat hunting services", "description": "Malicious. I hope the pulse posted yesterday didn\u2019t lead to AWS outage. I learned about it a few a few hours ago. AWS does have issues, like having a monopoly and the type of services allowed to exist on their servers. I never saw the links until I learned. I appreciate tips , opinions , and sharing.received. An issue found on targets old iOS 14 device ,due to deletions . This had me researching a link that is related to multiple links researched before. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship). There are many other malicious indicators.", "modified": "2025-11-20T06:00:01.014000", "created": "2025-10-21T09:53:47.767000", "tags": [ "url http", "url https", "united", "sweden", "canada", "search", "type indicator", "added active", "related pulses", "aws", "passive dns", "urls", "files domain", "files related", "related tags", "none google", "safe browsing", "present jun", "present sep", "present aug", "present jul", "present oct", "present may", "ip address", "uruguay unknown", "india showing", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "unknown", "write", "read", "unknown www", "et trojan", "suspicious", "read c", "myagrent", "get myagrent", "win32", "malware", "ids detections", "et", "dynamicloader", "medium", "write c", "high", "pcratgh0st cnc", "backdoor family", "show", "ms windows", "trojandropper", "code", "next", "polymorphic", "indicator role", "title added", "active related", "report spam", "threat hunters", "brian", "sabey created", "day ago", "white indicator", "sabey", "worm", "emotet", "tags", "malware family", "ck ids", "t1140", "information", "t1045", "packing", "t1060", "dns", "role title", "filehashmd5", "malware attacks", "find encrypted", "pulses url", "q oct", "dns", "ators show", "tbmvid", "sourcelnms", "ipv4", "types", "indicators show" ], "references": [ "business-support.intel.com \u2022 dns0.org \u2022 http://g-ns-1047.awsdns-20.org/", "Alerts: physical_drive_access deletes_executed_files anomalous_deletefile", "Alerts: suspicious_iocontrol_codes polymorphic static_pe_anomaly suricata_alert", "Alerts: injection_rwx antivm_checks_available_memory queries_computer_name", "Alerts: resumethread_remote_process antivm_generic_disk antisandbox_sleep dynamic_function_loading", "Alerts: enumerates_running_processes reads_self packer_unknown_pe_section_name contains_pe_overlay dropper queries_keyboard_layout", "102 Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key", "More PE Packer Microsoft Visual C++ Compilation | File Type PEXE - PE32 executable (GUI) Intel 80386, for MS Windows", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "Contacted ipp.getcash2018.com conf.f.360.cn", "All IP\u2019s Contacted 27.102.115.143 199.232.210.172 Domains", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "New? patch-aws-8y03-v202542-266-2.space.prod.a0core.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "TrojanDropper:Win32/Zegost.B", "display_name": "TrojanDropper:Win32/Zegost.B", "target": "/malware/TrojanDropper:Win32/Zegost.B" }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "Trojan:Win32/Fugrafa", "display_name": "Trojan:Win32/Fugrafa", "target": "/malware/Trojan:Win32/Fugrafa" }, { "id": "Win32:MalwareX-gen", "display_name": "Win32:MalwareX-gen", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1224, "URL": 2979, "domain": 609, "FileHash-SHA256": 765, "FileHash-SHA1": 350, "FileHash-MD5": 374, "CVE": 1, "email": 1 }, "indicator_count": 6303, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f5cfa9b74d6faa43eb6585", "name": "Indicator Removal service affecting Threat Hunters | Brian Sabey", "description": "Indicator removal used by M. Brian Sabey to for the purpose of attacking networks and removing malicious indicators related to entities and attacks deployed by & Co. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship).\nThere are many other malicious indicators.\n\n* foundryvttcasero.roleros.cl", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-20T05:59:04.173000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80aa152fdd795fa008e2e", "name": "Small & Comisproc Indicator Removal service Affects Threat Hunter Sevices", "description": "", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-21T22:35:13.128000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": "68f5cfa9b74d6faa43eb6585", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6877422df67773a07ef450c2", "name": "Pegasus / Pegacloud - Infiltration", "description": "Pegasus IoC\u2019s found in the periphery of research. Appears target contacted a \u2018fake host\u2019 after finding name in multiple highly malicious domains. May have appeared between 12/2013 - 11-2014. Target was contacted by telephone and asked \u2018 have you checked Googled yourself\u2019, to which target answered \u2018Not really\u2019. Target was told \u2018you really should Google yourself\u2019. Target, upset about content clicked and began a takedown effort with host.\n\nThis seems to be at the start of many malicious campaigns. Requires further investigation.", "modified": "2025-08-15T05:01:22.570000", "created": "2025-07-16T06:09:49.704000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "247 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "ConventionEngine_Anomaly_MultiPDB_Double", "http://www.bing.lt/search?q=", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "sprouts@em.sprouts.com?", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "Malware Hosting: 13.107.226.70", "verify.gov.tl", "IDS: OnionDuke CnC Beacon 1", "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29", "Zercega \u2022 http://bot.hamsterrace.space:5966/", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "meta.com \u2022 meta.com.apple", "www.joewa.com", "Alerts: packer_unknown_pe_section_name script_tool_executed", "http://fakejuko.site40/", "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry", "target.dropboxbusiness.com", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Alerts: injection_rwx antivm_checks_available_memory queries_computer_name", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "IDS: Data POST to an image file (jpg)", "Scanning Host: 13.107.246.70", "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api", "Crowdsourced IDS rules:", "supply.qld.gov.au", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "Zercega \u2022 IPv4 84.54.51.82", "All IP\u2019s Contacted 27.102.115.143 199.232.210.172 Domains", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Contacted: 188.114.96.1 Domains Contacted dns.google", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://dns.google/resolve?name=SELECT", "https://hello.riskxchange.co/api/mailings/unsubscribe", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "Potentially Pegasus related . Found to be affecting an IOS device", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "IDS: Observed Suspicious UA (Mozilla/5.0)", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Alerts: cape_detected_threat https_ urls", "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "Alerts: resumethread_remote_process antivm_generic_disk antisandbox_sleep dynamic_function_loading", "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page", "IDS: Win32.Scar.hhrw POST", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "IDS: Win32/Ibashade CnC Beacon", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Zercega \u2022 ootheca.pw", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "aohhpesayw.lawsonengineers.co.", "New? patch-aws-8y03-v202542-266-2.space.prod.a0core.net", "IDS: Observed Suspicious UA (Hello, World)", "This pulse is so huge it\u2019s a mess. Will break down.", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "BGP Hurricane Electric seen", "Yara detected: Xmrig cryptocurrency miner", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "business-support.intel.com \u2022 dns0.org \u2022 http://g-ns-1047.awsdns-20.org/", "Alerts: enumerates_running_processes reads_self packer_unknown_pe_section_name contains_pe_overlay dropper queries_keyboard_layout", "Yara Detections: MacSync_AppleScript_Stealer", "Alerts: resumethread_remote_process enumerates_running_processes reads_self", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "Pegasus | A targets devices are obviously infiltrated", "Alerts: cape_detected_threat", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://api.strem.io/api/addonCollectionGet%", "http://blackrock.work.gd/", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "gitea.neconsside.com \u2022 http://f7194.vip/login", "Alerts: suspicious_iocontrol_codes polymorphic static_pe_anomaly suricata_alert", "iot.insitemaxdev.gov2x.com", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Believed to be originating from Germany and Russia", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "More PE Packer Microsoft Visual C++ Compilation | File Type PEXE - PE32 executable (GUI) Intel 80386, for MS Windows", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com", "Zercega \u2022 multi-user.target", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "2012647\tDropbox.com Offsite File Backup in Use", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "supplierportal.gov2x.com", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "Crowdsourced IDS Below:", "Contacted ipp.getcash2018.com conf.f.360.cn", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "http://wonporn.com/top/Pakistani_Sucking", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "Indicators seen may have affected a few OTX users. Is ongoing", "okta-dev.gov2x.com", "freedns.afraid.org", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Address shows an place of origin: Broomfield , Co", "https://jviwczq.zc-apple.com/", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "afraid.org | evergreen.afraid.org", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Domains Contacted: drive.usercontent.google.com", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process", "Sabey , Ahmann, Quasi Government, Government", "Crowdsourced SIGMA Below:", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "crypto-pool.fr", "102 Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key", "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "/etc/systemd/system/geomi.service File type: ASCII text", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "consolefoundry.date \u2022 http://consolefoundry.date", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "ELF contains segments with high entropy indicating compressed/encrypted content", "Alerts: physical_drive_access deletes_executed_files anomalous_deletefile", "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Loads modules at runtime Looks up procedures from modules", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "Matches rule ET POLICY External IP Lookup ipinfo.io", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Sprouts Farmers Market", "pegacloud.net", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "api.optimizer.insitemaxdev.gov2x.com", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "Win.Malware.Salat-10058846-0", "Unique rule identifier: This rule belongs to a private collection." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Backdoor:win32/fynloski.a", "Alf:trojan:win32/anorocuriv.a", "Kentuchy", "Cve-2023-22518", "Worm:win32/autorun.xxy!bit", "Trojandropper:win32/zegost.b", "Botnet", "Cve-2025-20393", "Trojandownloader:win32/cutwail.bs", "Win.trojan.emotet-9850453-0", "Neshta", "Malwarex-gen", "Worm:win32/autorun!atmn", "Win32:wormx-gen [wrm]", "Trojan.sagnt/r011c0dfs24", "Win32:malwarex-gen", "Backdoor:win32/tofsee.t", "Worm:win32/autorun.b", "Win.downloader.3867-1", "Trojan:win32/fugrafa", "Cve-2014-2321", "Unix.trojan.mirai-7669677-0", "Et", "Trojan:win32/pariham.a", "Alf:jasyp:trojandownloader:win32/smallagent!", "Win.malware.salat-10058846-0", "Alf:program:win32/webcompanion", "Win.trojan.pushdo-15", "#lowfi:hookwowlow", "Pegasus - mob-s0005", "Other malware", "Win.trojan.tofsee-7102058-0", "Win32:evo-gen\\ [susp]", "Alf:jasyp:trojandownloader:win32/smallagent!atmn", "Unix.trojan.mirai", "Worm:win32:drolnux", "Zergeca", "Win32:trojano-chf\\ [trj]", "Cve-2024-6387", "Pegasus", "Win.trojan.vbgeneric-6735875-0", "Win.trojan.cobaltstrike-9044898-1", "Virtool:win32/ceeinject.gen!ah", "Autoit", "Win.trojan.tofsee-7102058-0\tbackdoor:win32/tofsee.t", "Zegost", "Nids", "Slf:win64/cobpipe.a", "Sf:shellcode-au\\ [trj]", "Worm:win32/mofksys.rnd!mtb", "Cve-2018-10562", "#lowfidetectsvmware" ], "industries": [ "Retail", "Government", "Technology", "Telecommunications" ], "unique_indicators": 64484 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/afraid.org", "whois": "http://whois.domaintools.com/afraid.org", "domain": "afraid.org", "hostname": "freedns.afraid.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "69d586108786e7be59439809", "name": "Bot.io", "description": "", "modified": "2026-04-07T22:32:48.996000", "created": "2026-04-07T22:32:48.996000", "tags": [ "added active", "related pulses", "found", "zergeca botnet", "zergeca", "upx packer", "khtml", "gecko", "united", "ids detections", "yara detections", "https domain", "tls sni", "ip lookup", "external ip", "malware", "encrypt", "techniques", "modify system", "process", "https", "performs dns", "tls version", "reads cpu", "proc indicative", "urls", "downloads", "persistence", "data upload", "extraction", "find s", "failed", "typ don", "ipv4 url", "canreb", "type ipv4", "url domail", "domail showing", "elf conta", "typ url", "zercega", "enter sc", "type", "include", "review", "n1 exclude", "suggestedincc", "a50 typ", "ipv4", "matches yara", "dete data", "yara detectea", "cro intormation", "exclude sugges", "sc car", "extra lte", "referen", "l extraction", "droo anv", "extr referen", "lte all", "je matches", "yara detel", "yara dete", "include review", "exchange lte", "je elf", "passive dns", "certificate", "files", "trojan", "related tags", "worm", "medium", "write c", "write", "high", "binary", "yara rule", "default", "moved", "schaan", "as834 ipxo", "dynamicloader", "program", "ee fc", "users", "ff d5", "python", "windows", "autoit", "confuserex", "stream", "guard", "launcher", "updater", "global", "america flag", "ashburn", "america related", "tags", "indicator facts", "historical otx", "controller fake", "akamai rank", "russia", "present nov", "aaaa", "link", "a domains", "ip address", "meta", "cve -2014-2321", "handle", "address range", "cidr", "network name", "allocation type", "pa status", "whois server", "included iocs", "manually add", "iocs o", "iocs", "sugges", "stop show", "types", "external", "ripe", "pa abusec", "neterra", "sofia", "bulgaria phone", "filtered person", "neven dilkov", "bg phone", "filtered route", "a5ip", "aa2023", "aamirai", "a2scanner", "apple inc", "issuer", "valid", "algorit", "thum", "name", "a9 a8", "status", "macho", "macho 64bit", "mac os", "x macho", "intel", "typ no", "td td", "td tr", "a td", "dynamic dns", "date", "name servers", "arial", "error", "null", "enough", "hosts", "win32", "fast", "contacted", "MacSync_AppleScript_Stealer", "cve-2018-10562", "source", "roboto", "robotodraft", "helvetica", "iframe", "manually ada", "review iocs", "abv0", "qaeaav0", "cptbdev", "w4uninitialized", "qaeaav01", "abv01", "qaexn", "qbenxz", "phoneidentify", "qbepaxxz" ], "references": [ "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org", "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com", "Zercega \u2022 IPv4 84.54.51.82", "Zercega \u2022 http://bot.hamsterrace.space:5966/", "Zercega \u2022 multi-user.target", "Zercega \u2022 ootheca.pw", "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393", "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS rules:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.", "Yara detected: Xmrig cryptocurrency miner", "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance", "meta.com \u2022 meta.com.apple", "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63", "ELF contains segments with high entropy indicating compressed/encrypted content", "/etc/systemd/system/geomi.service File type: ASCII text", "http://www.bing.lt/search?q=", "Win.Malware.Salat-10058846-0", "Yara Detections: MacSync_AppleScript_Stealer", "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara", "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process", "Alerts: resumethread_remote_process enumerates_running_processes reads_self", "Alerts: packer_unknown_pe_section_name script_tool_executed", "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry", "Contacted: 188.114.96.1 Domains Contacted dns.google", "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "CVE-2014-2321", "display_name": "CVE-2014-2321", "target": null }, { "id": "Botnet", "display_name": "Botnet", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" } ], "industries": [], "TLP": "green", "cloned_from": "69d5859750dfad7fe7989ef4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 169, "URL": 1871, "domain": 393, "hostname": 925, "FileHash-MD5": 391, "FileHash-SHA1": 390, "FileHash-SHA256": 2452, "CVE": 1, "SSLCertFingerprint": 1, "IPv6": 9, "email": 4, "CIDR": 1 }, "indicator_count": 6607, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d5859750dfad7fe7989ef4", "name": "Apple / Cloud/ Data Network within Zergeca / Zerg Botnet \u2022 MacSync_AppleScript_Stealer", "description": "", "modified": "2026-04-07T22:30:47.312000", "created": "2026-04-07T22:30:47.312000", "tags": [ "added active", "related pulses", "found", "zergeca botnet", "zergeca", "upx packer", "khtml", "gecko", "united", "ids detections", "yara detections", "https domain", "tls sni", "ip lookup", "external ip", "malware", "encrypt", "techniques", "modify system", "process", "https", "performs dns", "tls version", "reads cpu", "proc indicative", "urls", "downloads", "persistence", "data upload", "extraction", "find s", "failed", "typ don", "ipv4 url", "canreb", "type ipv4", "url domail", "domail showing", "elf conta", "typ url", "zercega", "enter sc", "type", "include", "review", "n1 exclude", "suggestedincc", "a50 typ", "ipv4", "matches yara", "dete data", "yara detectea", "cro intormation", "exclude sugges", "sc car", "extra lte", "referen", "l extraction", "droo anv", "extr referen", "lte all", "je matches", "yara detel", "yara dete", "include review", "exchange lte", "je elf", "passive dns", "certificate", "files", "trojan", "related tags", "worm", "medium", "write c", "write", "high", "binary", "yara rule", "default", "moved", "schaan", "as834 ipxo", "dynamicloader", "program", "ee fc", "users", "ff d5", "python", "windows", "autoit", "confuserex", "stream", "guard", "launcher", "updater", "global", "america flag", "ashburn", "america related", "tags", "indicator facts", "historical otx", "controller fake", "akamai rank", "russia", "present nov", "aaaa", "link", "a domains", "ip address", "meta", "cve -2014-2321", "handle", "address range", "cidr", "network name", "allocation type", "pa status", "whois server", "included iocs", "manually add", "iocs o", "iocs", "sugges", "stop show", "types", "external", "ripe", "pa abusec", "neterra", "sofia", "bulgaria phone", "filtered person", "neven dilkov", "bg phone", "filtered route", "a5ip", "aa2023", "aamirai", "a2scanner", "apple inc", "issuer", "valid", "algorit", "thum", "name", "a9 a8", "status", "macho", "macho 64bit", "mac os", "x macho", "intel", "typ no", "td td", "td tr", "a td", "dynamic dns", "date", "name servers", "arial", "error", "null", "enough", "hosts", "win32", "fast", "contacted", "MacSync_AppleScript_Stealer", "cve-2018-10562", "source", "roboto", "robotodraft", "helvetica", "iframe", "manually ada", "review iocs", "abv0", "qaeaav0", "cptbdev", "w4uninitialized", "qaeaav01", "abv01", "qaexn", "qbenxz", "phoneidentify", "qbepaxxz" ], "references": [ "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org", "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com", "Zercega \u2022 IPv4 84.54.51.82", "Zercega \u2022 http://bot.hamsterrace.space:5966/", "Zercega \u2022 multi-user.target", "Zercega \u2022 ootheca.pw", "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393", "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS rules:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.", "Yara detected: Xmrig cryptocurrency miner", "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance", "meta.com \u2022 meta.com.apple", "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63", "ELF contains segments with high entropy indicating compressed/encrypted content", "/etc/systemd/system/geomi.service File type: ASCII text", "http://www.bing.lt/search?q=", "Win.Malware.Salat-10058846-0", "Yara Detections: MacSync_AppleScript_Stealer", "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara", "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process", "Alerts: resumethread_remote_process enumerates_running_processes reads_self", "Alerts: packer_unknown_pe_section_name script_tool_executed", "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry", "Contacted: 188.114.96.1 Domains Contacted dns.google", "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "CVE-2014-2321", "display_name": "CVE-2014-2321", "target": null }, { "id": "Botnet", "display_name": "Botnet", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 169, "URL": 1871, "domain": 393, "hostname": 925, "FileHash-MD5": 391, "FileHash-SHA1": 390, "FileHash-SHA256": 2452, "CVE": 1, "SSLCertFingerprint": 1, "IPv6": 9, "email": 4, "CIDR": 1 }, "indicator_count": 6607, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1396bb42208f8aa25b8ae", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:43.680000", "created": "2026-04-04T16:16:43.680000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1395ab63bf8e8d2c384eb", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:26.128000", "created": "2026-04-04T16:16:26.128000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d69ecbc0497f97e28618", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:10.502000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d6a601f06adcd1ed22fc", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:18.022000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d6afd744c55bd596ed6e", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:27.248000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "683bab3569597686293e62f2", "name": "Railnet extra", "description": "", "modified": "2026-02-05T02:22:30.510000", "created": "2025-06-01T01:21:57.890000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 202, "FileHash-MD5": 100, "FileHash-SHA1": 101, "FileHash-SHA256": 337, "domain": 21, "hostname": 9 }, "indicator_count": 770, "is_author": false, "is_subscribing": null, "subscriber_count": 177, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952fbca42c1b0da7431e6a7", "name": "Pegasus / Pegacloud - Infiltration (10-2013 or 2014 to Current/ Ongoing) ", "description": "", "modified": "2025-12-29T22:08:10.280000", "created": "2025-12-29T22:08:10.280000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "6877422df67773a07ef450c2", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "110 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7ced2cf17d264b49628bc", "name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information", "description": "Multiple malware\u2019s targeting Dropbox & Ebay accounts. Referenced in earlier pukses. Further investigation shows link found in apps on multiple Apple devices. Afraid. Org still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuses in f the Palantir , Gotham , Foundry products being abused by law firms and Private Investigators.\nIt is very destructive, causing loss, these firms are literally stealing and making money with other people\u2019s intellectual property and tough luck on the actual inventor, artist, writer because they even steal , cancel your insurance or back accounts leaving you unable to make a claim. \n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians , family ,businesses, stalking tracking known location.", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T18:20:02.120000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://freedns.afraid.org/dynamic/index.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://freedns.afraid.org/dynamic/index.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776615720.0088263 }