{
  "type": "URL",
  "indicator": "https://ftp.license.md/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://ftp.license.md/",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3756752307,
      "indicator": "https://ftp.license.md/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "68ac1823eed9568e26950b98",
          "name": "ELF: Mirai - Malicious media | sentient.industries | Palantir",
          "description": "Malicious entity weaponizing AI and next-level cyber attacks: targeting, hacking, espionage, tracking, bad traffic, botnet, honeypots, bots, DDoS.\n\nIt\u2019s really easy to become a target: protest a cause, become a victim of crime by someone protected by a major entity, incur a large-loss insurance case, or have a high-profile potential lawsuit, and so on\u2026\n\nExcessive overreach, low accountability, no barrier to access, designed to be the cyber warfare weapon.\nEven if this is a spoof and NOT Palantir (but it is), it is still relentless and just as malicious. You don\u2019t own your devices or privacy.\n\n#mustbestrangelyexitingtowatchthestoicsquirm",
          "modified": "2025-09-24T07:05:04.439000",
          "created": "2025-08-25T08:00:35.492000",
          "tags": [
            "sentientindustries",
            "adult",
            "pornography",
            "targeting",
            "content reputation",
            "palantirfoundry",
            "palantir",
            "malicious media",
            "tool",
            "abuse",
            "citizens",
            "gay",
            "united",
            "cache control",
            "access control",
            "passive dns",
            "ip address",
            "body found",
            "gmt content",
            "express cache",
            "accept",
            "pragma",
            "avast avg",
            "mirai",
            "games",
            "aniporn",
            "eporner",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "command",
            "javascript",
            "defense evasion",
            "spawns",
            "attrib",
            "extid",
            "fbid",
            "creatortool",
            "pattern match",
            "date",
            "path",
            "august",
            "hybrid",
            "general",
            "click",
            "strings",
            "bham",
            "this",
            "core",
            "unknown aaaa",
            "moved",
            "unknown ns",
            "body",
            "h1 center",
            "title",
            "data upload",
            "extraction",
            "iocs",
            "monitored target",
            "copy md5",
            "copy sha1",
            "copy sha256",
            "mitre att",
            "show technique",
            "ck matrix",
            "span",
            "possible",
            "local",
            "meta",
            "roboto",
            "supportscookie",
            "spearphishing",
            "initial access",
            "ssl certificate",
            "t1105",
            "T1027.013 - Encrypted/Encoded File"
          ],
          "references": [
            "https://targeting-ai.com/dr-wisit-cheungpasitporn-invite-dhonneur-a-paris-pour-intelligence-artificielle-et-nephrologie-2025/ (phishing)",
            "conf.targeting-ai.com \u2022 http://conf.targeting-ai.com  \u2022 https://conf.targeting-ai.com \u2022 https://droidcall.cc/EQBhOSFz/",
            "http://securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html",
            "1-ai-chatbox-widget-2iv.pages.dev",
            "FileHash SHA256 [7a6da9fd351d428e9bfb8edbbca1275d9cdaf7f0371c77d2c227645509f7ebec ELF:Mirai-GH\\ [Trj] \u2022 Unix.Trojan.Gafgyt-6748839",
            "Found in Palantirfoundry in sentient.indusutries linked to songculture.com (downed)",
            "Redirecting to /verify/547062ef [URL https://eporner.blog \u2022 IPv4 104.21.3.107]",
            "https://hayageek.com/drag-and-drop-file-upload-jquery",
            "https://hayageek.com/rsa-encryption-decryption-openssl-c/",
            "https://www-321chat-com.webpkgcache.com/doc/-/s/www.321chat.com/",
            "https://www.melitta.be/portal/pics/layout/touchicons/apple-touch-icon-precomposed.png [Key-Systems GmbH]",
            "https://hybrid-analysis.com/sample/627cf8e9a89c998bd5cb607854bbe31b82679c116b4e3834ff942220d61d3488/68ac1098bfa5002fad02e045",
            "T1027.013 - Encrypted/Encoded File"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "PornBlackmailer",
              "display_name": "PornBlackmailer",
              "target": null
            },
            {
              "id": "Win32/PornTool",
              "display_name": "Win32/PornTool",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "ELF:Mirai-GH\\ [Trj]",
              "display_name": "ELF:Mirai-GH\\ [Trj]",
              "target": null
            },
            {
              "id": "Unix.Trojan.Gafgyt-6748839",
              "display_name": "Unix.Trojan.Gafgyt-6748839",
              "target": null
            },
            {
              "id": "supportsCookie",
              "display_name": "supportsCookie",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1608.005",
              "name": "Link Target",
              "display_name": "T1608.005 - Link Target"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1568.002",
              "name": "Domain Generation Algorithms",
              "display_name": "T1568.002 - Domain Generation Algorithms"
            },
            {
              "id": "T1532",
              "name": "Data Encrypted",
              "display_name": "T1532 - Data Encrypted"
            }
          ],
          "industries": [
            "Telecommunications",
            "Technology",
            "Civilian Society",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 966,
            "domain": 222,
            "hostname": 272,
            "FileHash-MD5": 78,
            "FileHash-SHA1": 84,
            "FileHash-SHA256": 346,
            "SSLCertFingerprint": 10
          },
          "indicator_count": 1978,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "249 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f5555b6ce863d998e83e26",
          "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net",
          "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-<UUID>.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.",
          "modified": "2025-05-11T19:03:59.885000",
          "created": "2025-04-08T16:56:59.641000",
          "tags": [
            "generated from",
            "do not",
            "edit uri",
            "urls",
            "edit",
            "rewriteengine",
            "rewritecond",
            "rewriterule",
            "r301",
            "xml2encalias",
            "beralloct",
            "berbvarrayadd",
            "berbvarrayfree",
            "berbvdup",
            "berbvecadd",
            "berbvecfree",
            "berbvfree",
            "berdump",
            "berdup",
            "berdupbv",
            "laerrordomain",
            "laerrornoncekey",
            "lamechanismtree",
            "lacontext",
            "ladomainstate",
            "laenvironment",
            "lanotification",
            "laprivatekey",
            "lapublickey",
            "laright",
            "apple swift",
            "o librarylevel",
            "combine import",
            "foundation",
            "swift import",
            "mcpeerid",
            "mcsession",
            "property",
            "copyright",
            "protocol",
            "class",
            "bonjour",
            "ascii lowercase",
            "abc company",
            "section",
            "bonjour txt",
            "note",
            "ui element",
            "utf8 encoding",
            "nscopying",
            "nsdictionary",
            "nsstring",
            "mcextern",
            "attribute",
            "mcextern extern",
            "mcexternweak",
            "nsenum",
            "nsinteger",
            "mcerrorcode",
            "mcerrorunknown",
            "mcerrortimedout",
            "peer",
            "example",
            "bonjour apis",
            "stop",
            "tags",
            "session",
            "nsprogress",
            "nserror",
            "nsurl",
            "nsarray",
            "create",
            "nsuinteger",
            "notifies",
            "mcsession api",
            "interface",
            "dbictrace",
            "dbivporth",
            "dbictracelevel",
            "dbdtffoo",
            "dbihseterrchar",
            "dbicstate",
            "dbictraceflags",
            "provides macros",
            "dbi release",
            "only",
            "sqlsuccess",
            "odbc",
            "sqlok",
            "tim bunce",
            "england",
            "sql cli",
            "sql datatype",
            "sqlguid",
            "sqlwlongvarchar",
            "main",
            "beware",
            "sv sth",
            "sv dbh",
            "impsth",
            "impdbh",
            "sv keysv",
            "sv params",
            "sv attr",
            "sv attribs",
            "sv drh",
            "void",
            "fri jul",
            "mixed",
            "dbixsrevision",
            "plsvundef",
            "license",
            "spagain",
            "perlioprintf",
            "dbiclogpio",
            "putback",
            "ireland",
            "gnu general",
            "super",
            "magic",
            "dbicflags",
            "dbis",
            "svrv",
            "null",
            "imp2com",
            "dbicactivekids",
            "dbicfiadestroy",
            "sv h",
            "dbicdbistate",
            "code",
            "copy",
            "refer",
            "trace",
            "error",
            "unknown",
            "hookopcheckh",
            "startexternc",
            "hookopcheckcb",
            "userdata",
            "endexternc",
            "isinternalbuild",
            "kickmcxdforuid",
            "loadappkit",
            "ardconfig",
            "authenticator",
            "dsauthenticator",
            "dsnode",
            "dsrecord",
            "group",
            "hostconfig",
            "apfsvolumelock",
            "apfsvolumerole",
            "aoskgetosinfo",
            "aoskgetuserinfo",
            "aosaddappleid",
            "aosdisablepcs",
            "aosenablepcs",
            "aoslog",
            "aoslogforce",
            "aosrelaycookie",
            "didfailcallback",
            "kaosaccountkey",
            "kapcsbundle",
            "kapcspath",
            "kjsonextension",
            "apcsbucketid",
            "apcsreports",
            "apconfiguration",
            "apversiondata",
            "apversionhelper",
            "systemvolumesvm",
            "name size",
            "identifier",
            "gb disk0s3",
            "devdisk3",
            "apfs container",
            "scheme",
            "physical store",
            "macintosh hd",
            "apfs snapshot",
            "preboot",
            "refs address",
            "size wired",
            "name",
            "version",
            "uuid",
            "linked against",
            "renderer",
            "helper",
            "chrome helper",
            "contains",
            "cloud ui",
            "macintosh",
            "khtml",
            "gecko",
            "ui helper",
            "plugin",
            "service",
            "good",
            "battery power",
            "apfs encryption",
            "jumpcloud go",
            "chrome web",
            "store",
            "privacy badger",
            "flowcrypt",
            "encrypt gmail",
            "simple",
            "google",
            "b2b phone",
            "number",
            "apollo",
            "future",
            "exccrash",
            "sigkill",
            "code signature",
            "invalid",
            "sigabrt",
            "protonvpn",
            "excguard",
            "excbreakpoint",
            "sigtrap",
            "excbadaccess",
            "appl",
            "english",
            "adobe crash",
            "adobe",
            "acrobat dcadobe",
            "processor",
            "uninstaller",
            "assistant",
            "install",
            "cloud",
            "dock",
            "calendar",
            "music",
            "terminal",
            "tips",
            "installer",
            "updater",
            "proton",
            "tools",
            "stub",
            "python",
            "clock",
            "powershell",
            "team",
            "rave scout",
            "cookies",
            "public folder",
            "key cert",
            "sign",
            "crl sign",
            "root ca",
            "authority",
            "public primary",
            "global root",
            "verisign",
            "academic",
            "premium",
            "adaptive",
            "interactive",
            "background",
            "standard",
            "launchd sandbox",
            "s mdworker",
            "agent",
            "command line",
            "progress",
            "yubico",
            "macos13action",
            "disableoverride",
            "disableairdrop",
            "denyactivation",
            "enable",
            "loginwindowtext",
            "jumpcloud",
            "autoupdate",
            "loggingoption",
            "enablefirewall",
            "arm64e",
            "apple m2",
            "mac142",
            "kjqqtw7pqt",
            "daemon",
            "server",
            "open directory",
            "user",
            "account",
            "kerberos admin",
            "kerberos change",
            "device daemon",
            "network",
            "desktop",
            "screensaver",
            "bridge",
            "aesxtsarm",
            "aesecbarm",
            "sha512vngarmhw",
            "sha384vngarmhw",
            "sha256vngarm",
            "sha1vngarm",
            "darwin kernel",
            "wed mar",
            "wkarraycreate",
            "wkbooleancreate",
            "wkcontextcreate",
            "wkdatacreate",
            "wkdatagettypeid",
            "wkdoublecreate",
            "wkframecopyurl",
            "wkgettypeid",
            "wkimagecreate",
            "wkpagecandelete",
            "webview",
            "notice",
            "this software",
            "including",
            "but not",
            "limited to",
            "redistribution",
            "is provided",
            "by apple",
            "direct",
            "damage",
            "apiavailable",
            "webkit",
            "nsswiftname",
            "document",
            "a block",
            "as is",
            "hasinclude",
            "wkdownload",
            "abstract",
            "wkerrorcode",
            "wkerrorunknown",
            "discussion",
            "bool",
            "whether",
            "wkcontentworld",
            "wkwebview",
            "javascript",
            "nsunavailable",
            "vaargs",
            "nsswiftasync",
            "wkswiftasync",
            "wkcookiepolicy",
            "wkswiftuiactor",
            "nshttpcookie",
            "targetosiphone",
            "wknavigation",
            "decides",
            "boolean value",
            "apideprecated",
            "methodkind",
            "wkerrordomain",
            "wkscriptmessage",
            "promise",
            "fulfill",
            "const",
            "url scheme",
            "mark",
            "wkuserscript",
            "targetosvision",
            "param",
            "wkframeinfo",
            "targetosios",
            "pass",
            "window",
            "mime type",
            "link",
            "nsimage",
            "returns",
            "nsset",
            "checks",
            "matches",
            "a boolean",
            "defaults",
            "wkwebextension",
            "cgsize",
            "uiimage",
            "apis",
            "nsdate",
            "wkcontentmode",
            "wkextern",
            "possible",
            "cgfloat",
            "media",
            "cgrect",
            "apiunavailable",
            "framework",
            "nsswiftuiactor",
            "targetoswatch",
            "confirms",
            "apple upgrade",
            "nsstring user",
            "nsobject",
            "provider",
            "apple",
            "password",
            "uicontrol",
            "nscontrol",
            "asuseragerange",
            "check",
            "opaque user",
            "apple id",
            "initiate",
            "asauthorization",
            "operation",
            "state",
            "nserrorenum",
            "nsdata",
            "relying party",
            "asapiavailable",
            "perform",
            "realm",
            "http response",
            "authorization",
            "http",
            "oauth",
            "saml",
            "a byte",
            "nsdata userid",
            "relying",
            "a string",
            "nsdata readdata",
            "bool didwrite",
            "a cose",
            "nsdata first",
            "nsdata second",
            "nsstring name",
            "bool appid",
            "targetosxr",
            "nsstring appid",
            "bluetooth",
            "mdm profile",
            "nsurl url",
            "returns yes",
            "a state",
            "a json",
            "web token",
            "private seckeys",
            "enables",
            "keychain",
            "asswiftsendable",
            "cose algorithm",
            "ecdsa",
            "sha256",
            "cose curve",
            "p256",
            "nullable",
            "bool success",
            "remove",
            "call",
            "complete",
            "initializes",
            "time code",
            "extensions",
            "asextern extern",
            "asextern",
            "nsswiftsendable",
            "prepare",
            "list",
            "nsextension",
            "attempt",
            "nsstring label",
            "creates",
            "nsstring code",
            "a key",
            "webauthn",
            "nssecurecoding",
            "input",
            "output",
            "initialize",
            "nsinteger rank",
            "json",
            "inputs",
            "hash",
            "nsstring origin",
            "settings app",
            "extension",
            "https urls",
            "safari",
            "cancel",
            "nsuuid uuid",
            "r uftpexu",
            "nsmutabledata",
            "vnsdate",
            "mprcjy",
            "postfix",
            "domain",
            "canonical",
            "tables",
            "ldap",
            "post",
            "replace user",
            "address",
            "wietse venema",
            "bugs",
            "mail",
            "aliases",
            "postfix version",
            "restrict",
            "sample",
            "person",
            "basic system",
            "general",
            "reject empty",
            "postfix smtp",
            "ipv6 host",
            "reject",
            "reply",
            "access",
            "prior",
            "hold",
            "info",
            "mail delivery",
            "charset",
            "system",
            "report",
            "postfix dsn",
            "mail returned",
            "this",
            "generic",
            "smtp",
            "isp mail",
            "mime",
            "headerchecks",
            "readme files",
            "filters while",
            "posix",
            "empty",
            "body",
            "write",
            "date",
            "smtp server",
            "specify",
            "mx host",
            "unix password",
            "user unknown",
            "pathbin",
            "postfix queue",
            "unix",
            "cyrus",
            "path",
            "uucp",
            "shell",
            "local",
            "program",
            "agreement",
            "contributor",
            "recipient",
            "contribution",
            "the program",
            "corporation",
            "contributors",
            "product x",
            "as expressly",
            "arch",
            "arch x8664",
            "pipe wall",
            "wimplicit",
            "ranlib",
            "warn",
            "switch",
            "start",
            "systype",
            "outlook",
            "postfix master",
            "begin",
            "server admin",
            "mail backend",
            "modern smtp",
            "iana",
            "many",
            "postfix pipe",
            "recent cyrus",
            "amos gouaux",
            "old example",
            "or even",
            "lutz jaenicke",
            "technology",
            "cottbus",
            "germany",
            "openssl package",
            "openssl project",
            "europe",
            "remember that",
            "use of",
            "file",
            "update",
            "usrsbin",
            "file format",
            "no group",
            "daemondirectory",
            "deliver mail",
            "transport",
            "description",
            "result format",
            "virtual",
            "virtual alias",
            "redirect mail",
            "relocated",
            "matches user",
            "synopsis",
            "lastname",
            "firstname",
            "apple computer",
            "tcpip",
            "supported",
            "quantum",
            "facility",
            "level",
            "level info",
            "broadcast",
            "ignore",
            "rules",
            "sender",
            "automounter map",
            "use directory",
            "get home",
            "home autohome",
            "true",
            "t option",
            "mount",
            "force",
            "environment",
            "automountdenv",
            "promptcommand",
            "shellsessiondir",
            "histfile",
            "histfilesize",
            "myvar",
            "histtimeformat",
            "arrange",
            "bashrematch",
            "tell",
            "ps1h",
            "make bash",
            "s checkwinsize",
            "etcbashrc",
            "termprogram",
            "inpck",
            "nnnbaud",
            "berkeley",
            "parity",
            "pc entry",
            "pass8",
            "parenb istrip",
            "fixed speed",
            "entry",
            "clocal mode",
            "maxhistsize",
            "promptmode",
            "verbose end",
            "etcirbrcloaded",
            "default",
            "setup",
            "history file",
            "kernel",
            "readline",
            "jabber",
            "group database",
            "dovecot",
            "postfix scsd",
            "networkd",
            "searchpaths",
            "freebsd",
            "tmpdir",
            "fcodes",
            "prunepaths",
            "vartmp",
            "prunedirs",
            "filesystems",
            "nroff",
            "manpath",
            "uncomment",
            "manpager",
            "whatispager",
            "manlocale",
            "every",
            "manpath optman",
            "maybe",
            "troff",
            "status mailfrom",
            "returnpath via",
            "pidfile",
            "flags",
            "bcgjnuwz",
            "bin usrsbin",
            "sbin",
            "default pf",
            "care",
            "audio",
            "user database",
            "unix copy",
            "gate daemon",
            "bashno",
            "r etcbashrc",
            "rfc1323",
            "m1460",
            "macos x",
            "signature",
            "linux",
            "opera",
            "xp sp1",
            "windows sp1",
            "nmap syn",
            "m265",
            "synack",
            "mind",
            "macos",
            "warp",
            "ipv6",
            "internet",
            "icmp",
            "cisco",
            "monitoring",
            "argus",
            "chaos",
            "rsvp",
            "encapsulation",
            "aris",
            "isis",
            "netbootmount",
            "netbootshadow",
            "computername",
            "localonly",
            "localnetbootdir",
            "netboot",
            "define",
            "purpose",
            "networkonly",
            "waiting",
            "networkup",
            "term",
            "devnull",
            "common setup",
            "configure",
            "set command",
            "dns hostname",
            "dns query",
            "see also",
            "kame",
            "sunnet manager",
            "rpcsrc",
            "netlicense",
            "ftpd",
            "bindash binksh",
            "binsh bintcsh",
            "jumpcloud ldap",
            "smb2",
            "security",
            "workgroup",
            "standalone",
            "samba server",
            "enforce",
            "smb3",
            "example share",
            "improper use",
            "ctrlc",
            "none",
            "fax reception",
            "hardwired",
            "0007",
            "must",
            "visudo",
            "blocksize",
            "charset lang",
            "language lcall",
            "lines columns",
            "lscolors",
            "sshauthsock",
            "orion",
            "setup user",
            "home",
            "zdotdir",
            "delete",
            "beep",
            "vendor",
            "kf10",
            "kf11",
            "kf12",
            "kf13",
            "backspace",
            "insert",
            "resume",
            "termsessionid",
            "savehist",
            "sharehistory",
            "h do",
            "volume",
            "de l",
            "l uuid",
            "m tra",
            "n est",
            "suuid",
            "prfen",
            "fusion",
            "syst",
            "look",
            "executant",
            "alla",
            "over",
            "test",
            "overie",
            "zapis",
            "rapid",
            "disco usa",
            "de macos",
            "nie s",
            "i denne",
            "adgjmpsvx",
            "diskgthis disk",
            "01k8x j",
            "34disk",
            "levy kytt",
            "dict",
            "array",
            "plist",
            "apple root",
            "code signing",
            "inode64r",
            "xofkoxzh",
            "integer",
            "doctype",
            "brain",
            "abcd",
            "ogwo",
            "boaw",
            "cobwa",
            "uhawavauatsh",
            "ip bitmap",
            "foewdc",
            "could",
            "ip block",
            "funcs",
            "cogwo",
            "trash",
            "double",
            "hunt",
            "affa",
            "carr",
            "crypto",
            "docwbac",
            "q1b0",
            "q1 0",
            "h h5",
            "docwbag",
            "slice",
            "format",
            "zero",
            "alfa",
            "hera",
            "lelei",
            "hehe",
            "hisp",
            "fail",
            "katy",
            "zakk",
            "eodwcbgao",
            "hhk8di",
            "alma",
            "topo",
            "open",
            "huhk",
            "piper",
            "hehx",
            "eh ui",
            "h20hph",
            "hif h",
            "hmhhihqhyla hq",
            "r11b0",
            "target",
            "uus10u",
            "hifh",
            "loghookfailed",
            "loghook",
            "hell",
            "q1b 0",
            "f duh",
            "aqw1",
            "1160"
          ],
          "references": [
            "index.html.en",
            "bind.html",
            "caching.html",
            "BUILDING",
            "configuring.html",
            "content-negotiation.html",
            "custom-error.html",
            "convenience.map",
            "LDAP.tbd",
            "lber.h",
            "ldap.h",
            "LocalAuthentication.tbd",
            "arm64e-apple-macos.swiftinterface",
            "x86_64-apple-ios-macabi.swiftinterface",
            "arm64e-apple-ios-macabi.swiftinterface",
            "x86_64-apple-macos.swiftinterface",
            "MultipeerConnectivity.tbd",
            "module.modulemap",
            "MCNearbyServiceAdvertiser.h",
            "MCPeerID.h",
            "MCError.h",
            "MCNearbyServiceBrowser.h",
            "MCAdvertiserAssistant.h",
            "MultipeerConnectivity.apinotes",
            "MultipeerConnectivity.h",
            "MCSession.h",
            "MCBrowserViewController.h",
            "dbivport.h",
            "dbi_sql.h",
            "dbd_xsh.h",
            "dbixs_rev.h",
            "Driver_xst.h",
            "DBIXS.h",
            "hook_op_check.h",
            "Admin.tbd",
            "AirPlayReceiver.tbd",
            "apfs_boot_mount.tbd",
            "AOSKit.tbd",
            "APConfigurationSystem.tbd",
            "AppleFirmwareUpdate.tbd",
            "launchdaemons.txt",
            "preboot_archive_errors.log",
            "mounts.txt",
            "launchagents.txt",
            "disk_structure.txt",
            "user_launchagents.txt",
            "security_status.txt",
            "kexts.txt",
            "process_list.txt",
            "battery.csv",
            "diskEncryption.csv",
            "chromeExtensions.csv",
            "crashes.csv",
            "interfaceAddrs.csv",
            "kernel.csv",
            "interfaceDetails.csv",
            "etcHosts.csv",
            "applications.csv",
            "mounts.csv",
            "sharedFolders.csv",
            "certificates.csv",
            "sharingPreferences.csv",
            "launchD.csv",
            "usbDevices.csv",
            "managedPolicies.csv",
            "systemInfo.csv",
            "users.csv",
            "sipConfig.csv",
            "systemControls.csv",
            "canonical",
            "aliases",
            "custom_header_checks",
            "access",
            "bounce.cf.default",
            "generic",
            "header_checks",
            "main.cf.default",
            "LICENSE",
            "makedefs.out",
            "main.cf",
            "master.cf.default",
            "main.cf.proto",
            "master.cf.proto",
            "master.cf",
            "TLS_LICENSE",
            "postfix-files",
            "transport",
            "virtual",
            "relocated",
            "afpovertcp.cfg",
            "asl.conf",
            "auto_home",
            "auto_master",
            "autofs.conf",
            "bashrc_Apple_Terminal",
            "com.apple.screensharing.agent.launchd",
            "bashrc",
            "command_args.json",
            "csh.cshrc",
            "csh.login",
            "find.codes",
            "csh.logout",
            "ftpusers",
            "gettytab",
            "irbrc",
            "kern_loader.conf",
            "group",
            "locate.rc",
            "man.conf",
            "mail.rc",
            "manpaths",
            "networks",
            "nfs.conf",
            "newsyslog.conf",
            "ntp_opendirectory.conf",
            "ntp.conf",
            "notify.conf",
            "paths",
            "pf.conf",
            "passwd",
            "profile",
            "pf.os",
            "protocols",
            "rc.netboot",
            "rc.common",
            "rmtab",
            "resolv.conf",
            "rtadvd.conf",
            "rpc",
            "shells",
            "smb.conf",
            "sudo_lecture",
            "ttys",
            "syslog.conf",
            "xtab",
            "sudoers",
            "zprofile",
            "zshrc",
            "zshrc_Apple_Terminal",
            "CodeResources",
            "version.plist",
            "Info.plist"
          ],
          "public": 1,
          "adversary": "DragonForce Malaysia Hacker Group",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lastname",
              "display_name": "Lastname",
              "target": null
            },
            {
              "id": "Firstname",
              "display_name": "Firstname",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 66,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ilyailya",
            "id": "298851",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 4449,
            "domain": 3847,
            "URL": 14263,
            "FileHash-SHA256": 2356,
            "FileHash-MD5": 223,
            "FileHash-SHA1": 523,
            "email": 223,
            "CVE": 40,
            "CIDR": 12,
            "SSLCertFingerprint": 302
          },
          "indicator_count": 26238,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 37,
          "modified_text": "385 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67127cfd194972b2b7a01965",
          "name": "Discord",
          "description": "Discord W11 Sample Device\nC:\\ProgramData*\\Discord",
          "modified": "2024-11-17T15:01:49.122000",
          "created": "2024-10-18T15:21:33.350000",
          "tags": [
            "Discord"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/community",
            "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/iocs",
            "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/summary",
            "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/graph"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 80,
            "FileHash-SHA1": 80,
            "FileHash-SHA256": 357,
            "URL": 472,
            "domain": 413,
            "hostname": 153
          },
          "indicator_count": 1555,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 131,
          "modified_text": "560 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "654e46078568d62bc323e093",
          "name": "Imaging Center affected by WebToolbar \u2022 Critical C2 and Mitre Att",
          "description": "Critical - dpqhhab.exe\n216d5b6361d88c59cd0fb66c0ca94a27f6c1e0d592fc325b6d58929d4d5a1e76",
          "modified": "2023-12-10T13:00:37.604000",
          "created": "2023-11-10T15:02:31.518000",
          "tags": [
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "blacklist",
            "cisco umbrella",
            "site",
            "heur",
            "alexa top",
            "safe site",
            "million",
            "malware",
            "malware site",
            "phishing site",
            "malicious site",
            "crack",
            "wacatac",
            "unsafe",
            "phishing",
            "xrat",
            "xtrat",
            "nircmd",
            "swrort",
            "iframe",
            "downldr",
            "installcore",
            "agent",
            "unruy",
            "filetour",
            "cleaner",
            "patcher",
            "adload",
            "win64",
            "artemis",
            "riskware",
            "genkryptik",
            "fuery",
            "alexa",
            "blacklist https",
            "united",
            "ip address",
            "presenoker",
            "opencandy",
            "exploit",
            "quasar rat",
            "mimikatz",
            "malicious",
            "applicunwnt",
            "acint",
            "systweak",
            "behav",
            "tiggre",
            "conduit",
            "trojanspy",
            "webtoolbar",
            "gc",
            "xfbml1",
            "pattern match",
            "file",
            "ascii text",
            "indicator",
            "windows nt",
            "script",
            "appdata",
            "mitre att",
            "date",
            "unknown",
            "error",
            "hybrid",
            "general",
            "local",
            "click",
            "facebook",
            "strings",
            "class",
            "generator",
            "critical",
            "ssl certificate",
            "whois record",
            "threat roundup",
            "october",
            "contacted",
            "january",
            "resolutions",
            "whois whois",
            "june",
            "communicating",
            "february"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "Gc",
              "display_name": "Gc",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 41,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 221,
            "FileHash-SHA1": 171,
            "FileHash-SHA256": 2904,
            "domain": 4834,
            "hostname": 1631,
            "CVE": 9,
            "URL": 5670
          },
          "indicator_count": 15440,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "903 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "654e46130211d24d7f9ef311",
          "name": "Imaging Center affected by WebToolbar \u2022 Critical C2 and Mitre Att",
          "description": "Critical - dpqhhab.exe\n216d5b6361d88c59cd0fb66c0ca94a27f6c1e0d592fc325b6d58929d4d5a1e76",
          "modified": "2023-12-10T13:00:37.604000",
          "created": "2023-11-10T15:02:43.841000",
          "tags": [
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "blacklist",
            "cisco umbrella",
            "site",
            "heur",
            "alexa top",
            "safe site",
            "million",
            "malware",
            "malware site",
            "phishing site",
            "malicious site",
            "crack",
            "wacatac",
            "unsafe",
            "phishing",
            "xrat",
            "xtrat",
            "nircmd",
            "swrort",
            "iframe",
            "downldr",
            "installcore",
            "agent",
            "unruy",
            "filetour",
            "cleaner",
            "patcher",
            "adload",
            "win64",
            "artemis",
            "riskware",
            "genkryptik",
            "fuery",
            "alexa",
            "blacklist https",
            "united",
            "ip address",
            "presenoker",
            "opencandy",
            "exploit",
            "quasar rat",
            "mimikatz",
            "malicious",
            "applicunwnt",
            "acint",
            "systweak",
            "behav",
            "tiggre",
            "conduit",
            "trojanspy",
            "webtoolbar",
            "gc",
            "xfbml1",
            "pattern match",
            "file",
            "ascii text",
            "indicator",
            "windows nt",
            "script",
            "appdata",
            "mitre att",
            "date",
            "unknown",
            "error",
            "hybrid",
            "general",
            "local",
            "click",
            "facebook",
            "strings",
            "class",
            "generator",
            "critical",
            "ssl certificate",
            "whois record",
            "threat roundup",
            "october",
            "contacted",
            "january",
            "resolutions",
            "whois whois",
            "june",
            "communicating",
            "february"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "Gc",
              "display_name": "Gc",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 41,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 221,
            "FileHash-SHA1": 171,
            "FileHash-SHA256": 2904,
            "domain": 4834,
            "hostname": 1631,
            "CVE": 9,
            "URL": 5670
          },
          "indicator_count": 15440,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "903 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "654e469fbf2e1c732bbeb7a3",
          "name": "Imaging Center affected by WebToolbar \u2022 Critical C2 and Mitre Att",
          "description": "Critical - dpqhhab.exe\n216d5b6361d88c59cd0fb66c0ca94a27f6c1e0d592fc325b6d58929d4d5a1e76\n\nAllows a bad actor to alter a diagnosis without physician override or documentation of the change.",
          "modified": "2023-12-10T13:00:37.604000",
          "created": "2023-11-10T15:05:03.947000",
          "tags": [
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "blacklist",
            "cisco umbrella",
            "site",
            "heur",
            "alexa top",
            "safe site",
            "million",
            "malware",
            "malware site",
            "phishing site",
            "malicious site",
            "crack",
            "wacatac",
            "unsafe",
            "phishing",
            "xrat",
            "xtrat",
            "nircmd",
            "swrort",
            "iframe",
            "downldr",
            "installcore",
            "agent",
            "unruy",
            "filetour",
            "cleaner",
            "patcher",
            "adload",
            "win64",
            "artemis",
            "riskware",
            "genkryptik",
            "fuery",
            "alexa",
            "blacklist https",
            "united",
            "ip address",
            "presenoker",
            "opencandy",
            "exploit",
            "quasar rat",
            "mimikatz",
            "malicious",
            "applicunwnt",
            "acint",
            "systweak",
            "behav",
            "tiggre",
            "conduit",
            "trojanspy",
            "webtoolbar",
            "gc",
            "xfbml1",
            "pattern match",
            "file",
            "ascii text",
            "indicator",
            "windows nt",
            "script",
            "appdata",
            "mitre att",
            "date",
            "unknown",
            "error",
            "hybrid",
            "general",
            "local",
            "click",
            "facebook",
            "strings",
            "class",
            "generator",
            "critical",
            "ssl certificate",
            "whois record",
            "threat roundup",
            "october",
            "contacted",
            "january",
            "resolutions",
            "whois whois",
            "june",
            "communicating",
            "february"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "Gc",
              "display_name": "Gc",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 40,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 221,
            "FileHash-SHA1": 171,
            "FileHash-SHA256": 2904,
            "domain": 4834,
            "hostname": 1631,
            "CVE": 9,
            "URL": 5670
          },
          "indicator_count": 15440,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "903 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6570a598f3d4e8c2cffd4f73",
          "name": "SMS SPY  \u2022 Remote Access",
          "description": "",
          "modified": "2023-12-06T16:47:19.410000",
          "created": "2023-12-06T16:47:19.410000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1043,
            "hostname": 684,
            "domain": 639,
            "FileHash-MD5": 382,
            "FileHash-SHA1": 212,
            "URL": 2215
          },
          "indicator_count": 5175,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "650b67e5a3ff15727eed5a06",
          "name": "SMS SPY  \u2022 Remote Access",
          "description": "Malvertizing. Spyware\nMalbranding:\nTagging tool tags allows adversaries to tag targets name in malicious website. Target may be lured by salacious content featuring their own name or someone known to person,  click on link infecting devices.",
          "modified": "2023-10-20T21:00:45.519000",
          "created": "2023-09-20T21:45:09.422000",
          "tags": [
            "site",
            "cisco umbrella",
            "alexa top",
            "million",
            "alexa",
            "united",
            "engineering",
            "phishing",
            "bank",
            "cobalt strike",
            "emotet",
            "phishtank",
            "spammer",
            "malware site",
            "deepscan",
            "malicious",
            "smsspy",
            "bradesco",
            "stealer",
            "facebook",
            "download",
            "service",
            "zbot",
            "formbook",
            "coinminer",
            "raccoonstealer",
            "social engineering",
            "vj75",
            "http",
            "oid3",
            "vis1",
            "redirect chain",
            "z554903578",
            "slfrd1",
            "xpccbgarern6r",
            "xpcyqqhir7yvq",
            "xpchgxkc32lbs",
            "pattern match",
            "q0o0mahttp",
            "pfunction",
            "lkvoid",
            "glfunction",
            "befunction",
            "mrtk",
            "7jfjrw",
            "zzvyn6uhsb"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:MSIL/RacoonStealer",
              "display_name": "Trojan:MSIL/RacoonStealer",
              "target": "/malware/Trojan:MSIL/RacoonStealer"
            },
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/Zbot",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/Zbot",
              "target": null
            },
            {
              "id": "TrojanSpy:Win32/Bradesco",
              "display_name": "TrojanSpy:Win32/Bradesco",
              "target": "/malware/TrojanSpy:Win32/Bradesco"
            },
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 639,
            "hostname": 684,
            "FileHash-MD5": 382,
            "FileHash-SHA1": 212,
            "FileHash-SHA256": 1043,
            "URL": 2215
          },
          "indicator_count": 5175,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "954 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "rpc",
        "mounts.csv",
        "mounts.txt",
        "configuring.html",
        "lber.h",
        "zshrc",
        "apfs_boot_mount.tbd",
        "CodeResources",
        "transport",
        "asl.conf",
        "auto_home",
        "manpaths",
        "postfix-files",
        "MCBrowserViewController.h",
        "smb.conf",
        "kern_loader.conf",
        "MCSession.h",
        "dbivport.h",
        "rmtab",
        "arm64e-apple-macos.swiftinterface",
        "launchagents.txt",
        "certificates.csv",
        "https://hayageek.com/drag-and-drop-file-upload-jquery",
        "header_checks",
        "process_list.txt",
        "applications.csv",
        "locate.rc",
        "etcHosts.csv",
        "Found in Palantirfoundry in sentient.indusutries linked to songculture.com (downed)",
        "MCPeerID.h",
        "version.plist",
        "sharedFolders.csv",
        "canonical",
        "rtadvd.conf",
        "LocalAuthentication.tbd",
        "sipConfig.csv",
        "sudoers",
        "https://www.melitta.be/portal/pics/layout/touchicons/apple-touch-icon-precomposed.png [Key-Systems GmbH]",
        "ldap.h",
        "MCAdvertiserAssistant.h",
        "syslog.conf",
        "x86_64-apple-ios-macabi.swiftinterface",
        "MCNearbyServiceAdvertiser.h",
        "sudo_lecture",
        "main.cf.proto",
        "passwd",
        "MultipeerConnectivity.h",
        "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/graph",
        "Redirecting to /verify/547062ef [URL https://eporner.blog \u2022 IPv4 104.21.3.107]",
        "hook_op_check.h",
        "csh.login",
        "chromeExtensions.csv",
        "user_launchagents.txt",
        "sharingPreferences.csv",
        "main.cf.default",
        "rc.common",
        "bounce.cf.default",
        "dbd_xsh.h",
        "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/community",
        "command_args.json",
        "auto_master",
        "usbDevices.csv",
        "master.cf.default",
        "autofs.conf",
        "TLS_LICENSE",
        "https://www-321chat-com.webpkgcache.com/doc/-/s/www.321chat.com/",
        "man.conf",
        "networks",
        "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/summary",
        "bashrc_Apple_Terminal",
        "profile",
        "security_status.txt",
        "master.cf",
        "convenience.map",
        "MCError.h",
        "bashrc",
        "csh.cshrc",
        "systemControls.csv",
        "xtab",
        "virtual",
        "makedefs.out",
        "group",
        "battery.csv",
        "managedPolicies.csv",
        "caching.html",
        "ntp.conf",
        "pf.os",
        "https://targeting-ai.com/dr-wisit-cheungpasitporn-invite-dhonneur-a-paris-pour-intelligence-artificielle-et-nephrologie-2025/ (phishing)",
        "FileleHash Sha256 [7a6da9fd351d428e9bfb8edbbca1275d9cdaf7f0371c77d2c227645509f7ebec ELF:Mirai-GH\\ [Trj] \u2022 Unix.Trojan.Gafgyt-6748839",
        "Driver_xst.h",
        "pf.conf",
        "LICENSE",
        "ftpusers",
        "T1027.013 - Encrypted/Encoded File",
        "find.codes",
        "launchdaemons.txt",
        "interfaceDetails.csv",
        "users.csv",
        "custom-error.html",
        "mail.rc",
        "paths",
        "shells",
        "crashes.csv",
        "conf.targeting-ai.com \u2022 http://conf.targeting-ai.com  \u2022 https://conf.targeting-ai.com \u2022 https://droidcall.cc/EQBhOSFz/",
        "LDAP.tbd",
        "aliases",
        "resolv.conf",
        "https://hayageek.com/rsa-encryption-decryption-openssl-c/",
        "AOSKit.tbd",
        "arm64e-apple-ios-macabi.swiftinterface",
        "master.cf.proto",
        "Admin.tbd",
        "index.html.en",
        "AppleFirmwareUpdate.tbd",
        "generic",
        "relocated",
        "afpovertcp.cfg",
        "module.modulemap",
        "custom_header_checks",
        "access",
        "http://securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html",
        "kexts.txt",
        "systemInfo.csv",
        "main.cf",
        "kernel.csv",
        "1-ai-chatbox-widget-2iv.pages.dev",
        "MCNearbyServiceBrowser.h",
        "csh.logout",
        "Info.plist",
        "AirPlayReceiver.tbd",
        "disk_structure.txt",
        "irbrc",
        "gettytab",
        "ttys",
        "MultipeerConnectivity.apinotes",
        "bind.html",
        "zshrc_Apple_Terminal",
        "dbi_sql.h",
        "rc.netboot",
        "zprofile",
        "x86_64-apple-macos.swiftinterface",
        "https://hybrid-analysis.com/sample/627cf8e9a89c998bd5cb607854bbe31b82679c116b4e3834ff942220d61d3488/68ac1098bfa5002fad02e045",
        "preboot_archive_errors.log",
        "interfaceAddrs.csv",
        "com.apple.screensharing.agent.launchd",
        "MultipeerConnectivity.tbd",
        "DBIXS.h",
        "BUILDING",
        "protocols",
        "ntp_opendirectory.conf",
        "APConfigurationSystem.tbd",
        "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/iocs",
        "dbixs_rev.h",
        "notify.conf",
        "launchD.csv",
        "newsyslog.conf",
        "nfs.conf",
        "diskEncryption.csv",
        "content-negotiation.html"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "DragonForce Malaysia Hacker Group"
          ],
          "malware_families": [
            "Trojan:msil/racoonstealer",
            "Lastname",
            "Cobalt strike",
            "Pornblackmailer",
            "Webtoolbar",
            "Formbook",
            "Unix.trojan.gafgyt-6748839",
            "Supportscookie",
            "Trojanspy:win32/bradesco",
            "Win32/porntool",
            "Mirai",
            "Firstname",
            "Gc",
            "Elf:mirai-gh\\ [trj]",
            "Alf:heraklezeval:trojan:win32/zbot",
            "Trojanspy"
          ],
          "industries": [
            "Civilian society",
            "Technology",
            "Government",
            "Telecommunications"
          ],
          "unique_indicators": 46428
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/license.md",
    "whois": "http://whois.domaintools.com/license.md",
    "domain": "license.md",
    "hostname": "ftp.license.md"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "68ac1823eed9568e26950b98",
      "name": "ELF: Mirai - Malicious media | sentient.industries | Palantir",
      "description": "Malicious entity weaponizing AI and next level cyber attacks, targeting, hacking, espionage, tracking, bad traffic, botnet, honeypots, bots , ddos. \n\nIt\u2019s really easy to become a target. Protest a cause, become a victim of crime by someone protected by a major entity , incur a large loss insurance case or have a high profile potential lawsuit on and on\u2026 \n\nExcessive overreach, low accountability, no barrier to access, designed  to be the cyber warfare  weapon.\nIf this is a spoof and NOT Palantir which (but it is) still relentlessly , as malicious. You don\u2019t own your devices or privacy.\n\n#mustbestrangelyexitingtowatchthestoicsquirm",
      "modified": "2025-09-24T07:05:04.439000",
      "created": "2025-08-25T08:00:35.492000",
      "tags": [
        "sentientindustries",
        "adult",
        "pornography",
        "targeting",
        "content reputation",
        "palantirfoundry",
        "palantir",
        "malicious media",
        "tool",
        "abuse",
        "citizens",
        "gay",
        "united",
        "cache control",
        "access control",
        "passive dns",
        "ip address",
        "body found",
        "gmt content",
        "express cache",
        "accept",
        "pragma",
        "avast avg",
        "mirai",
        "games",
        "aniporn",
        "eporner",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "command",
        "javascript",
        "defense evasion",
        "spawns",
        "attrib",
        "extid",
        "fbid",
        "creatortool",
        "pattern match",
        "date",
        "path",
        "august",
        "hybrid",
        "general",
        "click",
        "strings",
        "bham",
        "this",
        "core",
        "unknown aaaa",
        "moved",
        "unknown ns",
        "body",
        "h1 center",
        "title",
        "data upload",
        "extraction",
        "iocs",
        "monitored target",
        "copy md5",
        "copy sha1",
        "copy sha256",
        "mitre att",
        "show technique",
        "ck matrix",
        "span",
        "possible",
        "local",
        "meta",
        "roboto",
        "supportscookie",
        "spearphishing",
        "initial access",
        "ssl certificate",
        "t1105",
        "T1027.013 - Encrypted/Encoded File"
      ],
      "references": [
        "https://targeting-ai.com/dr-wisit-cheungpasitporn-invite-dhonneur-a-paris-pour-intelligence-artificielle-et-nephrologie-2025/ (phishing)",
        "conf.targeting-ai.com \u2022 http://conf.targeting-ai.com  \u2022 https://conf.targeting-ai.com \u2022 https://droidcall.cc/EQBhOSFz/",
        "http://securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html",
        "1-ai-chatbox-widget-2iv.pages.dev",
        "FileleHash Sha256 [7a6da9fd351d428e9bfb8edbbca1275d9cdaf7f0371c77d2c227645509f7ebec ELF:Mirai-GH\\ [Trj] \u2022 Unix.Trojan.Gafgyt-6748839",
        "Found in Palantirfoundry in sentient.indusutries linked to songculture.com (downed)",
        "Redirecting to /verify/547062ef [URL https://eporner.blog \u2022 IPv4 104.21.3.107]",
        "https://hayageek.com/drag-and-drop-file-upload-jquery",
        "https://hayageek.com/rsa-encryption-decryption-openssl-c/",
        "https://www-321chat-com.webpkgcache.com/doc/-/s/www.321chat.com/",
        "https://www.melitta.be/portal/pics/layout/touchicons/apple-touch-icon-precomposed.png [Key-Systems GmbH]",
        "https://hybrid-analysis.com/sample/627cf8e9a89c998bd5cb607854bbe31b82679c116b4e3834ff942220d61d3488/68ac1098bfa5002fad02e045",
        "T1027.013 - Encrypted/Encoded File"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "PornBlackmailer",
          "display_name": "PornBlackmailer",
          "target": null
        },
        {
          "id": "Win32/PornTool",
          "display_name": "Win32/PornTool",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "ELF:Mirai-GH\\ [Trj]",
          "display_name": "ELF:Mirai-GH\\ [Trj]",
          "target": null
        },
        {
          "id": "Unix.Trojan.Gafgyt-6748839",
          "display_name": "Unix.Trojan.Gafgyt-6748839",
          "target": null
        },
        {
          "id": "supportsCookie",
          "display_name": "supportsCookie",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1608.005",
          "name": "Link Target",
          "display_name": "T1608.005 - Link Target"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1568.002",
          "name": "Domain Generation Algorithms",
          "display_name": "T1568.002 - Domain Generation Algorithms"
        },
        {
          "id": "T1532",
          "name": "Data Encrypted",
          "display_name": "T1532 - Data Encrypted"
        }
      ],
      "industries": [
        "Telecommunications",
        "Technology",
        "Civilian Society",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 966,
        "domain": 222,
        "hostname": 272,
        "FileHash-MD5": 78,
        "FileHash-SHA1": 84,
        "FileHash-SHA256": 346,
        "SSLCertFingerprint": 10
      },
      "indicator_count": 1978,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "249 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67f5555b6ce863d998e83e26",
      "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net",
      "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-<UUID>.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.",
      "modified": "2025-05-11T19:03:59.885000",
      "created": "2025-04-08T16:56:59.641000",
      "tags": [
        "generated from",
        "do not",
        "edit uri",
        "urls",
        "edit",
        "rewriteengine",
        "rewritecond",
        "rewriterule",
        "r301",
        "xml2encalias",
        "beralloct",
        "berbvarrayadd",
        "berbvarrayfree",
        "berbvdup",
        "berbvecadd",
        "berbvecfree",
        "berbvfree",
        "berdump",
        "berdup",
        "berdupbv",
        "laerrordomain",
        "laerrornoncekey",
        "lamechanismtree",
        "lacontext",
        "ladomainstate",
        "laenvironment",
        "lanotification",
        "laprivatekey",
        "lapublickey",
        "laright",
        "apple swift",
        "o librarylevel",
        "combine import",
        "foundation",
        "swift import",
        "mcpeerid",
        "mcsession",
        "property",
        "copyright",
        "protocol",
        "class",
        "bonjour",
        "ascii lowercase",
        "abc company",
        "section",
        "bonjour txt",
        "note",
        "ui element",
        "utf8 encoding",
        "nscopying",
        "nsdictionary",
        "nsstring",
        "mcextern",
        "attribute",
        "mcextern extern",
        "mcexternweak",
        "nsenum",
        "nsinteger",
        "mcerrorcode",
        "mcerrorunknown",
        "mcerrortimedout",
        "peer",
        "example",
        "bonjour apis",
        "stop",
        "tags",
        "session",
        "nsprogress",
        "nserror",
        "nsurl",
        "nsarray",
        "create",
        "nsuinteger",
        "notifies",
        "mcsession api",
        "interface",
        "dbictrace",
        "dbivporth",
        "dbictracelevel",
        "dbdtffoo",
        "dbihseterrchar",
        "dbicstate",
        "dbictraceflags",
        "provides macros",
        "dbi release",
        "only",
        "sqlsuccess",
        "odbc",
        "sqlok",
        "tim bunce",
        "england",
        "sql cli",
        "sql datatype",
        "sqlguid",
        "sqlwlongvarchar",
        "main",
        "beware",
        "sv sth",
        "sv dbh",
        "impsth",
        "impdbh",
        "sv keysv",
        "sv params",
        "sv attr",
        "sv attribs",
        "sv drh",
        "void",
        "fri jul",
        "mixed",
        "dbixsrevision",
        "plsvundef",
        "license",
        "spagain",
        "perlioprintf",
        "dbiclogpio",
        "putback",
        "ireland",
        "gnu general",
        "super",
        "magic",
        "dbicflags",
        "dbis",
        "svrv",
        "null",
        "imp2com",
        "dbicactivekids",
        "dbicfiadestroy",
        "sv h",
        "dbicdbistate",
        "code",
        "copy",
        "refer",
        "trace",
        "error",
        "unknown",
        "hookopcheckh",
        "startexternc",
        "hookopcheckcb",
        "userdata",
        "endexternc",
        "isinternalbuild",
        "kickmcxdforuid",
        "loadappkit",
        "ardconfig",
        "authenticator",
        "dsauthenticator",
        "dsnode",
        "dsrecord",
        "group",
        "hostconfig",
        "apfsvolumelock",
        "apfsvolumerole",
        "aoskgetosinfo",
        "aoskgetuserinfo",
        "aosaddappleid",
        "aosdisablepcs",
        "aosenablepcs",
        "aoslog",
        "aoslogforce",
        "aosrelaycookie",
        "didfailcallback",
        "kaosaccountkey",
        "kapcsbundle",
        "kapcspath",
        "kjsonextension",
        "apcsbucketid",
        "apcsreports",
        "apconfiguration",
        "apversiondata",
        "apversionhelper",
        "systemvolumesvm",
        "name size",
        "identifier",
        "gb disk0s3",
        "devdisk3",
        "apfs container",
        "scheme",
        "physical store",
        "macintosh hd",
        "apfs snapshot",
        "preboot",
        "refs address",
        "size wired",
        "name",
        "version",
        "uuid",
        "linked against",
        "renderer",
        "helper",
        "chrome helper",
        "contains",
        "cloud ui",
        "macintosh",
        "khtml",
        "gecko",
        "ui helper",
        "plugin",
        "service",
        "good",
        "battery power",
        "apfs encryption",
        "jumpcloud go",
        "chrome web",
        "store",
        "privacy badger",
        "flowcrypt",
        "encrypt gmail",
        "simple",
        "google",
        "b2b phone",
        "number",
        "apollo",
        "future",
        "exccrash",
        "sigkill",
        "code signature",
        "invalid",
        "sigabrt",
        "protonvpn",
        "excguard",
        "excbreakpoint",
        "sigtrap",
        "excbadaccess",
        "appl",
        "english",
        "adobe crash",
        "adobe",
        "acrobat dcadobe",
        "processor",
        "uninstaller",
        "assistant",
        "install",
        "cloud",
        "dock",
        "calendar",
        "music",
        "terminal",
        "tips",
        "installer",
        "updater",
        "proton",
        "tools",
        "stub",
        "python",
        "clock",
        "powershell",
        "team",
        "rave scout",
        "cookies",
        "public folder",
        "key cert",
        "sign",
        "crl sign",
        "root ca",
        "authority",
        "public primary",
        "global root",
        "verisign",
        "academic",
        "premium",
        "adaptive",
        "interactive",
        "background",
        "standard",
        "launchd sandbox",
        "s mdworker",
        "agent",
        "command line",
        "progress",
        "yubico",
        "macos13action",
        "disableoverride",
        "disableairdrop",
        "denyactivation",
        "enable",
        "loginwindowtext",
        "jumpcloud",
        "autoupdate",
        "loggingoption",
        "enablefirewall",
        "arm64e",
        "apple m2",
        "mac142",
        "kjqqtw7pqt",
        "daemon",
        "server",
        "open directory",
        "user",
        "account",
        "kerberos admin",
        "kerberos change",
        "device daemon",
        "network",
        "desktop",
        "screensaver",
        "bridge",
        "aesxtsarm",
        "aesecbarm",
        "sha512vngarmhw",
        "sha384vngarmhw",
        "sha256vngarm",
        "sha1vngarm",
        "darwin kernel",
        "wed mar",
        "wkarraycreate",
        "wkbooleancreate",
        "wkcontextcreate",
        "wkdatacreate",
        "wkdatagettypeid",
        "wkdoublecreate",
        "wkframecopyurl",
        "wkgettypeid",
        "wkimagecreate",
        "wkpagecandelete",
        "webview",
        "notice",
        "this software",
        "including",
        "but not",
        "limited to",
        "redistribution",
        "is provided",
        "by apple",
        "direct",
        "damage",
        "apiavailable",
        "webkit",
        "nsswiftname",
        "document",
        "a block",
        "as is",
        "hasinclude",
        "wkdownload",
        "abstract",
        "wkerrorcode",
        "wkerrorunknown",
        "discussion",
        "bool",
        "whether",
        "wkcontentworld",
        "wkwebview",
        "javascript",
        "nsunavailable",
        "vaargs",
        "nsswiftasync",
        "wkswiftasync",
        "wkcookiepolicy",
        "wkswiftuiactor",
        "nshttpcookie",
        "targetosiphone",
        "wknavigation",
        "decides",
        "boolean value",
        "apideprecated",
        "methodkind",
        "wkerrordomain",
        "wkscriptmessage",
        "promise",
        "fulfill",
        "const",
        "url scheme",
        "mark",
        "wkuserscript",
        "targetosvision",
        "param",
        "wkframeinfo",
        "targetosios",
        "pass",
        "window",
        "mime type",
        "link",
        "nsimage",
        "returns",
        "nsset",
        "checks",
        "matches",
        "a boolean",
        "defaults",
        "wkwebextension",
        "cgsize",
        "uiimage",
        "apis",
        "nsdate",
        "wkcontentmode",
        "wkextern",
        "possible",
        "cgfloat",
        "media",
        "cgrect",
        "apiunavailable",
        "framework",
        "nsswiftuiactor",
        "targetoswatch",
        "confirms",
        "apple upgrade",
        "nsstring user",
        "nsobject",
        "provider",
        "apple",
        "password",
        "uicontrol",
        "nscontrol",
        "asuseragerange",
        "check",
        "opaque user",
        "apple id",
        "initiate",
        "asauthorization",
        "operation",
        "state",
        "nserrorenum",
        "nsdata",
        "relying party",
        "asapiavailable",
        "perform",
        "realm",
        "http response",
        "authorization",
        "http",
        "oauth",
        "saml",
        "a byte",
        "nsdata userid",
        "relying",
        "a string",
        "nsdata readdata",
        "bool didwrite",
        "a cose",
        "nsdata first",
        "nsdata second",
        "nsstring name",
        "bool appid",
        "targetosxr",
        "nsstring appid",
        "bluetooth",
        "mdm profile",
        "nsurl url",
        "returns yes",
        "a state",
        "a json",
        "web token",
        "private seckeys",
        "enables",
        "keychain",
        "asswiftsendable",
        "cose algorithm",
        "ecdsa",
        "sha256",
        "cose curve",
        "p256",
        "nullable",
        "bool success",
        "remove",
        "call",
        "complete",
        "initializes",
        "time code",
        "extensions",
        "asextern extern",
        "asextern",
        "nsswiftsendable",
        "prepare",
        "list",
        "nsextension",
        "attempt",
        "nsstring label",
        "creates",
        "nsstring code",
        "a key",
        "webauthn",
        "nssecurecoding",
        "input",
        "output",
        "initialize",
        "nsinteger rank",
        "json",
        "inputs",
        "hash",
        "nsstring origin",
        "settings app",
        "extension",
        "https urls",
        "safari",
        "cancel",
        "nsuuid uuid",
        "r uftpexu",
        "nsmutabledata",
        "vnsdate",
        "mprcjy",
        "postfix",
        "domain",
        "canonical",
        "tables",
        "ldap",
        "post",
        "replace user",
        "address",
        "wietse venema",
        "bugs",
        "mail",
        "aliases",
        "postfix version",
        "restrict",
        "sample",
        "person",
        "basic system",
        "general",
        "reject empty",
        "postfix smtp",
        "ipv6 host",
        "reject",
        "reply",
        "access",
        "prior",
        "hold",
        "info",
        "mail delivery",
        "charset",
        "system",
        "report",
        "postfix dsn",
        "mail returned",
        "this",
        "generic",
        "smtp",
        "isp mail",
        "mime",
        "headerchecks",
        "readme files",
        "filters while",
        "posix",
        "empty",
        "body",
        "write",
        "date",
        "smtp server",
        "specify",
        "mx host",
        "unix password",
        "user unknown",
        "pathbin",
        "postfix queue",
        "unix",
        "cyrus",
        "path",
        "uucp",
        "shell",
        "local",
        "program",
        "agreement",
        "contributor",
        "recipient",
        "contribution",
        "the program",
        "corporation",
        "contributors",
        "product x",
        "as expressly",
        "arch",
        "arch x8664",
        "pipe wall",
        "wimplicit",
        "ranlib",
        "warn",
        "switch",
        "start",
        "systype",
        "outlook",
        "postfix master",
        "begin",
        "server admin",
        "mail backend",
        "modern smtp",
        "iana",
        "many",
        "postfix pipe",
        "recent cyrus",
        "amos gouaux",
        "old example",
        "or even",
        "lutz jaenicke",
        "technology",
        "cottbus",
        "germany",
        "openssl package",
        "openssl project",
        "europe",
        "remember that",
        "use of",
        "file",
        "update",
        "usrsbin",
        "file format",
        "no group",
        "daemondirectory",
        "deliver mail",
        "transport",
        "description",
        "result format",
        "virtual",
        "virtual alias",
        "redirect mail",
        "relocated",
        "matches user",
        "synopsis",
        "lastname",
        "firstname",
        "apple computer",
        "tcpip",
        "supported",
        "quantum",
        "facility",
        "level",
        "level info",
        "broadcast",
        "ignore",
        "rules",
        "sender",
        "automounter map",
        "use directory",
        "get home",
        "home autohome",
        "true",
        "t option",
        "mount",
        "force",
        "environment",
        "automountdenv",
        "promptcommand",
        "shellsessiondir",
        "histfile",
        "histfilesize",
        "myvar",
        "histtimeformat",
        "arrange",
        "bashrematch",
        "tell",
        "ps1h",
        "make bash",
        "s checkwinsize",
        "etcbashrc",
        "termprogram",
        "inpck",
        "nnnbaud",
        "berkeley",
        "parity",
        "pc entry",
        "pass8",
        "parenb istrip",
        "fixed speed",
        "entry",
        "clocal mode",
        "maxhistsize",
        "promptmode",
        "verbose end",
        "etcirbrcloaded",
        "default",
        "setup",
        "history file",
        "kernel",
        "readline",
        "jabber",
        "group database",
        "dovecot",
        "postfix scsd",
        "networkd",
        "searchpaths",
        "freebsd",
        "tmpdir",
        "fcodes",
        "prunepaths",
        "vartmp",
        "prunedirs",
        "filesystems",
        "nroff",
        "manpath",
        "uncomment",
        "manpager",
        "whatispager",
        "manlocale",
        "every",
        "manpath optman",
        "maybe",
        "troff",
        "status mailfrom",
        "returnpath via",
        "pidfile",
        "flags",
        "bcgjnuwz",
        "bin usrsbin",
        "sbin",
        "default pf",
        "care",
        "audio",
        "user database",
        "unix copy",
        "gate daemon",
        "bashno",
        "r etcbashrc",
        "rfc1323",
        "m1460",
        "macos x",
        "signature",
        "linux",
        "opera",
        "xp sp1",
        "windows sp1",
        "nmap syn",
        "m265",
        "synack",
        "mind",
        "macos",
        "warp",
        "ipv6",
        "internet",
        "icmp",
        "cisco",
        "monitoring",
        "argus",
        "chaos",
        "rsvp",
        "encapsulation",
        "aris",
        "isis",
        "netbootmount",
        "netbootshadow",
        "computername",
        "localonly",
        "localnetbootdir",
        "netboot",
        "define",
        "purpose",
        "networkonly",
        "waiting",
        "networkup",
        "term",
        "devnull",
        "common setup",
        "configure",
        "set command",
        "dns hostname",
        "dns query",
        "see also",
        "kame",
        "sunnet manager",
        "rpcsrc",
        "netlicense",
        "ftpd",
        "bindash binksh",
        "binsh bintcsh",
        "jumpcloud ldap",
        "smb2",
        "security",
        "workgroup",
        "standalone",
        "samba server",
        "enforce",
        "smb3",
        "example share",
        "improper use",
        "ctrlc",
        "none",
        "fax reception",
        "hardwired",
        "0007",
        "must",
        "visudo",
        "blocksize",
        "charset lang",
        "language lcall",
        "lines columns",
        "lscolors",
        "sshauthsock",
        "orion",
        "setup user",
        "home",
        "zdotdir",
        "delete",
        "beep",
        "vendor",
        "kf10",
        "kf11",
        "kf12",
        "kf13",
        "backspace",
        "insert",
        "resume",
        "termsessionid",
        "savehist",
        "sharehistory",
        "h do",
        "volume",
        "de l",
        "l uuid",
        "m tra",
        "n est",
        "suuid",
        "prfen",
        "fusion",
        "syst",
        "look",
        "executant",
        "alla",
        "over",
        "test",
        "overie",
        "zapis",
        "rapid",
        "disco usa",
        "de macos",
        "nie s",
        "i denne",
        "adgjmpsvx",
        "diskgthis disk",
        "01k8x j",
        "34disk",
        "levy kytt",
        "dict",
        "array",
        "plist",
        "apple root",
        "code signing",
        "inode64r",
        "xofkoxzh",
        "integer",
        "doctype",
        "brain",
        "abcd",
        "ogwo",
        "boaw",
        "cobwa",
        "uhawavauatsh",
        "ip bitmap",
        "foewdc",
        "could",
        "ip block",
        "funcs",
        "cogwo",
        "trash",
        "double",
        "hunt",
        "affa",
        "carr",
        "crypto",
        "docwbac",
        "q1b0",
        "q1 0",
        "h h5",
        "docwbag",
        "slice",
        "format",
        "zero",
        "alfa",
        "hera",
        "lelei",
        "hehe",
        "hisp",
        "fail",
        "katy",
        "zakk",
        "eodwcbgao",
        "hhk8di",
        "alma",
        "topo",
        "open",
        "huhk",
        "piper",
        "hehx",
        "eh ui",
        "h20hph",
        "hif h",
        "hmhhihqhyla hq",
        "r11b0",
        "target",
        "uus10u",
        "hifh",
        "loghookfailed",
        "loghook",
        "hell",
        "q1b 0",
        "f duh",
        "aqw1",
        "1160"
      ],
      "references": [
        "index.html.en",
        "bind.html",
        "caching.html",
        "BUILDING",
        "configuring.html",
        "content-negotiation.html",
        "custom-error.html",
        "convenience.map",
        "LDAP.tbd",
        "lber.h",
        "ldap.h",
        "LocalAuthentication.tbd",
        "arm64e-apple-macos.swiftinterface",
        "x86_64-apple-ios-macabi.swiftinterface",
        "arm64e-apple-ios-macabi.swiftinterface",
        "x86_64-apple-macos.swiftinterface",
        "MultipeerConnectivity.tbd",
        "module.modulemap",
        "MCNearbyServiceAdvertiser.h",
        "MCPeerID.h",
        "MCError.h",
        "MCNearbyServiceBrowser.h",
        "MCAdvertiserAssistant.h",
        "MultipeerConnectivity.apinotes",
        "MultipeerConnectivity.h",
        "MCSession.h",
        "MCBrowserViewController.h",
        "dbivport.h",
        "dbi_sql.h",
        "dbd_xsh.h",
        "dbixs_rev.h",
        "Driver_xst.h",
        "DBIXS.h",
        "hook_op_check.h",
        "Admin.tbd",
        "AirPlayReceiver.tbd",
        "apfs_boot_mount.tbd",
        "AOSKit.tbd",
        "APConfigurationSystem.tbd",
        "AppleFirmwareUpdate.tbd",
        "launchdaemons.txt",
        "preboot_archive_errors.log",
        "mounts.txt",
        "launchagents.txt",
        "disk_structure.txt",
        "user_launchagents.txt",
        "security_status.txt",
        "kexts.txt",
        "process_list.txt",
        "battery.csv",
        "diskEncryption.csv",
        "chromeExtensions.csv",
        "crashes.csv",
        "interfaceAddrs.csv",
        "kernel.csv",
        "interfaceDetails.csv",
        "etcHosts.csv",
        "applications.csv",
        "mounts.csv",
        "sharedFolders.csv",
        "certificates.csv",
        "sharingPreferences.csv",
        "launchD.csv",
        "usbDevices.csv",
        "managedPolicies.csv",
        "systemInfo.csv",
        "users.csv",
        "sipConfig.csv",
        "systemControls.csv",
        "canonical",
        "aliases",
        "custom_header_checks",
        "access",
        "bounce.cf.default",
        "generic",
        "header_checks",
        "main.cf.default",
        "LICENSE",
        "makedefs.out",
        "main.cf",
        "master.cf.default",
        "main.cf.proto",
        "master.cf.proto",
        "master.cf",
        "TLS_LICENSE",
        "postfix-files",
        "transport",
        "virtual",
        "relocated",
        "afpovertcp.cfg",
        "asl.conf",
        "auto_home",
        "auto_master",
        "autofs.conf",
        "bashrc_Apple_Terminal",
        "com.apple.screensharing.agent.launchd",
        "bashrc",
        "command_args.json",
        "csh.cshrc",
        "csh.login",
        "find.codes",
        "csh.logout",
        "ftpusers",
        "gettytab",
        "irbrc",
        "kern_loader.conf",
        "group",
        "locate.rc",
        "man.conf",
        "mail.rc",
        "manpaths",
        "networks",
        "nfs.conf",
        "newsyslog.conf",
        "ntp_opendirectory.conf",
        "ntp.conf",
        "notify.conf",
        "paths",
        "pf.conf",
        "passwd",
        "profile",
        "pf.os",
        "protocols",
        "rc.netboot",
        "rc.common",
        "rmtab",
        "resolv.conf",
        "rtadvd.conf",
        "rpc",
        "shells",
        "smb.conf",
        "sudo_lecture",
        "ttys",
        "syslog.conf",
        "xtab",
        "sudoers",
        "zprofile",
        "zshrc",
        "zshrc_Apple_Terminal",
        "CodeResources",
        "version.plist",
        "Info.plist"
      ],
      "public": 1,
      "adversary": "DragonForce Malaysia Hacker Group",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lastname",
          "display_name": "Lastname",
          "target": null
        },
        {
          "id": "Firstname",
          "display_name": "Firstname",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 66,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ilyailya",
        "id": "298851",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 4449,
        "domain": 3847,
        "URL": 14263,
        "FileHash-SHA256": 2356,
        "FileHash-MD5": 223,
        "FileHash-SHA1": 523,
        "email": 223,
        "CVE": 40,
        "CIDR": 12,
        "SSLCertFingerprint": 302
      },
      "indicator_count": 26238,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 37,
      "modified_text": "385 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67127cfd194972b2b7a01965",
      "name": "Discord",
      "description": "Discord W11 Sample Device\nC:\\ProgramData*\\Discord",
      "modified": "2024-11-17T15:01:49.122000",
      "created": "2024-10-18T15:21:33.350000",
      "tags": [
        "Discord"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/community",
        "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/iocs",
        "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/summary",
        "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/graph"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 80,
        "FileHash-SHA1": 80,
        "FileHash-SHA256": 357,
        "URL": 472,
        "domain": 413,
        "hostname": 153
      },
      "indicator_count": 1555,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 131,
      "modified_text": "560 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "654e46078568d62bc323e093",
      "name": "Imaging Center affected by WebToolbar \u2022 Critical C2 and Mitre Att",
      "description": "Critical - dpqhhab.exe\n216d5b6361d88c59cd0fb66c0ca94a27f6c1e0d592fc325b6d58929d4d5a1e76",
      "modified": "2023-12-10T13:00:37.604000",
      "created": "2023-11-10T15:02:31.518000",
      "tags": [
        "threat report",
        "ip summary",
        "url summary",
        "summary",
        "sample",
        "samples",
        "detection list",
        "blacklist",
        "cisco umbrella",
        "site",
        "heur",
        "alexa top",
        "safe site",
        "million",
        "malware",
        "malware site",
        "phishing site",
        "malicious site",
        "crack",
        "wacatac",
        "unsafe",
        "phishing",
        "xrat",
        "xtrat",
        "nircmd",
        "swrort",
        "iframe",
        "downldr",
        "installcore",
        "agent",
        "unruy",
        "filetour",
        "cleaner",
        "patcher",
        "adload",
        "win64",
        "artemis",
        "riskware",
        "genkryptik",
        "fuery",
        "alexa",
        "blacklist https",
        "united",
        "ip address",
        "presenoker",
        "opencandy",
        "exploit",
        "quasar rat",
        "mimikatz",
        "malicious",
        "applicunwnt",
        "acint",
        "systweak",
        "behav",
        "tiggre",
        "conduit",
        "trojanspy",
        "webtoolbar",
        "gc",
        "xfbml1",
        "pattern match",
        "file",
        "ascii text",
        "indicator",
        "windows nt",
        "script",
        "appdata",
        "mitre att",
        "date",
        "unknown",
        "error",
        "hybrid",
        "general",
        "local",
        "click",
        "facebook",
        "strings",
        "class",
        "generator",
        "critical",
        "ssl certificate",
        "whois record",
        "threat roundup",
        "october",
        "contacted",
        "january",
        "resolutions",
        "whois whois",
        "june",
        "communicating",
        "february"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "WebToolbar",
          "display_name": "WebToolbar",
          "target": null
        },
        {
          "id": "Gc",
          "display_name": "Gc",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 41,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 221,
        "FileHash-SHA1": 171,
        "FileHash-SHA256": 2904,
        "domain": 4834,
        "hostname": 1631,
        "CVE": 9,
        "URL": 5670
      },
      "indicator_count": 15440,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 222,
      "modified_text": "903 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "654e46130211d24d7f9ef311",
      "name": "Imaging Center affected by WebToolbar \u2022 Critical C2 and Mitre Att",
      "description": "Critical - dpqhhab.exe\n216d5b6361d88c59cd0fb66c0ca94a27f6c1e0d592fc325b6d58929d4d5a1e76",
      "modified": "2023-12-10T13:00:37.604000",
      "created": "2023-11-10T15:02:43.841000",
      "tags": [
        "threat report",
        "ip summary",
        "url summary",
        "summary",
        "sample",
        "samples",
        "detection list",
        "blacklist",
        "cisco umbrella",
        "site",
        "heur",
        "alexa top",
        "safe site",
        "million",
        "malware",
        "malware site",
        "phishing site",
        "malicious site",
        "crack",
        "wacatac",
        "unsafe",
        "phishing",
        "xrat",
        "xtrat",
        "nircmd",
        "swrort",
        "iframe",
        "downldr",
        "installcore",
        "agent",
        "unruy",
        "filetour",
        "cleaner",
        "patcher",
        "adload",
        "win64",
        "artemis",
        "riskware",
        "genkryptik",
        "fuery",
        "alexa",
        "blacklist https",
        "united",
        "ip address",
        "presenoker",
        "opencandy",
        "exploit",
        "quasar rat",
        "mimikatz",
        "malicious",
        "applicunwnt",
        "acint",
        "systweak",
        "behav",
        "tiggre",
        "conduit",
        "trojanspy",
        "webtoolbar",
        "gc",
        "xfbml1",
        "pattern match",
        "file",
        "ascii text",
        "indicator",
        "windows nt",
        "script",
        "appdata",
        "mitre att",
        "date",
        "unknown",
        "error",
        "hybrid",
        "general",
        "local",
        "click",
        "facebook",
        "strings",
        "class",
        "generator",
        "critical",
        "ssl certificate",
        "whois record",
        "threat roundup",
        "october",
        "contacted",
        "january",
        "resolutions",
        "whois whois",
        "june",
        "communicating",
        "february"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "WebToolbar",
          "display_name": "WebToolbar",
          "target": null
        },
        {
          "id": "Gc",
          "display_name": "Gc",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 41,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 221,
        "FileHash-SHA1": 171,
        "FileHash-SHA256": 2904,
        "domain": 4834,
        "hostname": 1631,
        "CVE": 9,
        "URL": 5670
      },
      "indicator_count": 15440,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 222,
      "modified_text": "903 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "654e469fbf2e1c732bbeb7a3",
      "name": "Imaging Center affected by WebToolbar \u2022 Critical C2 and Mitre Att",
      "description": "Critical - dpqhhab.exe\n216d5b6361d88c59cd0fb66c0ca94a27f6c1e0d592fc325b6d58929d4d5a1e76\n\nAllows bad actor to alter diagnosis without physician override or documentation of.",
      "modified": "2023-12-10T13:00:37.604000",
      "created": "2023-11-10T15:05:03.947000",
      "tags": [
        "threat report",
        "ip summary",
        "url summary",
        "summary",
        "sample",
        "samples",
        "detection list",
        "blacklist",
        "cisco umbrella",
        "site",
        "heur",
        "alexa top",
        "safe site",
        "million",
        "malware",
        "malware site",
        "phishing site",
        "malicious site",
        "crack",
        "wacatac",
        "unsafe",
        "phishing",
        "xrat",
        "xtrat",
        "nircmd",
        "swrort",
        "iframe",
        "downldr",
        "installcore",
        "agent",
        "unruy",
        "filetour",
        "cleaner",
        "patcher",
        "adload",
        "win64",
        "artemis",
        "riskware",
        "genkryptik",
        "fuery",
        "alexa",
        "blacklist https",
        "united",
        "ip address",
        "presenoker",
        "opencandy",
        "exploit",
        "quasar rat",
        "mimikatz",
        "malicious",
        "applicunwnt",
        "acint",
        "systweak",
        "behav",
        "tiggre",
        "conduit",
        "trojanspy",
        "webtoolbar",
        "gc",
        "xfbml1",
        "pattern match",
        "file",
        "ascii text",
        "indicator",
        "windows nt",
        "script",
        "appdata",
        "mitre att",
        "date",
        "unknown",
        "error",
        "hybrid",
        "general",
        "local",
        "click",
        "facebook",
        "strings",
        "class",
        "generator",
        "critical",
        "ssl certificate",
        "whois record",
        "threat roundup",
        "october",
        "contacted",
        "january",
        "resolutions",
        "whois whois",
        "june",
        "communicating",
        "february"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "WebToolbar",
          "display_name": "WebToolbar",
          "target": null
        },
        {
          "id": "Gc",
          "display_name": "Gc",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 40,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 221,
        "FileHash-SHA1": 171,
        "FileHash-SHA256": 2904,
        "domain": 4834,
        "hostname": 1631,
        "CVE": 9,
        "URL": 5670
      },
      "indicator_count": 15440,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 222,
      "modified_text": "903 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6570a598f3d4e8c2cffd4f73",
      "name": "SMS SPY  \u2022 Remote Access",
      "description": "",
      "modified": "2023-12-06T16:47:19.410000",
      "created": "2023-12-06T16:47:19.410000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1043,
        "hostname": 684,
        "domain": 639,
        "FileHash-MD5": 382,
        "FileHash-SHA1": 212,
        "URL": 2215
      },
      "indicator_count": 5175,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "907 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "650b67e5a3ff15727eed5a06",
      "name": "SMS SPY  \u2022 Remote Access",
      "description": "Malvertizing. Spyware\nMalbranding:\nTagging tool tags allows adversaries to tag targets name in malicious website. Target may be lured by salacious content featuring their own name or someone known to person,  click on link infecting devices.",
      "modified": "2023-10-20T21:00:45.519000",
      "created": "2023-09-20T21:45:09.422000",
      "tags": [
        "site",
        "cisco umbrella",
        "alexa top",
        "million",
        "alexa",
        "united",
        "engineering",
        "phishing",
        "bank",
        "cobalt strike",
        "emotet",
        "phishtank",
        "spammer",
        "malware site",
        "deepscan",
        "malicious",
        "smsspy",
        "bradesco",
        "stealer",
        "facebook",
        "download",
        "service",
        "zbot",
        "formbook",
        "coinminer",
        "raccoonstealer",
        "social engineering",
        "vj75",
        "http",
        "oid3",
        "vis1",
        "redirect chain",
        "z554903578",
        "slfrd1",
        "xpccbgarern6r",
        "xpcyqqhir7yvq",
        "xpchgxkc32lbs",
        "pattern match",
        "q0o0mahttp",
        "pfunction",
        "lkvoid",
        "glfunction",
        "befunction",
        "mrtk",
        "7jfjrw",
        "zzvyn6uhsb"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:MSIL/RacoonStealer",
          "display_name": "Trojan:MSIL/RacoonStealer",
          "target": "/malware/Trojan:MSIL/RacoonStealer"
        },
        {
          "id": "ALF:HeraklezEval:Trojan:Win32/Zbot",
          "display_name": "ALF:HeraklezEval:Trojan:Win32/Zbot",
          "target": null
        },
        {
          "id": "TrojanSpy:Win32/Bradesco",
          "display_name": "TrojanSpy:Win32/Bradesco",
          "target": "/malware/TrojanSpy:Win32/Bradesco"
        },
        {
          "id": "FormBook",
          "display_name": "FormBook",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 36,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 639,
        "hostname": 684,
        "FileHash-MD5": 382,
        "FileHash-SHA1": 212,
        "FileHash-SHA256": 1043,
        "URL": 2215
      },
      "indicator_count": 5175,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 221,
      "modified_text": "954 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://ftp.license.md/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://ftp.license.md/",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780278535.7336667
}