{ "type": "URL", "indicator": "https://game1.happiqo.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://game1.happiqo.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4176345289, "indicator": "https://game1.happiqo.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "696ac416596cd89cf76bce55", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:04:53.997000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "63 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac4327b5bc2e8be34f78a", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:22.323000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "63 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac438a696c993b672106d", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:28.261000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "63 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69612a0df518040b20932bef", "name": "Pahamify Pegasus | Palantir Malicious delivery via Bible app downloaded from iOS App Store", "description": "Pahamify Pegasus | Requires much further research.\nWorking backwards: Targeted device had a Bible Gateway app download by target from both iOS and Android devices. As per report each time app was accessed, iOS became glitched, passwords stolen, drive by compromise on lock screen prompted target to review app. She found the app login was changed to an unknown users name. I tested a (Bible Gateway) URI to see if her belief BG was a honey pot was true. \nThis may take 2-3 more rounds of research. \nIs Pegasus. Is Palantir. Is intrusive and malicious.\n\n[OTC auto generated Title: 2 Timothy 3 NIV - But mark this: There will be terrible - Bible Gateway]", "modified": "2026-02-08T15:00:50.749000", "created": "2026-01-09T16:17:17.632000", "tags": [ "defense evasion", "cor ta0011", "techni process", "application l", "encrypted ch", "christ jesus", "just", "final charge", "timothy10", "antioch", "iconium", "lystra", "lord", "holy scriptures", "scripture", "bible gateway", "no expiration", "expiration", "a domains", "present sep", "united", "present jun", "meta", "present oct", "present aug", "servers", "title", "data upload", "extraction", "palantir foundry", "listeners", "dev", "redirects", "redirect health", "health data", "utc google", "utc na", "script", "utc amazon", "bible", "meta tags", "read", "bible reading", "trackers google", "anchor", "analyse headers", "contenttype", "transferenco", "connection", "date fri", "server", "read c", "as16509", "rgba", "unicode", "execution", "dock", "write", "persistence", "jsvendor", "jsapp", "script script", "cssapp", "jsfirebase", "moved", "urls", "pegasus", "encrypt", "script urls", "record value", "tls handshake", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "next", "capture", "malware", "unknown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "access att", "t1189 driveby", "html", "mitre att", "ck matrix", "ascii text", "pattern match", "et info", "bad traffic", "hybrid", "general", "local", "path", "click", "adversaries", "execution att", "t1204 user", "t1480 execution", "null", "refresh", "span", "strings", "error", "tools", "look", "verify", "restart", "timothy", "search", "tag manager", "g8t6ln06z40", "code", "css", "js", "router", "cloudfront", "John 12:17", "port", "yara rule", "high", "tofsee", "rndhex", "rndchar", "destination", "loaderid", "lidfileupd", "stream" ], "references": [ "https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "https://pegasus.pahamify.com/", "aptia.palantirfoundry.com \u2022 palantirfoundry.com \u2022\u2019agent-infra-mojito.palantirfoundry.com", "equilibrium.palantirfoundry.com \u2022 kt-presales.palantirfoundry.com \u2022 paloma.palantirfoundry.com", "usw-2-dev.palantirfoundry.com \u2022 lucyw.palantirfoundry.com \u2022 https://fegdip.palantirfoundry.com/", "http://dasima-containers.palantirfoundry.com/ \u2022 https://glare.palantirfoundry.com/", "https://inbound-message-listener-temporary-testing.palantirfoundry.com", "https://listeners.usw-16.palantirfoundry.com \u2022 https://pacificlife.palantirfoundry.com/", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.afa33b71-01ea-477c-bc01-f6a3ab623e9d/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/", "https://uhsinc.palantirfoundry.com/ \u2022 https://velocityglobal.palantirfoundry.com", "https://wes.palantirfoundry.com/ \u2022 http://utilities-bootcamp.palantirfoundry.com/", "http://glare.palantirfoundry.com/ \u2022 https://woodward.palantirfoundry.com/", "https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd45176426a", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd458176426a", "https://pegasus.pahamify.com/ \u2022 https://pegasus.pahamify.com/study-plan/ \u2022 pegasus.pahamify.com", "John 12:17" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Bible Gateway", "display_name": "Bible Gateway", "target": null }, { "id": "Pahamify Pegasus", "display_name": "Pahamify Pegasus", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6527, "hostname": 2450, "FileHash-SHA256": 1716, "FileHash-MD5": 245, "FileHash-SHA1": 134, "domain": 1101, "email": 3, "SSLCertFingerprint": 8 }, "indicator_count": 12184, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "70 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "usw-2-dev.palantirfoundry.com \u2022 lucyw.palantirfoundry.com \u2022 https://fegdip.palantirfoundry.com/", "https://wes.palantirfoundry.com/ \u2022 http://utilities-bootcamp.palantirfoundry.com/", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "search.roi.ros.gov.uk", "John 12:17", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "https://uhsinc.palantirfoundry.com/ \u2022 https://velocityglobal.palantirfoundry.com", "https://inbound-message-listener-temporary-testing.palantirfoundry.com", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "http://dasima-containers.palantirfoundry.com/ \u2022 https://glare.palantirfoundry.com/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.afa33b71-01ea-477c-bc01-f6a3ab623e9d/master", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd458176426a", "equilibrium.palantirfoundry.com \u2022 kt-presales.palantirfoundry.com \u2022 paloma.palantirfoundry.com", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "aptia.palantirfoundry.com \u2022 palantirfoundry.com \u2022\u2019agent-infra-mojito.palantirfoundry.com", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd45176426a", "https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "https://pegasus.pahamify.com/ \u2022 https://pegasus.pahamify.com/study-plan/ \u2022 pegasus.pahamify.com", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "pegasuspartners.followupboss.com", "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "https://pegasus.pahamify.com/", "http://glare.palantirfoundry.com/ \u2022 https://woodward.palantirfoundry.com/", "https://listeners.usw-16.palantirfoundry.com \u2022 https://pacificlife.palantirfoundry.com/", "Denver, US 80211 http://library.verizon.onereach.ai", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Alf:heraklezeval:trojan:win32/clipbanker", "Other malware", "Bible gateway", "Tofsee", "Pegasus", "Et", "Pahamify pegasus" ], "industries": [], "unique_indicators": 31592 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/happiqo.com", "whois": "http://whois.domaintools.com/happiqo.com", "domain": "happiqo.com", "hostname": "game1.happiqo.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "696ac416596cd89cf76bce55", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:04:53.997000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "63 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac4327b5bc2e8be34f78a", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:22.323000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "63 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac438a696c993b672106d", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:28.261000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "63 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69612a0df518040b20932bef", "name": "Pahamify Pegasus | Palantir Malicious delivery via Bible app downloaded from iOS App Store", "description": "Pahamify Pegasus | Requires much further research.\nWorking backwards: Targeted device had a Bible Gateway app download by target from both iOS and Android devices. As per report each time app was accessed, iOS became glitched, passwords stolen, drive by compromise on lock screen prompted target to review app. She found the app login was changed to an unknown users name. I tested a (Bible Gateway) URI to see if her belief BG was a honey pot was true. \nThis may take 2-3 more rounds of research. \nIs Pegasus. Is Palantir. Is intrusive and malicious.\n\n[OTC auto generated Title: 2 Timothy 3 NIV - But mark this: There will be terrible - Bible Gateway]", "modified": "2026-02-08T15:00:50.749000", "created": "2026-01-09T16:17:17.632000", "tags": [ "defense evasion", "cor ta0011", "techni process", "application l", "encrypted ch", "christ jesus", "just", "final charge", "timothy10", "antioch", "iconium", "lystra", "lord", "holy scriptures", "scripture", "bible gateway", "no expiration", "expiration", "a domains", "present sep", "united", "present jun", "meta", "present oct", "present aug", "servers", "title", "data upload", "extraction", "palantir foundry", "listeners", "dev", "redirects", "redirect health", "health data", "utc google", "utc na", "script", "utc amazon", "bible", "meta tags", "read", "bible reading", "trackers google", "anchor", "analyse headers", "contenttype", "transferenco", "connection", "date fri", "server", "read c", "as16509", "rgba", "unicode", "execution", "dock", "write", "persistence", "jsvendor", "jsapp", "script script", "cssapp", "jsfirebase", "moved", "urls", "pegasus", "encrypt", "script urls", "record value", "tls handshake", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "next", "capture", "malware", "unknown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "access att", "t1189 driveby", "html", "mitre att", "ck matrix", "ascii text", "pattern match", "et info", "bad traffic", "hybrid", "general", "local", "path", "click", "adversaries", "execution att", "t1204 user", "t1480 execution", "null", "refresh", "span", "strings", "error", "tools", "look", "verify", "restart", "timothy", "search", "tag manager", "g8t6ln06z40", "code", "css", "js", "router", "cloudfront", "John 12:17", "port", "yara rule", "high", "tofsee", "rndhex", "rndchar", "destination", "loaderid", "lidfileupd", "stream" ], "references": [ "https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "https://pegasus.pahamify.com/", "aptia.palantirfoundry.com \u2022 palantirfoundry.com \u2022\u2019agent-infra-mojito.palantirfoundry.com", "equilibrium.palantirfoundry.com \u2022 kt-presales.palantirfoundry.com \u2022 paloma.palantirfoundry.com", "usw-2-dev.palantirfoundry.com \u2022 lucyw.palantirfoundry.com \u2022 https://fegdip.palantirfoundry.com/", "http://dasima-containers.palantirfoundry.com/ \u2022 https://glare.palantirfoundry.com/", "https://inbound-message-listener-temporary-testing.palantirfoundry.com", "https://listeners.usw-16.palantirfoundry.com \u2022 https://pacificlife.palantirfoundry.com/", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.afa33b71-01ea-477c-bc01-f6a3ab623e9d/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/", "https://uhsinc.palantirfoundry.com/ \u2022 https://velocityglobal.palantirfoundry.com", "https://wes.palantirfoundry.com/ \u2022 http://utilities-bootcamp.palantirfoundry.com/", "http://glare.palantirfoundry.com/ \u2022 https://woodward.palantirfoundry.com/", "https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd45176426a", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd458176426a", "https://pegasus.pahamify.com/ \u2022 https://pegasus.pahamify.com/study-plan/ \u2022 pegasus.pahamify.com", "John 12:17" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Bible Gateway", "display_name": "Bible Gateway", "target": null }, { "id": "Pahamify Pegasus", "display_name": "Pahamify Pegasus", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6527, "hostname": 2450, "FileHash-SHA256": 1716, "FileHash-MD5": 245, "FileHash-SHA1": 134, "domain": 1101, "email": 3, "SSLCertFingerprint": 8 }, "indicator_count": 12184, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "70 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://game1.happiqo.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://game1.happiqo.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776642361.6592646 }