{ "type": "URL", "indicator": "https://go.cambaddies.com/api/goToTheTag", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://go.cambaddies.com/api/goToTheTag", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4391470524, "indicator": "https://go.cambaddies.com/api/goToTheTag", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "6a1fc3671bc3d0f5ce8b06e6", "name": "Grok \u2022 X \u2022 Twitter Vflooder | SystemBC | QNAPCrypt", "description": "I continue to research issues affecting iOS and other smart devices, browsers, search engines and targeted individuals.\nI will limit my comments as further evaluation is required. Twitter appears to be used as a weapon to abuse of several targeted persons and their schools or businesses. Research is required to determine how. Is Twitter / X a weapon or is it abused by threat actors. Ongoing attacks dating back at least 5 years. || \n*DESCRIPTION: Detects systembc RAT REFERENCE: https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior\n\n#malicious #spyware #twitter #x #ai_ agents #seen_before #systembc #vtflooder #qnapcrypt #cve #checkin #scripiting #injection #extraction #gobinary #operation", "modified": "2026-06-03T06:02:15.229000", "created": "2026-06-03T06:02:15.229000", "tags": [ "sysv", "buildid", "united", "windows nt", "msie", "germany as8560", "yara detections", "contacted", "z74457024643q1", "systembc", "trojan", "elf executable", "exec amd6464", "linux", "elf64 operation", "unix", "compiler", "debugging", "go binary", "injection", "header elf64", "v exec", "executable file", "advanced micro", "note", "strtab", "gmbh", "gandi sas", "group india", "private limited", "qnapcrypt", "hacktool", "chrome", "yandex", "stripchat", "amazonaws", "mal_elf_systembc", "apple ios", "ios", "apple", "telhash", "data upload", "cursor", "se data", "extraction", "n https", "data", "failed", "cve cve20246387", "log id", "gmtn", "path", "secure", "self", "samesitenone", "encrypt", "d8n timestamp", "timestamp", "organization", "false", "certificate", "search", "emails", "twitter", "twitter spyware", "twitter vtflooder", "x", "unknown aaaa", "present jun", "ip address", "belize unknown", "unknown ns", "grok x", "cursor agents", "ai", "url url", "url hostnams", "hostn url", "url data", "belize", "a domains", "moved", "alone email", "gmt server", "url analysis", "accept", "namecheap", "namecheap inc", "namesilo", "expim", "url https", "dynamicloader", "host", "ff d5", "yara rule", "ee fc", "generic http", "exe upload", "f0 ff", "eb e1", "write", "vflooder", "malware", "upload inbound", "av detections", "ids detections", "alerts", "analysis date", "checkin generic", "http exe", "upload inbound", "outbound yara", "nrv2x", "upxoepplace", "google", "adversaries", "adversarial attacks", "techniques", "create", "modify system", "process t1064", "t1543 systemd", "technir create", "full reports", "v tcp", "help", "ja3 digests", "hashes o", "et http", "get http", "post http", "dns resolutions", "cams", "adult content", "ff bb", "ff ff", "f7 b9", "c1 e8", "copy", "markus", "august", "title", "gamehack", "alberta.ca", "songculture", "lizardsquad" ], "references": [ "FileHash-SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1", "TelfHash t135324a7149bc74b5b6a6d910b3a3b4b8a6772d6566f434f51023ad84ffc1e801ce283b", "Names: testpaging \u2022 upof6w.exe \u2022 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt", "Yara Detections: is__elf IP\u2019s", "IP\u2019s Contacted: 104.17.118.12 57.144.248.1 176.114.120.24 80.12.24.14 95.163.61.73 142.251.98.113", "IP\u2019s Contacted: 212.227.17.162 77.88.44.55 142.93.142.17 104.18.14.206", "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com", "ELF - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked,", "Go BuildID=qBC61D7N3q3H7j2Pq55o/WsPsx2ArOJ0T24axAUMZ/K6isHEI8QMyAMkIM3HH8/QQevOAoeyrO7eZGdBARa,", "BuildID[sha1]=068f07f6460b85817e4be47c18c10d1a1fbef817, stripped", "motherlesslive.com", "blackbox21.shop", "passwordreset.gscs.ca \u2022 https://passwordreset.gscs.ca/", "alberta.ca impacts an OTX user", "https://stripchat.org/ \u2022 27bsmextreme.tech \u2022 35bsmextreme.tech \u2022 46bsmextreme.tech \u2022", "FileHash-SHA256 9da8632065cc24646086ff5fb769c452f777aa6c2470a02a16d209baabd1e4b5", "storage/analyses/1000549/network 9da8632065cc24646086f f5 fb769c45\"", "? Con*-cted jp-\u0661\u0660\u0661\u0660\u0660\u0660.--- \u0644\u062d\u0645\u0627", "https://arena.ai/apple-touch-icon-dark.png", "https://www.forbes.com/consent/ketch/?toURL=https://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html", "nr-data.net \u2022 push.apple.com", "https://twitter.com/PORNO_SEXYBABES \u2022 twitter.com", "Vtflooder-9783271-0 -> 7476476bdc93726f46f75f5bdd5ce6c619d73f7ee82b7d93ad835c993ff14661", "Win.Malware.Vtflooder-9783271-0 -> Domains Contacted twitter.com www.virustotal.com", "IP\u2019s Contacted 162.159.140.229 34.54.88.138", "IDS Detections: Win32/Vflooder.B Checkin \u2022 Generic HTTP EXE Upload Inbound \u2022 Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2 , UPX , Nrv2x , UPX_OEP_place , , UPXv20MarkusLaszloReiser", "Yara Detections: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Alerts: procmem_yara suricata_alert dynamic_function_loading network_cnc_https_generic reads_self", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name injection_rwx dead_connect exec_crash", "Sigma: Matches rule Suspicious Outbound SMTP Connections by frack113", "Suspicious DNS Query for IP Lookup Service APls by Brandon George (blog post) Thomas Patzke", "Crowdsourced IDS: ET DROP Spamhaus Listed Traffic Inbound group 60", "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip amazonaws .com)", "Matches rule ET INFO External IP Check (checkip.amazonaws.com)", "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)", "(Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)", "Matches rule SURICATA Applayer Detect protocol only one direction virustotal.com", "DESCRIPTION: Detects systembc RAT REFERENCE: https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior", "https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior", "https://docs.cursor.com/en/cli/reference/slash-commands", "https://api.cursor.com/v0/agents/", "https://grok.com/imagine/agent/d5e99582-a7e7-4138-b129-780e171ba9ac", "beacons.bcp.gvt.com \u2022 http://vtboss.yolox.net/md5.php \u2022 finanse.mf.gov.pl", "cdn10.mypornvid.fun impacted a targeted individual", "https://click.italiansexclub.fun/click/HpdeyDt6", "https://sexfortokens.com/hotmilfbitch", "Win.Malware.Gamehack-6822792-0 IDS Detections Riskware/Cheathappens Checkin (songculture attack)" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan.Systembc/yxgdgz", "display_name": "Trojan.Systembc/yxgdgz", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Malware.Vtflooder-6722904-1", "display_name": "Win.Malware.Vtflooder-6722904-1", "target": null }, { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "QNAPCrypt", "display_name": "QNAPCrypt", "target": null }, { "id": "Win.Malware.Gamehack-6822792-0", "display_name": "Win.Malware.Gamehack-6822792-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0028", "name": "Persistence", "display_name": "TA0028 - Persistence" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1468", "name": "Remotely Track Device Without Authorization", "display_name": "T1468 - Remotely Track Device Without Authorization" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1262, "FileHash-MD5": 164, "FileHash-SHA1": 207, "IPv4": 180, "URL": 1780, "domain": 370, "hostname": 708, "CVE": 3, "email": 4, "SSLCertFingerprint": 4 }, "indicator_count": 4682, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "16 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://click.italiansexclub.fun/click/HpdeyDt6", "(Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)", "cdn10.mypornvid.fun impacted a targeted individual", "FileHash-SHA256 9da8632065cc24646086ff5fb769c452f777aa6c2470a02a16d209baabd1e4b5", "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip amazonaws .com)", "blackbox21.shop", "Yara Detections: is__elf IP\u2019s", "https://api.cursor.com/v0/agents/", "Win.Malware.Gamehack-6822792-0 IDS Detections Riskware/Cheathappens Checkin (songculture attack)", "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)", "BuildID[sha1]=068f07f6460b85817e4be47c18c10d1a1fbef817, stripped", "https://grok.com/imagine/agent/d5e99582-a7e7-4138-b129-780e171ba9ac", "beacons.bcp.gvt.com \u2022 http://vtboss.yolox.net/md5.php \u2022 finanse.mf.gov.pl", "Matches rule SURICATA Applayer Detect protocol only one direction virustotal.com", "Yara Detections: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser", "FileHash-SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1", "motherlesslive.com", "nr-data.net \u2022 push.apple.com", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "alberta.ca impacts an OTX user", "Crowdsourced IDS: ET DROP Spamhaus Listed Traffic Inbound group 60", "passwordreset.gscs.ca \u2022 https://passwordreset.gscs.ca/", "Yara Detections: SUSP_Imphash_Mar23_2 , UPX , Nrv2x , UPX_OEP_place , , UPXv20MarkusLaszloReiser", "Matches rule ET INFO External IP Check (checkip.amazonaws.com)", "Names: testpaging \u2022 upof6w.exe \u2022 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt", "IP\u2019s Contacted: 212.227.17.162 77.88.44.55 142.93.142.17 104.18.14.206", "https://sexfortokens.com/hotmilfbitch", "storage/analyses/1000549/network 9da8632065cc24646086f f5 fb769c45\"", "https://stripchat.org/ \u2022 27bsmextreme.tech \u2022 35bsmextreme.tech \u2022 46bsmextreme.tech \u2022", "https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior", "Suspicious DNS Query for IP Lookup Service APls by Brandon George (blog post) Thomas Patzke", "Vtflooder-9783271-0 -> 7476476bdc93726f46f75f5bdd5ce6c619d73f7ee82b7d93ad835c993ff14661", "Win.Malware.Vtflooder-9783271-0 -> Domains Contacted twitter.com www.virustotal.com", "IDS Detections: Win32/Vflooder.B Checkin \u2022 Generic HTTP EXE Upload Inbound \u2022 Generic HTTP EXE Upload Outbound", "Go BuildID=qBC61D7N3q3H7j2Pq55o/WsPsx2ArOJ0T24axAUMZ/K6isHEI8QMyAMkIM3HH8/QQevOAoeyrO7eZGdBARa,", "https://twitter.com/PORNO_SEXYBABES \u2022 twitter.com", "? Con*-cted jp-\u0661\u0660\u0661\u0660\u0660\u0660.--- \u0644\u062d\u0645\u0627", "Sigma: Matches rule Suspicious Outbound SMTP Connections by frack113", "DESCRIPTION: Detects systembc RAT REFERENCE: https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior", "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com", "ELF - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked,", "https://www.forbes.com/consent/ketch/?toURL=https://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html", "https://docs.cursor.com/en/cli/reference/slash-commands", "https://arena.ai/apple-touch-icon-dark.png", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name injection_rwx dead_connect exec_crash", "TelfHash t135324a7149bc74b5b6a6d910b3a3b4b8a6772d6566f434f51023ad84ffc1e801ce283b", "IP\u2019s Contacted: 104.17.118.12 57.144.248.1 176.114.120.24 80.12.24.14 95.163.61.73 142.251.98.113", "IP\u2019s Contacted 162.159.140.229 34.54.88.138", "Alerts: procmem_yara suricata_alert dynamic_function_loading network_cnc_https_generic reads_self" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan.systembc/yxgdgz", "Trojan:win32/vflooder", "Win.malware.vtflooder-6722904-1", "Qnapcrypt", "Win.malware.gamehack-6822792-0", "Cve-2024-6387", "Cve-2023-22518", "Cve-2025-20393" ], "industries": [], "unique_indicators": 4688 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cambaddies.com", "whois": "http://whois.domaintools.com/cambaddies.com", "domain": "cambaddies.com", "hostname": "go.cambaddies.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "6a1fc3671bc3d0f5ce8b06e6", "name": "Grok \u2022 X \u2022 Twitter Vflooder | SystemBC | QNAPCrypt", "description": "I continue to research issues affecting iOS and other smart devices, browsers, search engines and targeted individuals.\nI will limit my comments as further evaluation is required. Twitter appears to be used as a weapon to abuse of several targeted persons and their schools or businesses. Research is required to determine how. Is Twitter / X a weapon or is it abused by threat actors. Ongoing attacks dating back at least 5 years. || \n*DESCRIPTION: Detects systembc RAT REFERENCE: https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior\n\n#malicious #spyware #twitter #x #ai_ agents #seen_before #systembc #vtflooder #qnapcrypt #cve #checkin #scripiting #injection #extraction #gobinary #operation", "modified": "2026-06-03T06:02:15.229000", "created": "2026-06-03T06:02:15.229000", "tags": [ "sysv", "buildid", "united", "windows nt", "msie", "germany as8560", "yara detections", "contacted", "z74457024643q1", "systembc", "trojan", "elf executable", "exec amd6464", "linux", "elf64 operation", "unix", "compiler", "debugging", "go binary", "injection", "header elf64", "v exec", "executable file", "advanced micro", "note", "strtab", "gmbh", "gandi sas", "group india", "private limited", "qnapcrypt", "hacktool", "chrome", "yandex", "stripchat", "amazonaws", "mal_elf_systembc", "apple ios", "ios", "apple", "telhash", "data upload", "cursor", "se data", "extraction", "n https", "data", "failed", "cve cve20246387", "log id", "gmtn", "path", "secure", "self", "samesitenone", "encrypt", "d8n timestamp", "timestamp", "organization", "false", "certificate", "search", "emails", "twitter", "twitter spyware", "twitter vtflooder", "x", "unknown aaaa", "present jun", "ip address", "belize unknown", "unknown ns", "grok x", "cursor agents", "ai", "url url", "url hostnams", "hostn url", "url data", "belize", "a domains", "moved", "alone email", "gmt server", "url analysis", "accept", "namecheap", "namecheap inc", "namesilo", "expim", "url https", "dynamicloader", "host", "ff d5", "yara rule", "ee fc", "generic http", "exe upload", "f0 ff", "eb e1", "write", "vflooder", "malware", "upload inbound", "av detections", "ids detections", "alerts", "analysis date", "checkin generic", "http exe", "upload inbound", "outbound yara", "nrv2x", "upxoepplace", "google", "adversaries", "adversarial attacks", "techniques", "create", "modify system", "process t1064", "t1543 systemd", "technir create", "full reports", "v tcp", "help", "ja3 digests", "hashes o", "et http", "get http", "post http", "dns resolutions", "cams", "adult content", "ff bb", "ff ff", "f7 b9", "c1 e8", "copy", "markus", "august", "title", "gamehack", "alberta.ca", "songculture", "lizardsquad" ], "references": [ "FileHash-SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1", "TelfHash t135324a7149bc74b5b6a6d910b3a3b4b8a6772d6566f434f51023ad84ffc1e801ce283b", "Names: testpaging \u2022 upof6w.exe \u2022 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt", "Yara Detections: is__elf IP\u2019s", "IP\u2019s Contacted: 104.17.118.12 57.144.248.1 176.114.120.24 80.12.24.14 95.163.61.73 142.251.98.113", "IP\u2019s Contacted: 212.227.17.162 77.88.44.55 142.93.142.17 104.18.14.206", "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com", "ELF - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked,", "Go BuildID=qBC61D7N3q3H7j2Pq55o/WsPsx2ArOJ0T24axAUMZ/K6isHEI8QMyAMkIM3HH8/QQevOAoeyrO7eZGdBARa,", "BuildID[sha1]=068f07f6460b85817e4be47c18c10d1a1fbef817, stripped", "motherlesslive.com", "blackbox21.shop", "passwordreset.gscs.ca \u2022 https://passwordreset.gscs.ca/", "alberta.ca impacts an OTX user", "https://stripchat.org/ \u2022 27bsmextreme.tech \u2022 35bsmextreme.tech \u2022 46bsmextreme.tech \u2022", "FileHash-SHA256 9da8632065cc24646086ff5fb769c452f777aa6c2470a02a16d209baabd1e4b5", "storage/analyses/1000549/network 9da8632065cc24646086f f5 fb769c45\"", "? Con*-cted jp-\u0661\u0660\u0661\u0660\u0660\u0660.--- \u0644\u062d\u0645\u0627", "https://arena.ai/apple-touch-icon-dark.png", "https://www.forbes.com/consent/ketch/?toURL=https://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html", "nr-data.net \u2022 push.apple.com", "https://twitter.com/PORNO_SEXYBABES \u2022 twitter.com", "Vtflooder-9783271-0 -> 7476476bdc93726f46f75f5bdd5ce6c619d73f7ee82b7d93ad835c993ff14661", "Win.Malware.Vtflooder-9783271-0 -> Domains Contacted twitter.com www.virustotal.com", "IP\u2019s Contacted 162.159.140.229 34.54.88.138", "IDS Detections: Win32/Vflooder.B Checkin \u2022 Generic HTTP EXE Upload Inbound \u2022 Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2 , UPX , Nrv2x , UPX_OEP_place , , UPXv20MarkusLaszloReiser", "Yara Detections: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Alerts: procmem_yara suricata_alert dynamic_function_loading network_cnc_https_generic reads_self", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name injection_rwx dead_connect exec_crash", "Sigma: Matches rule Suspicious Outbound SMTP Connections by frack113", "Suspicious DNS Query for IP Lookup Service APls by Brandon George (blog post) Thomas Patzke", "Crowdsourced IDS: ET DROP Spamhaus Listed Traffic Inbound group 60", "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip amazonaws .com)", "Matches rule ET INFO External IP Check (checkip.amazonaws.com)", "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)", "(Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)", "Matches rule SURICATA Applayer Detect protocol only one direction virustotal.com", "DESCRIPTION: Detects systembc RAT REFERENCE: https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior", "https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior", "https://docs.cursor.com/en/cli/reference/slash-commands", "https://api.cursor.com/v0/agents/", "https://grok.com/imagine/agent/d5e99582-a7e7-4138-b129-780e171ba9ac", "beacons.bcp.gvt.com \u2022 http://vtboss.yolox.net/md5.php \u2022 finanse.mf.gov.pl", "cdn10.mypornvid.fun impacted a targeted individual", "https://click.italiansexclub.fun/click/HpdeyDt6", "https://sexfortokens.com/hotmilfbitch", "Win.Malware.Gamehack-6822792-0 IDS Detections Riskware/Cheathappens Checkin (songculture attack)" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan.Systembc/yxgdgz", "display_name": "Trojan.Systembc/yxgdgz", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Malware.Vtflooder-6722904-1", "display_name": "Win.Malware.Vtflooder-6722904-1", "target": null }, { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "QNAPCrypt", "display_name": "QNAPCrypt", "target": null }, { "id": "Win.Malware.Gamehack-6822792-0", "display_name": "Win.Malware.Gamehack-6822792-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0028", "name": "Persistence", "display_name": "TA0028 - Persistence" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1468", "name": "Remotely Track Device Without Authorization", "display_name": "T1468 - Remotely Track Device Without Authorization" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1262, "FileHash-MD5": 164, "FileHash-SHA1": 207, "IPv4": 180, "URL": 1780, "domain": 370, "hostname": 708, "CVE": 3, "email": 4, "SSLCertFingerprint": 4 }, "indicator_count": 4682, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "16 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://go.cambaddies.com/api/goToTheTag", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://go.cambaddies.com/api/goToTheTag", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780524316.0057256 }