{ "type": "URL", "indicator": "https://google.info/url", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://google.info/url", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4136432359, "indicator": "https://google.info/url", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6940b852c28f2a2c6abb4aad", "name": "FRITZ!Box \u2026.Connecting to Apple devices", "description": "Connecting to targeted Apple\ndevices overnight. \n\nHow to connect to the FRITZ!Box, how to access all of the product's functions, and what to do with the device if you are not connected to it in your home network.", "modified": "2026-01-15T01:02:47.757000", "created": "2025-12-16T01:39:30.381000", "tags": [ "fritz", "strong", "main navigation", "deutsch", "englisch", "funktionen der", "verbindung zur", "wifi", "ip address", "box avm", "lowfi", "win32", "susp", "urls", "files", "asn as44716", "related tags", "indicator facts", "germany unknown", "a domains", "meta", "typo3", "body doctype", "kasper skaarhoj", "gmt server", "pragma", "a nxdomain", "nxdomain", "whitelisted", "present aug", "present jul", "present oct", "present jun", "united", "present sep", "present nov", "next http", "scans show", "title", "div div", "a li", "wir suchen", "li ul", "avm karriere", "dich a", "reverse dns", "berlin", "germany asn", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "none related", "passive dns", "ipv4", "url analysis", "present dec", "moved", "certificate", "vertriebs gmbh", "aaaa", "as12732 gutcon", "domain", "hostname", "verdict", "files ip", "address", "germany", "as13335", "as8220 colt", "present may", "united kingdom", "regsetvalueexa", "regdword", "regbinary", "show", "yara detections", "regsetvalueexw", "regsz", "medium", "suspicious", "delphi", "malware", "write", "as6878", "msie", "chrome", "gmt content", "germany showing", "createobject", "set http", "search", "high", "read c", "et trojan", "jfif", "ascii text", "detected", "trojan generic", "checkin", "pony downloader", "http library", "virustotal", "riskware", "mcafee", "drweb", "vipre", "trojan", "panda", "next", "unknown", "as15169 google", "status", "name servers", "record value", "emails", "error", "trojandropper", "results dec", "ddos", "worm", "mtb trojan", "mtb apr", "exev2e", "ia256", "extraction", "get http", "post http", "learn", "command", "ck id", "name tactics", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "germany germany", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "show technique", "ck matrix", "show process", "network traffic", "t1057", "t1071", "hybrid", "local", "path", "t1204 user", "defense evasion", "t1480 execution", "sha1", "sha256", "size", "script", "null", "span", "refresh", "footer", "body", "june", "general", "click", "strings", "tools", "tracker", "code", "look", "verify", "restart", "bad traffic", "et info", "tls handshake", "failure", "process details", "flag", "link", "present feb", "servers", "redacted for", "as20546 soprado", "encrypt", "mtb sep", "ransom", "next associated", "twitter", "virtool", "hostname add", "location russia", "as200350", "russia unknown", "federation flag", "ipv4 add", "asn as200350", "related", "domain add", "unknown ns", "expiration date", "http version", "windows nt", "gbot", "post method", "port", "destination", "delete", "get na", "as15169", "expiration", "url https", "no expiration", "showing", "entries", "url add", "pulse pulses", "http", "files domain", "files related", "pulses none", "unknown cname", "cname", "asn as24940", "less", "date", "pulse submit" ], "references": [ "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "Subject: DE Certificate Subject: Berlin Certificate Subject", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "http://netuser.joymeng.com/charge_apple/notify", "https://www.passcreator.com/en/apple-wallet-passes", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No", "apple-business.cancom.at", "Apple - 162.55.158.153", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#LowFi:Tool:Win32/VbsToExeV2E", "display_name": "#LowFi:Tool:Win32/VbsToExeV2E", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Androp", "display_name": "Androp", "target": null }, { "id": "Inject.BRDV", "display_name": "Inject.BRDV", "target": null }, { "id": "Win32:Androp", "display_name": "Win32:Androp", "target": null }, { "id": "Crypt2.AZDI", "display_name": "Crypt2.AZDI", "target": null }, { "id": "TEL:MSIL/DlSocConSend", "display_name": "TEL:MSIL/DlSocConSend", "target": "/malware/TEL:MSIL/DlSocConSend" }, { "id": "DDOS:Linux/Lightaidra", "display_name": "DDOS:Linux/Lightaidra", "target": "/malware/DDOS:Linux/Lightaidra" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Trojan:Win32/Salgorea.C!MTB", "display_name": "Trojan:Win32/Salgorea.C!MTB", "target": "/malware/Trojan:Win32/Salgorea.C!MTB" }, { "id": "Worm:Win32/Autorun.XFV", "display_name": "Worm:Win32/Autorun.XFV", "target": "/malware/Worm:Win32/Autorun.XFV" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "Worm:Win32/Yuner.A", "display_name": "Worm:Win32/Yuner.A", "target": "/malware/Worm:Win32/Yuner.A" }, { "id": "Win.Trojan.Zegost", "display_name": "Win.Trojan.Zegost", "target": null }, { "id": "PWS:Win32/QQpass", "display_name": "PWS:Win32/QQpass", "target": "/malware/PWS:Win32/QQpass" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win.Trojan.Generic", "display_name": "Win.Trojan.Generic", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win32/Trickler", "display_name": "Win32/Trickler", "target": null }, { "id": "Win.Malware.Hd0kzai-9985588-0", "display_name": "Win.Malware.Hd0kzai-9985588-0", "target": null }, { "id": "Trojan:Win32/Aenjaris.AL!bit", "display_name": "Trojan:Win32/Aenjaris.AL!bit", "target": "/malware/Trojan:Win32/Aenjaris.AL!bit" }, { "id": "Trojan:Win32/Agent.AG!MTB", "display_name": "Trojan:Win32/Agent.AG!MTB", "target": "/malware/Trojan:Win32/Agent.AG!MTB" }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Win.Malware.Barys-6840738-0", "display_name": "Win.Malware.Barys-6840738-0", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "wormWin32/Mofksys.RND!MTB", "display_name": "wormWin32/Mofksys.RND!MTB", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "CVE 2007695", "display_name": "CVE 2007695", "target": null } ], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 927, "hostname": 2093, "FileHash-SHA256": 1474, "URL": 5935, "FileHash-MD5": 351, "FileHash-SHA1": 252, "email": 5, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11040, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "94 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6935c92c5fc93fd873c6aa6d", "name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)", "description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727", "modified": "2026-01-06T18:04:02.620000", "created": "2025-12-07T18:36:28.055000", "tags": [ "memcommit", "read c", "t1082", "cryptexportkey", "invalid pointer", "write", "msil", "malware", "media", "autorun", "countries", "united", "america", "high defense", "evasion", "t1055", "ck technique", "technique id", "allocates", "potential code", "attempts", "threatintel", "dark web", "coinbasecartel", "ransomware", "osint", "tor", "data breach", "cinvestav", "ai generated", "ransomware leak", "page", "november", "investigacin y", "nacional", "mexican", "mexico", "present nov", "verdana", "td tr", "passive dns", "ip address", "urls", "aaaa", "present may", "present oct", "present jul", "virtool", "present sep", "present jun", "win32", "default", "unicode", "png image", "rgba", "high", "dock", "execution", "xport", "unknown", "data upload", "extraction", "will", "data", "name cloudflare", "hostmaster name", "org cloudflare", "townsend st", "city san", "us creation", "kelihos", "ipv4", "present dec", "files", "domain", "search", "hostname", "verdict", "location united", "asn as16625", "akamai", "urls show", "date checked", "url hostname", "server response", "google safe", "results nov", "present aug", "backdoor", "msie", "chrome", "trojan", "mtb aug", "worm", "cryp", "junkpoly", "twitter", "trojandropper", "title", "germany unknown", "ipv4 add", "pulse pulses", "hosting", "reverse dns", "cologne", "search engine", "gse compromised", "redacted for", "privacy admin", "privacy tech", "server", "organization", "street", "city", "stateprovince", "postal code", "country", "resolver domain", "cape sa", "virustot", "type pdf", "name", "lookups", "email abuse", "historical ssl", "certificates", "first", "graph summary", "cname", "address", "ip2location", "bogon ip", "admin", "network", "wifi password", "ssid", "demo", "details", "failed", "include review", "exclude sugges", "onlv", "x try", "find s", "typ url", "url data", "severity att", "module load", "icmp traffic", "dns query", "t1055 jseval", "windows nt", "port", "entries", "destination", "medium", "show", "pecompact", "june", "service", "next", "xserver", "encrypt", "t1129", "windows module", "dlls", "convention", "windows native" ], "references": [ "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "hallplan.vm05.iveins.de", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "Name : iveins.de Service : connect", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com", "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727" ], "public": 1, "adversary": "COINBASECARTEL", "targeted_countries": [ "United States of America", "Sweden", "Bangladesh", "Japan" ], "malware_families": [ { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "MSIL:Agent-DQ\\ [Trj]", "display_name": "MSIL:Agent-DQ\\ [Trj]", "target": null }, { "id": "VirTool:MSIL/Covent.A", "display_name": "VirTool:MSIL/Covent.A", "target": "/malware/VirTool:MSIL/Covent.A" }, { "id": "Trojan:Win32/Pynamer!rfn", "display_name": "Trojan:Win32/Pynamer!rfn", "target": "/malware/Trojan:Win32/Pynamer!rfn" }, { "id": "Win64:TrojanX", "display_name": "Win64:TrojanX", "target": null }, { "id": "VirTool:MSIL/Covent", "display_name": "VirTool:MSIL/Covent", "target": "/malware/VirTool:MSIL/Covent" }, { "id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "CVE-2025-11727", "display_name": "CVE-2025-11727", "target": null }, { "id": "Exploit:JS/CVE-2014-0322", "display_name": "Exploit:JS/CVE-2014-0322", "target": "/malware/Exploit:JS/CVE-2014-0322" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 117, "FileHash-SHA256": 1746, "URL": 5018, "hostname": 1827, "domain": 1072, "CVE": 3, "email": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9938, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dc624893ea922b898f911b", "name": "FBI? Ghe real one? Idk - Cab / Deive by compromised an iOS device", "description": "Checking a targets phone, it\u2019s seems very infected with limited results on google searches results. I clicked on an image I thought looked suspicious. Image was coded. I have no idea if this is the FBI I haven\u2019t examined or researched for vulnerabilities yet. I will break this down over time. The number is kept alive but number could not be verified , it was a different number altogether. The phone was out of service, I reached out to 911. And spoke to a person I can\u2019t verify. The service was reconnected a day later. It\u2019s a very crazy hack!", "modified": "2025-10-30T22:01:00.256000", "created": "2025-09-30T23:05:44.154000", "tags": [ "search", "google search", "in a", "relevance", "internet storm", "intranet", "part", "steps", "hyper v", "windowssystem32", "ping request", "algorithm", "ouno sni", "key usage", "google llc", "v3 serial", "number", "public key", "info", "key algorithm", "domain", "subject key", "identifier", "net173", "net1730000", "gogl", "orgid", "gogl address", "city", "mountain view", "stateprov", "postalcode", "registrar", "ip address", "http", "port", "accept", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "found", "united", "ascii text", "pattern match", "mitre att", "title", "hybrid", "general", "path", "click", "strings", "body", "initial access", "local", "passive dns", "urls", "url add", "related nids", "files location", "flag united", "backdoor", "status", "aaaa", "date", "name servers", "record value", "emails", "present aug", "present sep", "moved", "error", "antivm", "drive by", "cab by" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 544, "FileHash-SHA256": 2300, "URL": 3905, "hostname": 1675, "FileHash-MD5": 209, "FileHash-SHA1": 210, "CIDR": 1, "email": 7, "SSLCertFingerprint": 8, "CVE": 2 }, "indicator_count": 8861, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys", "Subject: DE Certificate Subject: Berlin Certificate Subject", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "https://www.passcreator.com/en/apple-wallet-passes", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "Apple - 162.55.158.153", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "apple-business.cancom.at", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "hallplan.vm05.iveins.de", "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "http://netuser.joymeng.com/charge_apple/notify", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "Name : iveins.de Service : connect", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "COINBASECARTEL" ], "malware_families": [ "#lowfi:hstr:msil/obfuscator.deepsea", "Tofsee", "Wormwin32/mofksys.rnd!mtb", "Trojan:win32/pynamer!rfn", "Cve 2007695", "Win32/trickler", "Et", "Trojan:win32/blihan.a", "Androp", "Win.malware.barys-6840738-0", "Trojan:win32/qqpass", "Trojan:win32/eyestye.t", "Win64:trojanx", "Inject.brdv", "Crypt2.azdi", "Ddos:linux/lightaidra", "#lowfi:tool:win32/vbstoexev2e", "Trojan:win32/glupteba.mt!mtb", "Win.trojan.zegost", "Trojandropper:win32/vb.il", "Trojan:win32/agent.ag!mtb", "Trojandropper:win32/muldrop.v!mtb", "Worm:win32/yuner.a", "Trojan:win32/aenjaris.al!bit", "Trojan:win32/salgorea.c!mtb", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Virtool:msil/covent.a", "Kelihos", "Cve-2025-11727", "Tel:msil/dlsocconsend", "Virtool:msil/covent", "Win.malware.hd0kzai-9985588-0", "Msil:agent-dq\\ [trj]", "Trojan:win32/salgorea", "Exploit:js/cve-2014-0322", "Worm:win32/autorun.xfv", "Trojan:win32/tiggre!rfn", "Win32:androp", "Unruy", "Pws:win32/qqpass", "Win32:malware", "Win.trojan.generic" ], "industries": [ "Education" ], "unique_indicators": 29538 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/google.info", "whois": "http://whois.domaintools.com/google.info", "domain": "google.info", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6940b852c28f2a2c6abb4aad", "name": "FRITZ!Box \u2026.Connecting to Apple devices", "description": "Connecting to targeted Apple\ndevices overnight. \n\nHow to connect to the FRITZ!Box, how to access all of the product's functions, and what to do with the device if you are not connected to it in your home network.", "modified": "2026-01-15T01:02:47.757000", "created": "2025-12-16T01:39:30.381000", "tags": [ "fritz", "strong", "main navigation", "deutsch", "englisch", "funktionen der", "verbindung zur", "wifi", "ip address", "box avm", "lowfi", "win32", "susp", "urls", "files", "asn as44716", "related tags", "indicator facts", "germany unknown", "a domains", "meta", "typo3", "body doctype", "kasper skaarhoj", "gmt server", "pragma", "a nxdomain", "nxdomain", "whitelisted", "present aug", "present jul", "present oct", "present jun", "united", "present sep", "present nov", "next http", "scans show", "title", "div div", "a li", "wir suchen", "li ul", "avm karriere", "dich a", "reverse dns", "berlin", "germany asn", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "none related", "passive dns", "ipv4", "url analysis", "present dec", "moved", "certificate", "vertriebs gmbh", "aaaa", "as12732 gutcon", "domain", "hostname", "verdict", "files ip", "address", "germany", "as13335", "as8220 colt", "present may", "united kingdom", "regsetvalueexa", "regdword", "regbinary", "show", "yara detections", "regsetvalueexw", "regsz", "medium", "suspicious", "delphi", "malware", "write", "as6878", "msie", "chrome", "gmt content", "germany showing", "createobject", "set http", "search", "high", "read c", "et trojan", "jfif", "ascii text", "detected", "trojan generic", "checkin", "pony downloader", "http library", "virustotal", "riskware", "mcafee", "drweb", "vipre", "trojan", "panda", "next", "unknown", "as15169 google", "status", "name servers", "record value", "emails", "error", "trojandropper", "results dec", "ddos", "worm", "mtb trojan", "mtb apr", "exev2e", "ia256", "extraction", "get http", "post http", "learn", "command", "ck id", "name tactics", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "germany germany", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "show technique", "ck matrix", "show process", "network traffic", "t1057", "t1071", "hybrid", "local", "path", "t1204 user", "defense evasion", "t1480 execution", "sha1", "sha256", "size", "script", "null", "span", "refresh", "footer", "body", "june", "general", "click", "strings", "tools", "tracker", "code", "look", "verify", "restart", "bad traffic", "et info", "tls handshake", "failure", "process details", "flag", "link", "present feb", "servers", "redacted for", "as20546 soprado", "encrypt", "mtb sep", "ransom", "next associated", "twitter", "virtool", "hostname add", "location russia", "as200350", "russia unknown", "federation flag", "ipv4 add", "asn as200350", "related", "domain add", "unknown ns", "expiration date", "http version", "windows nt", "gbot", "post method", "port", "destination", "delete", "get na", "as15169", "expiration", "url https", "no expiration", "showing", "entries", "url add", "pulse pulses", "http", "files domain", "files related", "pulses none", "unknown cname", "cname", "asn as24940", "less", "date", "pulse submit" ], "references": [ "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "Subject: DE Certificate Subject: Berlin Certificate Subject", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "http://netuser.joymeng.com/charge_apple/notify", "https://www.passcreator.com/en/apple-wallet-passes", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No", "apple-business.cancom.at", "Apple - 162.55.158.153", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#LowFi:Tool:Win32/VbsToExeV2E", "display_name": "#LowFi:Tool:Win32/VbsToExeV2E", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Androp", "display_name": "Androp", "target": null }, { "id": "Inject.BRDV", "display_name": "Inject.BRDV", "target": null }, { "id": "Win32:Androp", "display_name": "Win32:Androp", "target": null }, { "id": "Crypt2.AZDI", "display_name": "Crypt2.AZDI", "target": null }, { "id": "TEL:MSIL/DlSocConSend", "display_name": "TEL:MSIL/DlSocConSend", "target": "/malware/TEL:MSIL/DlSocConSend" }, { "id": "DDOS:Linux/Lightaidra", "display_name": "DDOS:Linux/Lightaidra", "target": "/malware/DDOS:Linux/Lightaidra" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Trojan:Win32/Salgorea.C!MTB", "display_name": "Trojan:Win32/Salgorea.C!MTB", "target": "/malware/Trojan:Win32/Salgorea.C!MTB" }, { "id": "Worm:Win32/Autorun.XFV", "display_name": "Worm:Win32/Autorun.XFV", "target": "/malware/Worm:Win32/Autorun.XFV" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "Worm:Win32/Yuner.A", "display_name": "Worm:Win32/Yuner.A", "target": "/malware/Worm:Win32/Yuner.A" }, { "id": "Win.Trojan.Zegost", "display_name": "Win.Trojan.Zegost", "target": null }, { "id": "PWS:Win32/QQpass", "display_name": "PWS:Win32/QQpass", "target": "/malware/PWS:Win32/QQpass" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win.Trojan.Generic", "display_name": "Win.Trojan.Generic", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win32/Trickler", "display_name": "Win32/Trickler", "target": null }, { "id": "Win.Malware.Hd0kzai-9985588-0", "display_name": "Win.Malware.Hd0kzai-9985588-0", "target": null }, { "id": "Trojan:Win32/Aenjaris.AL!bit", "display_name": "Trojan:Win32/Aenjaris.AL!bit", "target": "/malware/Trojan:Win32/Aenjaris.AL!bit" }, { "id": "Trojan:Win32/Agent.AG!MTB", "display_name": "Trojan:Win32/Agent.AG!MTB", "target": "/malware/Trojan:Win32/Agent.AG!MTB" }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Win.Malware.Barys-6840738-0", "display_name": "Win.Malware.Barys-6840738-0", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "wormWin32/Mofksys.RND!MTB", "display_name": "wormWin32/Mofksys.RND!MTB", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "CVE 2007695", "display_name": "CVE 2007695", "target": null } ], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 927, "hostname": 2093, "FileHash-SHA256": 1474, "URL": 5935, "FileHash-MD5": 351, "FileHash-SHA1": 252, "email": 5, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11040, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "94 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6935c92c5fc93fd873c6aa6d", "name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)", "description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727", "modified": "2026-01-06T18:04:02.620000", "created": "2025-12-07T18:36:28.055000", "tags": [ "memcommit", "read c", "t1082", "cryptexportkey", "invalid pointer", "write", "msil", "malware", "media", "autorun", "countries", "united", "america", "high defense", "evasion", "t1055", "ck technique", "technique id", "allocates", "potential code", "attempts", "threatintel", "dark web", "coinbasecartel", "ransomware", "osint", "tor", "data breach", "cinvestav", "ai generated", "ransomware leak", "page", "november", "investigacin y", "nacional", "mexican", "mexico", "present nov", "verdana", "td tr", "passive dns", "ip address", "urls", "aaaa", "present may", "present oct", "present jul", "virtool", "present sep", "present jun", "win32", "default", "unicode", "png image", "rgba", "high", "dock", "execution", "xport", "unknown", "data upload", "extraction", "will", "data", "name cloudflare", "hostmaster name", "org cloudflare", "townsend st", "city san", "us creation", "kelihos", "ipv4", "present dec", "files", "domain", "search", "hostname", "verdict", "location united", "asn as16625", "akamai", "urls show", "date checked", "url hostname", "server response", "google safe", "results nov", "present aug", "backdoor", "msie", "chrome", "trojan", "mtb aug", "worm", "cryp", "junkpoly", "twitter", "trojandropper", "title", "germany unknown", "ipv4 add", "pulse pulses", "hosting", "reverse dns", "cologne", "search engine", "gse compromised", "redacted for", "privacy admin", "privacy tech", "server", "organization", "street", "city", "stateprovince", "postal code", "country", "resolver domain", "cape sa", "virustot", "type pdf", "name", "lookups", "email abuse", "historical ssl", "certificates", "first", "graph summary", "cname", "address", "ip2location", "bogon ip", "admin", "network", "wifi password", "ssid", "demo", "details", "failed", "include review", "exclude sugges", "onlv", "x try", "find s", "typ url", "url data", "severity att", "module load", "icmp traffic", "dns query", "t1055 jseval", "windows nt", "port", "entries", "destination", "medium", "show", "pecompact", "june", "service", "next", "xserver", "encrypt", "t1129", "windows module", "dlls", "convention", "windows native" ], "references": [ "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "hallplan.vm05.iveins.de", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "Name : iveins.de Service : connect", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com", "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727" ], "public": 1, "adversary": "COINBASECARTEL", "targeted_countries": [ "United States of America", "Sweden", "Bangladesh", "Japan" ], "malware_families": [ { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "MSIL:Agent-DQ\\ [Trj]", "display_name": "MSIL:Agent-DQ\\ [Trj]", "target": null }, { "id": "VirTool:MSIL/Covent.A", "display_name": "VirTool:MSIL/Covent.A", "target": "/malware/VirTool:MSIL/Covent.A" }, { "id": "Trojan:Win32/Pynamer!rfn", "display_name": "Trojan:Win32/Pynamer!rfn", "target": "/malware/Trojan:Win32/Pynamer!rfn" }, { "id": "Win64:TrojanX", "display_name": "Win64:TrojanX", "target": null }, { "id": "VirTool:MSIL/Covent", "display_name": "VirTool:MSIL/Covent", "target": "/malware/VirTool:MSIL/Covent" }, { "id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "CVE-2025-11727", "display_name": "CVE-2025-11727", "target": null }, { "id": "Exploit:JS/CVE-2014-0322", "display_name": "Exploit:JS/CVE-2014-0322", "target": "/malware/Exploit:JS/CVE-2014-0322" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 117, "FileHash-SHA256": 1746, "URL": 5018, "hostname": 1827, "domain": 1072, "CVE": 3, "email": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9938, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dc624893ea922b898f911b", "name": "FBI? Ghe real one? Idk - Cab / Deive by compromised an iOS device", "description": "Checking a targets phone, it\u2019s seems very infected with limited results on google searches results. I clicked on an image I thought looked suspicious. Image was coded. I have no idea if this is the FBI I haven\u2019t examined or researched for vulnerabilities yet. I will break this down over time. The number is kept alive but number could not be verified , it was a different number altogether. The phone was out of service, I reached out to 911. And spoke to a person I can\u2019t verify. The service was reconnected a day later. It\u2019s a very crazy hack!", "modified": "2025-10-30T22:01:00.256000", "created": "2025-09-30T23:05:44.154000", "tags": [ "search", "google search", "in a", "relevance", "internet storm", "intranet", "part", "steps", "hyper v", "windowssystem32", "ping request", "algorithm", "ouno sni", "key usage", "google llc", "v3 serial", "number", "public key", "info", "key algorithm", "domain", "subject key", "identifier", "net173", "net1730000", "gogl", "orgid", "gogl address", "city", "mountain view", "stateprov", "postalcode", "registrar", "ip address", "http", "port", "accept", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "found", "united", "ascii text", "pattern match", "mitre att", "title", "hybrid", "general", "path", "click", "strings", "body", "initial access", "local", "passive dns", "urls", "url add", "related nids", "files location", "flag united", "backdoor", "status", "aaaa", "date", "name servers", "record value", "emails", "present aug", "present sep", "moved", "error", "antivm", "drive by", "cab by" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 544, "FileHash-SHA256": 2300, "URL": 3905, "hostname": 1675, "FileHash-MD5": 209, "FileHash-SHA1": 210, "CIDR": 1, "email": 7, "SSLCertFingerprint": 8, "CVE": 2 }, "indicator_count": 8861, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://google.info/url", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://google.info/url", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776611328.5643904 }