{ "type": "URL", "indicator": "https://hallrender.com/resources/blog/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://hallrender.com/resources/blog/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4094306986, "indicator": "https://hallrender.com/resources/blog/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "69bea5d2987c3d14aeb2b0c9", "name": "Delete service Deleted over 1200 Brian Sabeys Porn Revenge Campaign \u2022 LevelBlue? Dopple AI | Poem Hunter: Poems ", "description": "", "modified": "2026-03-21T14:06:10.007000", "created": "2026-03-21T14:06:10.007000", "tags": [ "active related", "search filter", "time tsara", "x show", "cidr", "email", "learn more", "information", "t1027", "t1036", "t1057", "discovery", "t1059", "t1071", "title added", "poem", "the day", "wild eyesand", "unknown power", "shakespeare", "repeats", "ere man", "dowell oreilly", "read poem", "snit", "website", "loading", "rl https", "y0 nov", "vj96", "uyebaaeabaaaaac", "jid442122029", "active", "url http", "url https", "types", "indicators show", "type indicator", "added active", "tbmvid", "sourcelnms", "zx1724209326040", "read c", "module load", "showing", "delphi", "delete", "rgba", "unicode", "malware", "write", "win32", "execution", "next", "extraction", "data upload", "extre", "include data", "sc type", "url tot", "role title", "tsara brashears", "live sex", "porn video", "levelblue", "porn", "pornhub", "porn videos", "watch tsara", "most relevant", "q estimation", "green", "tsara", "online chat", "spicychat ai", "visa", "sex chat", "miss stella", "january", "philadelphia", "dopple ai", "b1 dec", "videos", "red porn", "free porn", "sunny leone", "hardcore porn", "jeffrey reimer", "puts", "love", "super", "download", "top tsara", "google search", "la iniciacin", "xxx hd", "bdsm scene", "nsfw experience", "ck ids", "open threat", "filepath https", "foundry", "palantir", "brian sabey", "yas", "tiny penis", "slander", "indicator role", "pulses url", "search" ], "references": [ "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "free NSFW experience offered by Dopple AI.MALWARE", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Snit", "display_name": "Snit", "target": null }, { "id": "Dopple AI", "display_name": "Dopple AI", "target": null }, { "id": "Y.A.S:1Byte/TinyRod", "display_name": "Y.A.S:1Byte/TinyRod", "target": "/malware/Y.A.S:1Byte/TinyRod" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "green", "cloned_from": "691ead29f61101bfa3700998", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2497, "hostname": 742, "FileHash-SHA256": 523, "domain": 223, "FileHash-MD5": 85, "FileHash-SHA1": 56, "email": 4 }, "indicator_count": 4130, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691ead29f61101bfa3700998", "name": "Dopple AI | Poem Hunter: Poems - Poets - Poetry", "description": "Online terms that sexulize SA victim : Tsara brashears slander red porn videos ,\nHardcore porn, is pornography that features detailed depictions of sexual organs or sexual acts such as vaginal, anal or oral intercourse, fingering, brashears , Red Porn Videos , Tsara brashears slandered red porn\nyoujizz sex\n, Tsara brashears submission on august 27 via manual free , College fuck fest Super japanese hd compilation , \none kinky student fucks tsara brashears porn xxx porn , the best internet porn site\n, tsara brashears slandered, porn video uploaded to hardcore ,\nxxxxxxxxxx sex videos\nsearch , xxxxxxxxxx hd porn. tsara brashears\u09ac\u09b2\u09a6\u09b6\u09b0 \u09a8\u09a4\u09a8 \u09ad\u09acfrench retro gangbang in the hotel room, You will Tsara brashears porn ,\nChunky babe loves to be on top Hot Milf , xxx Movies, updates hourly.\n tsara brashears slandered,\nfrench retro gangbang in the hotel room , free porn videos. You will Tsara brashears porn jeffrey reimer puts his love on top tsara brashears brother", "modified": "2025-12-20T03:00:41.407000", "created": "2025-11-20T05:54:49.968000", "tags": [ "active related", "search filter", "time tsara", "x show", "cidr", "email", "learn more", "information", "t1027", "t1036", "t1057", "discovery", "t1059", "t1071", "title added", "poem", "the day", "wild eyesand", "unknown power", "shakespeare", "repeats", "ere man", "dowell oreilly", "read poem", "snit", "website", "loading", "rl https", "y0 nov", "vj96", "uyebaaeabaaaaac", "jid442122029", "active", "url http", "url https", "types", "indicators show", "type indicator", "added active", "tbmvid", "sourcelnms", "zx1724209326040", "read c", "module load", "showing", "delphi", "delete", "rgba", "unicode", "malware", "write", "win32", "execution", "next", "extraction", "data upload", "extre", "include data", "sc type", "url tot", "role title", "tsara brashears", "live sex", "porn video", "levelblue", "porn", "pornhub", "porn videos", "watch tsara", "most relevant", "q estimation", "green", "tsara", "online chat", "spicychat ai", "visa", "sex chat", "miss stella", "january", "philadelphia", "dopple ai", "b1 dec", "videos", "red porn", "free porn", "sunny leone", "hardcore porn", "jeffrey reimer", "puts", "love", "super", "download", "top tsara", "google search", "la iniciacin", "xxx hd", "bdsm scene", "nsfw experience", "ck ids", "open threat", "filepath https", "foundry", "palantir", "brian sabey", "yas", "tiny penis", "slander", "indicator role", "pulses url", "search" ], "references": [ "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "free NSFW experience offered by Dopple AI.MALWARE", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Snit", "display_name": "Snit", "target": null }, { "id": "Dopple AI", "display_name": "Dopple AI", "target": null }, { "id": "Y.A.S:1Byte/TinyRod", "display_name": "Y.A.S:1Byte/TinyRod", "target": "/malware/Y.A.S:1Byte/TinyRod" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2497, "hostname": 742, "FileHash-SHA256": 523, "domain": 223, "FileHash-MD5": 85, "FileHash-SHA1": 56, "email": 4 }, "indicator_count": 4130, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691e2279ac1ef8b9dbfbc2b3", "name": "Mirai \u2022 Neurotox Institute", "description": "Found in peripheral. Lazarus. Related tomOperation Endgame. Strangely related to the entertainment industry. \nRelated to treatments facilities where a target I\u2019ve been researching received \u2018care\u2019. Also links to Major Entertainment conglomerate : not surprisingly Hall Render and Foundry.\nPage was stated to expire 11/21 | expired after I was able to capture a live screenshot (not updated for years) \n\n[The Neurotoxin Institute (NTI) is a multidisciplinary organization created to serve as a comprehensive independent source of information related to the basic science and the clinical applications of neurotoxins. The Institute fosters the learning and teaching of both theory and practical techniques, and encourages further research in support of these goals.\nExperimental Biology (EB)\nwww.aapmr.org]", "modified": "2025-12-19T19:00:18.927000", "created": "2025-11-19T20:03:05.195000", "tags": [ "united", "link", "virtool", "meta", "atom", "pragma", "dynamicloader", "msie", "windows nt", "tls handshake", "failure", "tlsv1", "forbidden", "ogoogle trust", "encrypt", "possible", "write", "malware", "consumed", "netherlands", "united kingdom", "read c", "sality", "delphi", "win32", "strings", "xserver", "post http", "post method", "cryptexportkey", "ocloudflare", "cryptgenkey", "calgrc4", "persistence", "execution", "div div", "script script", "span a", "a li", "unknown ns", "span", "april", "passive dns", "hosting", "reverse dns", "hostname add", "files ip", "asn as32475", "address domain", "mirai", "united states", "facebook", "twitter", "youtube", "ck ids", "mh may", "t1204 technique", "user execution", "suggested", "port", "destination", "telnet login", "high", "tcp syn", "infectednight", "resolverror", "suspicious path", "ids detections", "yara detections", "sinkhole cookie", "file score", "detections sf", "value snkz", "forbidden tls", "et trojan", "value", "et info", "et", "present oct", "domain", "title", "present sep", "moved", "server", "next associated", "ipv4 add", "urls", "files", "trojan", "cookie", "predict70 sep", "next http", "scans record", "forbidden date", "gmt content", "type", "unix", "namecheap url", "forward elf", "md5 add", "less see", "contacted", "pulse pulses", "av detections", "analysis date", "virus", "ee fc", "unknown", "yara rule", "ff d5", "search", "show", "suspicious", "fbq object", "ide value", "source level", "url text", "line", "allow attribute", "mootools", "class function", "chain", "options", "elements", "garbage", "drag", "xhr function", "ajax", "itemid14", "kb image", "kb script", "b image", "b stylesheet", "b script", "kb stylesheet", "stylesheet", "redirect chain", "path size", "type mimetype", "resource", "general full", "montreal", "canada", "asn16276", "debian", "url http", "hash", "main", "cookie object", "dns any", "date", "entries", "url https", "Foundry", "Lazarus", "Endgame", "Neurotoxin Institute", "Hall Render", "Brian Sabey", "UC Health", "Britney Spears Official" ], "references": [ "https://www.neurotoxininstitute.com/", "Backdoor.Win32.Pushdo.s Checkin", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Possible Compromised Host AnubisNetworks", "IDS Detections: Sinkhole Cookie Value Snkz 403 Forbidden TLS Handshake Failure", "IDS Detections: ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole", "IDS Detections: Cookie Value btst ET INFO Namecheap URL Forward", "IDS Detections : SUSPICIOUS Path to BusyBox root login TELNET login failed", "http://appelfarm.org", "IDS Signatures : root login 175.203.174.23 \u2022 192.168.122.52", "IDS Signatures :TELNET login failed\t77.66.206.206 \u2022 192.168.122.52", "IDS Signatures : SUSPICIOUS Path to BusyBox\t192.168.122.52\t\u2022 77.66.206.206", "Interesting Strings : 13.79.87.163", "https://urlscan.io/screenshots/32b0614f-1148-49ea-aed4-4f23afd33e56.png", "https://otx.alienvault.com/pulse/68d0f099f60e98e6c4ffc1e5", "https://otx.alienvault.com/pulse/68b5e672f492fdc96cf997aa", "https://otx.alienvault.com/pulse/68d12dd7e357755235f007e8", "https://britneyspears.com/", "hallrender.com \u2022 https://hallrender.com/resources/blog/ \u2022 https://urlmail.hallrender.com \u2022 https://urlwww.hallrender.com", "https://citrix.hallrender.com/vpn/install/ \u2022 https://citrix.hallrender.com/vpn/install/mac.htm \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "http://hallrender.com/attorney/brian-sabey \u2022 http://hallrender.com/attorney/brian-sabey/", "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://elite.hallrender.com \u2022 https://hallrender.com/attorney/gregg-m-wallander/", "brian-sabey-anyxxxtube.net \u2022 hallrender.com", "dev.hallrender.com \u2022 elite.hallrender.com \u2022 image.marketing.hallrender.com", "Now https://urlscan.io/liveshot/?width=1600&height=1200&url=http%3A%2F%2Fwww.neurotoxininstitute.com%2Findex.php%3Foption%5C%3Dcom_content%26view%5C%3Darticle%26id%5C%3D70%26Itemid%5C%3D14", "feastfoundry.com\t\u2022 https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "United States of America", "Japan", "France", "Germany", "Canada", "Netherlands", "United Kingdom of Great Britain and Northern Ireland", "New Zealand", "Italy", "Aruba", "Poland", "Singapore", "T\u00fcrkiye", "Indonesia", "Spain", "Hong Kong" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Netherlands", "display_name": "Netherlands", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Virus:Win32/Krepper.30760", "display_name": "Virus:Win32/Krepper.30760", "target": "/malware/Virus:Win32/Krepper.30760" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai.A!rf", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai.A!rf", "target": null }, { "id": "Suggested", "display_name": "Suggested", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "ALF:RPF:PEATTR_SIGATTR:PREDICT:70", "display_name": "ALF:RPF:PEATTR_SIGATTR:PREDICT:70", "target": null }, { "id": "Win32:Zbot-RUV", "display_name": "Win32:Zbot-RUV", "target": null }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Kryptik", "display_name": "Win32:Kryptik", "target": null }, { "id": "Trojan:Win32/Bulta", "display_name": "Trojan:Win32/Bulta", "target": "/malware/Trojan:Win32/Bulta" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 511, "hostname": 198, "domain": 471, "FileHash-SHA256": 1442, "FileHash-MD5": 183, "FileHash-SHA1": 79, "email": 5, "SSLCertFingerprint": 63 }, "indicator_count": 2952, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "121 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fd0cc422cea2fd989581fd", "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)", "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.", "modified": "2025-11-24T17:02:12.441000", "created": "2025-10-25T17:45:40.291000", "tags": [ "ipv4", "levelblue", "open threat", "date sat", "connection", "etag w", "cloudfront", "sameorigin age", "vary", "ip address", "kb body", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "exchange og", "levelblue open", "threat exchange", "exchange", "google tag", "iocs", "search otx", "included iocs", "review iocs", "data upload", "extraction", "layer protocol", "v full", "reports v", "port t1571", "t1573", "oc0006 http", "c0014", "get http", "dns resolutions", "user", "data", "datacrashpad", "edge", "tag manager", "us er", "help files", "shell", "html", "cve202323397", "iframe tags", "community score", "url http", "url https", "united", "united kingdom", "netherlands", "search", "type indicator", "role title", "added active", "related pulses", "indicator role", "title added", "active related", "otc oct", "report spam", "week ago", "scan", "learn more", "filehashmd5", "filehashsha1", "domain", "australia", "does", "josh", "created", "filehashsha256", "present jul", "present oct", "date", "a domains", "script urls", "for privacy", "moved", "script domains", "meta", "title", "body", "pragma", "encrypt", "ck ids", "t1060", "run keys", "startup", "folder", "t1027", "files", "information", "t1055", "injection", "capture", "south korea", "malaysia", "pulses", "fatal error", "hacker known", "name", "unknown", "risk", "weeks ago", "scary", "sova", "colorado", "wire", "name unknown", "thursday", "denver", "types of", "indicators hong", "kong", "tsara brashears", "african", "ethiopia", "b8reactjs", "india", "america", "x ua", "hostname", "dicator role", "pulses url", "airplane", "icator role", "t1432", "access contact", "list", "t1525", "image", "security scan", "heuristic oct", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1114", "t1480", "internal image", "brian sabey", "month ago", "modified", "days ago", "green well", "sabey stash", "service", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sova", "display_name": "Sova", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 956, "FileHash-SHA1": 906, "FileHash-SHA256": 2651, "URL": 4450, "domain": 708, "hostname": 2403, "CVE": 1, "email": 5 }, "indicator_count": 12080, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d332d77a7eedf3ad71c406", "name": "Denizbankk.net \u2022 LevelBlue - Open Threat Exchange", "description": "Denizbankk.net \u2022 Debian.org \u2022 hallrender.com \u2022 alienvault.com \u2022 hopto.org \u2022 striven.com| ? | This is concerning. It\u2019s not like intended to find what I have found but I am disappointed. The few people on the platform who do their own research eventually leave with a large amount of reposters. Related to haallrendee, brian sabey and each link listed. Stange happenings this weak. [otx auto populated- Google Safe Browsing, Denizbankk.net, has been used by the Russian government to create a secure web address that can be accessed only if the user has the correct address.{", "modified": "2025-10-23T23:03:23.167000", "created": "2025-09-23T23:52:55.453000", "tags": [ "log id", "gmtn", "tls web", "zerossl", "zerossl rsa", "domain secure", "site ca", "fa c7", "ocsp", "a167", "code", "keepalive", "false", "record type", "ttl a", "value", "o jarm", "fingerprint", "file format", "relevance", "united", "tempe", "arizona create", "domain", "expiry date", "name", "query time", "technical city", "tempe technical", "technical state", "rdap database", "handle", "iana registrar", "links", "algorithm", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl rsa", "validity", "server", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "registrar whois", "date", "available from", "country", "proxy", "postal code", "city", "admin city", "tempe admin", "filehashmd5", "url https", "filehashsha1", "url http", "type indicator", "role title", "added active", "related pulses", "filehashsha256", "showing", "germany unknown", "passive dns", "entries", "a domains", "body doctype", "content type", "gmt server", "ipv4 add", "pulse submit", "url analysis", "main", "apache", "accept", "title", "present dec", "present jun", "present nov", "aaaa", "present feb", "present sep", "search", "canada", "encrypt", "devam", "ad soyad", "mteri numaras", "gvenlik iin", "gizli soru", "gvenlik sorusu", "cevab", "ltfen bir", "present may", "moved", "present oct", "ip address", "gandi sas", "body", "backdoor", "next associated", "trojandropper", "fastly error", "please", "sea p", "twitter", "win32", "creation date", "name servers", "hostname add", "pulse pulses", "urls", "record value", "japan", "germany", "ipv4", "countries", "america", "netherlands", "italy", "brian sabey", "report spam", "tsara brashears", "created", "days ago", "green well", "sabey stash", "service", "hours ago", "malicious", "forbidden", "actionlistccc", "malware family", "mufanom att", "capture", "ck ids", "checkin", "t1036", "t1055", "injection", "t1056" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 617, "URL": 2495, "hostname": 1698, "FileHash-MD5": 275, "FileHash-SHA1": 265, "FileHash-SHA256": 1241, "SSLCertFingerprint": 2, "email": 4 }, "indicator_count": 6597, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "177 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d3368ae75cccf736a55441", "name": "ET TROJAN Hiloti/Mufanom Downloader Checkin | Denizbankk.net", "description": "", "modified": "2025-10-23T23:03:23.167000", "created": "2025-09-24T00:08:42.048000", "tags": [ "log id", "gmtn", "tls web", "zerossl", "zerossl rsa", "domain secure", "site ca", "fa c7", "ocsp", "a167", "code", "keepalive", "false", "record type", "ttl a", "value", "o jarm", "fingerprint", "file format", "relevance", "united", "tempe", "arizona create", "domain", "expiry date", "name", "query time", "technical city", "tempe technical", "technical state", "rdap database", "handle", "iana registrar", "links", "algorithm", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl rsa", "validity", "server", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "registrar whois", "date", "available from", "country", "proxy", "postal code", "city", "admin city", "tempe admin", "filehashmd5", "url https", "filehashsha1", "url http", "type indicator", "role title", "added active", "related pulses", "filehashsha256", "showing", "germany unknown", "passive dns", "entries", "a domains", "body doctype", "content type", "gmt server", "ipv4 add", "pulse submit", "url analysis", "main", "apache", "accept", "title", "present dec", "present jun", "present nov", "aaaa", "present feb", "present sep", "search", "canada", "encrypt", "devam", "ad soyad", "mteri numaras", "gvenlik iin", "gizli soru", "gvenlik sorusu", "cevab", "ltfen bir", "present may", "moved", "present oct", "ip address", "gandi sas", "body", "backdoor", "next associated", "trojandropper", "fastly error", "please", "sea p", "twitter", "win32", "creation date", "name servers", "hostname add", "pulse pulses", "urls", "record value", "japan", "germany", "ipv4", "countries", "america", "netherlands", "italy", "brian sabey", "report spam", "tsara brashears", "created", "days ago", "green well", "sabey stash", "service", "hours ago", "malicious", "forbidden", "actionlistccc", "malware family", "mufanom att", "capture", "ck ids", "checkin", "t1036", "t1055", "injection", "t1056" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": "68d332d77a7eedf3ad71c406", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 617, "URL": 2495, "hostname": 1698, "FileHash-MD5": 275, "FileHash-SHA1": 265, "FileHash-SHA256": 1241, "SSLCertFingerprint": 2, "email": 4 }, "indicator_count": 6597, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "177 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d0f099f60e98e6c4ffc1e5", "name": "Elaborate Medical Insurance Scheme | Claims Reversal", "description": "Boring? Maybe but, victim of crime became a target of an elaborate , phishing, social engineering , hacking, theft, reputation, stalking, & physical assault scheme. A man using name Brian Sabey , Esq continues an international porn campaign. Today I\u2019m shocked by his false Medicare insurance scam denying targets claims & treatment since 2017. This information was retrieved by me via research due to unpaid medical bills Team 8 has uncovered multiple large scale breaches with information mailed , texted or sent to targets. \n We are all researchers with a combined 30 years of award winning researchers focuses in various areas. We are doing this unpaid , considering the circumstances. We are not related to the victim. \n\nAll claims of any abuses have been substantiated claims.\n\n#trulymissed #rip #briansabey #hallrender #jeffreyscottreimer #formbook_cnc #panda_cnc_checkin #claimreversalscam", "modified": "2025-10-22T05:00:52.085000", "created": "2025-09-22T06:45:45.714000", "tags": [ "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "date", "encrypt", "united", "backdoor", "entries", "passive dns", "hstr", "checkin", "next associated", "lowfi", "trojan", "ipv4 add", "twitter", "trojandropper", "ransom", "body", "url https", "type indicator", "role title", "added active", "related pulses", "url http", "ck ids", "t1036", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob", "yara", "report spam", "otx generated", "created", "hours ago", "otx auto", "new york", "tsara brashears", "search", "filehashsha1", "filehashmd5", "domain", "hostname", "virgin islands", "canada", "ireland", "pes of", "expiration", "hall render", "possible deep", "https", "panda", "post", "insane", "law firm", "virtool", "service", "iocs", "learn more", "et trojan", "msie", "windows nt", "show", "unknown", "france as16276", "united kingdom", "possible", "write", "win32", "malware", "copy", "next", "et", "returnurl" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Netherlands", "Italy", "Aruba", "Germany", "Ireland", "Spain", "Poland", "Canada", "T\u00fcrkiye", "Romania", "Sweden", "Australia", "Singapore", "Denmark" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2905, "URL": 5029, "hostname": 1146, "FileHash-SHA256": 935, "FileHash-MD5": 102, "FileHash-SHA1": 100, "email": 3 }, "indicator_count": 10220, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d0d26cf2038b0019bbb331", "name": "Tsara Brashears still has cyber stalkers Brian Sabey", "description": "Well, well, well is this a twisted love you to a gruesome death love note? \nwww.oneyoulovefranchise.com - Brian Sabey stash.\n\nOTX being attacked by a \u2018delete\u2019 service again. \n(OTX auto populated: The full text of Brian Whaley's entry into the search for the British Virgin Islands (1) has been published on the website of the law firm, Law Firm, at the age of 26.) Alleged American Brian Sabey is at least 37 years old.", "modified": "2025-10-22T04:03:39.769000", "created": "2025-09-22T04:37:00.551000", "tags": [ "url https", "url http", "filehashmd5", "domain", "hostname", "virgin islands", "search", "type indicator", "role title", "added active", "present sep", "united", "unknown aaaa", "certificate", "ip address", "creation date", "record value", "date", "title", "body", "canada", "ireland", "passive dns", "urls", "hostname add", "pulse pulses", "files", "yara", "report spam", "otx generated", "created", "hours ago", "otx auto", "new york", "tsara brashears", "medicare united", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 755, "domain": 193, "hostname": 246, "FileHash-MD5": 17, "FileHash-SHA1": 16, "email": 2, "FileHash-SHA256": 120 }, "indicator_count": 1349, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d0c20eaf6a51bb667cbe9a", "name": "Hall Render Health Insurance Interface for Tsar Brashears", "description": "It\u2019s wild how quickly a delete service appears on OTX. Even more bananas, fake law\nfirm Hall Render pretends to be a non paying health insurance entity. \n\nAre you happy about death from denied care? You just can\u2019t stop? \n\nI have asked you to stop because that\u2019s about all I can do. Stop taking pulses , stop interfering in this persons family\u2019s life , stop throwing stones at Tsara Brashears. I don\u2019t have it in me to be like you. This is illegal. I am not interested in having a legal battle to fight for someone who is at peace now. \nExactly what kind of relationship could you possibly have with Jeffrey Scott Reimer. Stop sending people to look at every person ever connected to her. How can you enjoy taking options away from someone that was so terribly injured? I hope you recover from your sickness.\n\nCease fire. You want a war. Why? It\u2019s in Gods hands unbeliever. \nIt\u2019s your net, you can get tangled up in it.", "modified": "2025-10-22T03:18:24.424000", "created": "2025-09-22T03:27:10.554000", "tags": [ "expiration", "url https", "url http", "no expiration", "hostname", "iocs", "create new", "pulse use", "pdf report", "pcap", "domain", "virgin islands", "united", "canada", "ireland", "search", "type indicator", "enter source", "url or", "text drag", "drop or", "ipv4", "returnurl", "role title", "added active", "related pulses", "filehashsha256", "claim reversal", "elqaid16867", "elqat1", "elqcst272", "islands", "learn more", "filehashsha1", "filehashmd5", "possible deep", "https", "hall render", "panda", "post", "healthcare plan", "sci c1", "virtool", "service", "data upload", "extraction", "failed", "tract indica", "idea iocs", "q data", "type", "indicator role", "title added", "active related", "pulses url", "entries", "health system", "scan", "types of", "yara", "created", "minutes ago", "otx auto", "new york", "tsara brashears", "medicare united", "report spam", "otx generated", "t1036", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob", "t1055", "brian sabey", "hall render law", "gregg wallender", "adversary", "hackers", "mark sabey", "m brian sabey", "anyxxx", "sexyourway" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 849, "domain": 85, "hostname": 357, "FileHash-MD5": 62, "FileHash-SHA1": 59, "FileHash-SHA256": 77, "email": 4 }, "indicator_count": 1493, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d0b00b7ccb342031594e77", "name": "OTX Generated with strange commentary as always", "description": "OTX Auto populated-> Yara Yara, a 27-year-old woman from New York, has found that a law firm allegedly controlled Tsara Brashears' life and healthcare plan under the guise of being a Medicare United Healthcare plan. |", "modified": "2025-10-22T02:00:03.967000", "created": "2025-09-22T02:10:19.819000", "tags": [ "expiration", "url http", "hall render", "possible deep", "https", "deep panda", "brian sabey", "tsara brashears", "panda", "post", "virtool", "service", "fraud", "url https", "search", "type indicator", "role title", "added active", "related pulses", "claim reversal", "view", "fieldlastname", "filehashmd5", "filehashsha1", "domain", "hostname", "virgin islands", "united", "canada", "ireland", "writeconsolea", "regsetvalueexa", "regdword", "module load", "t1129", "show", "micromedia", "write", "markus", "april", "win32", "lost", "malware", "copy", "c2 activity", "cnc ids", "beacon", "server", "domain status", "algorithm", "key identifier", "x509v3 subject", "full name", "date", "registrar abuse", "registrar", "data", "ipv4", "returnurl", "masquerade task", "t1448", "carrier billing", "fraud endpoint", "security scan", "iocs", "learn more", "relationship", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob", "t1060", "scan", "entries", "healthcare", "legal", "families", "sakurel", "formbook att", "ck ids", "t1199", "render", "brian", "sabey", "fieldssn", "elqaid16867", "elqat1", "elqcst272", "formbookatt", "white insane", "law firm", "run keys", "ta0011", "command", "control", "t1410", "redirection", "medium", "windows", "high", "yara detections", "backdoor", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare", "Legal", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2189, "FileHash-MD5": 469, "FileHash-SHA1": 447, "FileHash-SHA256": 2446, "domain": 465, "hostname": 1224, "email": 15 }, "indicator_count": 7255, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d09835fed794bdc304de40", "name": "Deep Panda | Hall Render | Brian Sabey controlled Tsara Brashears life & Healthcare", "description": "Insane. Law Firm Hall Render including attorneys allegedly named M. \u2018Brian Sabey\u2019 and \u2018Gregg Wallender\u2019 began hosting a private pay healthcare plan for Tsara Brashears under the the guise of being a Medicare United Healthcare plan from 3/2021 - 12/2024. What Fraud! Brashears became millions $ in debt. Multiple insurance companies have had to be updated only to be cancelled. She\u2019d been denied spinal stabilization surgery worsening SCI C1 - L5. I didn\u2019t expect to find this at all. When her supplies weren\u2019t paid for. Angry supplier gave information to caregiver. Since then attempts on lives. \nNone of us are safe. I wonder if this is also part of Hall Render. How is this possible?\n\nThese are very dangerous people with hitmen. \nPlease STOP!", "modified": "2025-10-21T23:02:21.484000", "created": "2025-09-22T00:28:37.292000", "tags": [ "expiration", "related pulses", "language", "html document", "ascii text", "crlf line", "doctype", "portal", "enter", "tax id", "provider portal", "home", "iis windows", "provider web", "portal account", "please", "status", "server", "domain status", "registrar abuse", "registrar", "dnssec", "us registrant", "email", "contact email", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "se review", "exclude data", "extraction", "search otx", "data upload", "enter source", "url or", "texurag", "value a", "se source", "extra", "referen data", "ica7nvfarux", "include review", "failed", "sc data", "type", "extra data", "referen", "hcpruxi include", "review exclude", "sugges", "exclude", "find s", "typ url", "hos hos", "domain hos", "hast", "referen hcpruxi", "include", "cus cndigicert", "sha256", "ca1 odigicert", "inc validity", "ogainwell", "subject public", "key info", "available from", "code", "registry tech", "admin country", "gb registrant", "organization", "registry domain", "tech email", "iocs", "name servers", "emails", "search", "certificate", "passive dns", "urls", "domain", "record value", "body", "united", "present jul", "present jun", "moved", "ip address", "entries", "unknown cname", "present may", "title", "name", "hostname add", "writeconsolea", "regsetvalueexa", "regdword", "show", "deep panda", "module load", "t1129", "post", "write", "markus", "april", "win32", "lost", "malware", "backdoor", "present dec", "virgin islands", "trojan", "present feb", "present jan", "error", "avast avg", "possible deep", "ipv4 add", "pulse pulses", "files", "hosting", "location virgin", "islands", "twitter", "panda", "associated urls", "date checked", "url hostname", "server response", "read c", "formbook cnc", "checkin", "medium", "yara detections", "delete", "ids detections", "pulse", "srs ab", "showing", "uregistruotas", "date", "pulses", "unknown ns", "xloader" ], "references": [ "/hcp/ruxitagentjs_ICA7NVfqrux_10321250808084810.js", "IDS Detections: Possible DEEP PANDA C2 Activity Possible Deep Panda - Sakula/Mivast RAT CnC", "IDS: Beacon 5 Sakula/Mivast C2 Activity HTTP traffic on port 443 (POST)", "Yara Detections: RAT_Sakula , ScanBox_Malware_Generic , Nrv2x , UPX_OEP_place , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Yara: kernel32_dll_xor_exe_key_11 , xor_0xb_kernel32_dll", "Alerts: network_icmp persistence_autorun modifies_proxy_wpad packer_polymorphic", "IDS: FormBook CnC Checkin (POST) Terse HTTP 1.0 Request Possible Nivdort Beacon 5 Possible DEEP PANDA C2 Activity (208.91.197.27)", "IDS: Possible HTTP 403 XSS Attempt (Local Source) Possible Deep Panda - Sakula/Mivast RAT CnC (208.91.197.27)", "Craziest thing ever! Hall Render \u2018alleged\u2019 Law Firm was paying Tara Brasheats insurance?!", "Insane! They 1st kicked her of her Private pay United Healthcare. Put her off of Medicare. Won\u2019t pay!", "http://2fwww.hallrender.com/ \u2022 http://citrix.hallrender.com/ \u2022 http://dev.hallrender.com/ http://hallrender.com/attorney/brian-sabey/ No Expiration\t0\t URL http://hallrender.com/resource-blog No Expiration\t0\t URL http://hallrender.com/resources No Expiration\t0\t URL http://mail.hallrender.com/ No Expiration\t0\t URL http://www.hallrender.com/attorney/brian-sabey", "autodiscover.hallrender.com \u2022 hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "image.marketing.hallrender.com \u2022 https://hallrender.com/resources \u2022", "https://hallrender.com/resources/blog/ \u2022 https://www.hallrender.com/attorn", "www.podcast.hallrender.com \u2022 https://hallrender.com/resource-blog \u2022", "https://hallrender.com/attorney/gregg-m-wallander/", "https://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://hallrender.com/attorney/brian-sabey/ \u2022 https://hallrender.com/resources/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Win32/Plugx.N!dha", "display_name": "Backdoor:Win32/Plugx.N!dha", "target": "/malware/Backdoor:Win32/Plugx.N!dha" }, { "id": "Sakurel", "display_name": "Sakurel", "target": null }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Formbook", "display_name": "Formbook", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare", "Legal", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1886, "domain": 378, "hostname": 882, "FileHash-MD5": 173, "FileHash-SHA1": 172, "FileHash-SHA256": 1038, "email": 9 }, "indicator_count": 4538, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d1021acaa3ff0024effb9a", "name": "Deep Panda \u2022 Formbook - Provider Portal Account Entry \u2022 Widespread issue| Attributed to Brian Sabey of Hall Render ", "description": "", "modified": "2025-10-21T23:02:21.484000", "created": "2025-09-22T08:00:26.271000", "tags": [ "expiration", "related pulses", "language", "html document", "ascii text", "crlf line", "doctype", "portal", "enter", "tax id", "provider portal", "home", "iis windows", "provider web", "portal account", "please", "status", "server", "domain status", "registrar abuse", "registrar", "dnssec", "us registrant", "email", "contact email", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "se review", "exclude data", "extraction", "search otx", "data upload", "enter source", "url or", "texurag", "value a", "se source", "extra", "referen data", "ica7nvfarux", "include review", "failed", "sc data", "type", "extra data", "referen", "hcpruxi include", "review exclude", "sugges", "exclude", "find s", "typ url", "hos hos", "domain hos", "hast", "referen hcpruxi", "include", "cus cndigicert", "sha256", "ca1 odigicert", "inc validity", "ogainwell", "subject public", "key info", "available from", "code", "registry tech", "admin country", "gb registrant", "organization", "registry domain", "tech email", "iocs", "name servers", "emails", "search", "certificate", "passive dns", "urls", "domain", "record value", "body", "united", "present jul", "present jun", "moved", "ip address", "entries", "unknown cname", "present may", "title", "name", "hostname add", "writeconsolea", "regsetvalueexa", "regdword", "show", "deep panda", "module load", "t1129", "post", "write", "markus", "april", "win32", "lost", "malware", "backdoor", "present dec", "virgin islands", "trojan", "present feb", "present jan", "error", "avast avg", "possible deep", "ipv4 add", "pulse pulses", "files", "hosting", "location virgin", "islands", "twitter", "panda", "associated urls", "date checked", "url hostname", "server response", "read c", "formbook cnc", "checkin", "medium", "yara detections", "delete", "ids detections", "pulse", "srs ab", "showing", "uregistruotas", "date", "pulses", "unknown ns", "xloader" ], "references": [ "/hcp/ruxitagentjs_ICA7NVfqrux_10321250808084810.js", "IDS Detections: Possible DEEP PANDA C2 Activity Possible Deep Panda - Sakula/Mivast RAT CnC", "IDS: Beacon 5 Sakula/Mivast C2 Activity HTTP traffic on port 443 (POST)", "Yara Detections: RAT_Sakula , ScanBox_Malware_Generic , Nrv2x , UPX_OEP_place , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Yara: kernel32_dll_xor_exe_key_11 , xor_0xb_kernel32_dll", "Alerts: network_icmp persistence_autorun modifies_proxy_wpad packer_polymorphic", "IDS: FormBook CnC Checkin (POST) Terse HTTP 1.0 Request Possible Nivdort Beacon 5 Possible DEEP PANDA C2 Activity (208.91.197.27)", "IDS: Possible HTTP 403 XSS Attempt (Local Source) Possible Deep Panda - Sakula/Mivast RAT CnC (208.91.197.27)", "Craziest thing ever! Hall Render \u2018alleged\u2019 Law Firm was paying Tara Brasheats insurance?!", "Insane! They 1st kicked her of her Private pay United Healthcare. Put her off of Medicare. Won\u2019t pay!", "http://2fwww.hallrender.com/ \u2022 http://citrix.hallrender.com/ \u2022 http://dev.hallrender.com/ http://hallrender.com/attorney/brian-sabey/ No Expiration\t0\t URL http://hallrender.com/resource-blog No Expiration\t0\t URL http://hallrender.com/resources No Expiration\t0\t URL http://mail.hallrender.com/ No Expiration\t0\t URL http://www.hallrender.com/attorney/brian-sabey", "autodiscover.hallrender.com \u2022 hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "image.marketing.hallrender.com \u2022 https://hallrender.com/resources \u2022", "https://hallrender.com/resources/blog/ \u2022 https://www.hallrender.com/attorn", "www.podcast.hallrender.com \u2022 https://hallrender.com/resource-blog \u2022", "https://hallrender.com/attorney/gregg-m-wallander/", "https://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://hallrender.com/attorney/brian-sabey/ \u2022 https://hallrender.com/resources/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Win32/Plugx.N!dha", "display_name": "Backdoor:Win32/Plugx.N!dha", "target": "/malware/Backdoor:Win32/Plugx.N!dha" }, { "id": "Sakurel", "display_name": "Sakurel", "target": null }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Formbook", "display_name": "Formbook", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare", "Legal", "Government" ], "TLP": "white", "cloned_from": "68d09835fed794bdc304de40", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1886, "domain": 378, "hostname": 882, "FileHash-MD5": 173, "FileHash-SHA1": 172, "FileHash-SHA256": 1038, "email": 9 }, "indicator_count": 4538, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d0cbab63b68549437a7c0b", "name": "Brain Sabey Anyxxx Porn Hall Render Law Firm & Health Insurance Company", "description": "", "modified": "2025-10-21T00:02:57.489000", "created": "2025-09-22T04:08:11.333000", "tags": [ "url https", "url http", "filehashsha1", "filehashmd5", "types of", "virgin islands", "united", "canada", "ireland", "search", "japan", "type indicator", "role title", "added active", "expiration", "no expiration", "hostname", "domain", "pulse show", "possible deep", "https", "hall render", "panda", "post", "medicare united", "healthcare plan", "sci c1", "iocs", "enter source", "url or", "text drag", "drop or", "browse to", "select file", "relationship", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob", "t1060", "service" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 793, "domain": 41, "hostname": 259, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1 }, "indicator_count": 1101, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689030129ed94e6805755c52", "name": "iimcb.e-kei.pl iimcb.gov.pl ip4 94.152.54.231 (94.152.0.0/16) ???", "description": "https://www.virustotal.com/gui/domain/iimcb.e-kei.pl/details\nhttps://www.virustotal.com/gui/domain/iimcb.gov.pl/details\nhttps://www.virustotal.com/gui/ip-address/94.152.54.231/details", "modified": "2025-09-03T03:00:19.806000", "created": "2025-08-04T03:59:14.325000", "tags": [], "references": [ "iimcb.e-kei.pl", "iimcb.e.gov.pl", "iimcb.gov.pl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 249, "FileHash-MD5": 2, "FileHash-SHA1": 26, "FileHash-SHA256": 49, "hostname": 961, "URL": 2001, "CVE": 1 }, "indicator_count": 3289, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "228 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6878ab97e659d23d965452ac", "name": "Yandex - Tofsee.AX | Malvertising Hub for US", "description": "Win32/Tofsee.AX google.com connectivity check\n Can\u2019t access all malware files.\n\nYandex has long been a malvertising Hub for US and other non- Russian threat actors.", "modified": "2025-08-16T07:00:49.321000", "created": "2025-07-17T07:51:51.799000", "tags": [ "status", "russia", "creation date", "passive dns", "urls", "date", "hostname add", "pulse pulses", "files", "verdict", "present jul", "certificate", "ip address", "search", "record value", "showing", "xml title", "present jan", "present sep", "present oct", "whois", "urlvoid", "related", "https", "expiration", "http", "months ago", "expiration http", "url http", "report spam", "smear", "brian sabey", "sabey", "data upload", "extraction", "url https", "type indicator", "role title", "added active", "related pulses", "entries", "tbmvid", "sourcelnms", "zx1724209326040", "hostname", "trojan", "delete c", "united", "grum", "show", "cape", "tofsee", "high", "total", "copy", "write", "malware", "patched", "next", "class", "failed", "indicator role", "title added", "active related", "filehashmd5", "filehashsha1", "filehashsha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2337, "hostname": 833, "email": 4, "domain": 357, "FileHash-MD5": 113, "FileHash-SHA256": 1551, "FileHash-SHA1": 108, "SSLCertFingerprint": 1 }, "indicator_count": 5304, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68788dfd4a0943cb318c7137", "name": "DarkWatchman Chekin Activity", "description": "", "modified": "2025-08-16T06:02:36.091000", "created": "2025-07-17T05:45:33.250000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7596, "FileHash-SHA1": 3987, "FileHash-SHA256": 8622, "URL": 1922, "domain": 2530, "hostname": 2524, "email": 37, "CVE": 6, "SSLCertFingerprint": 6 }, "indicator_count": 27230, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Tofsee: 'google.com' | https://www.gov50.icu |", "hallrender.com \u2022 https://hallrender.com/resources/blog/ \u2022 https://urlmail.hallrender.com \u2022 https://urlwww.hallrender.com", "https://otx.alienvault.com/pulse/68d12dd7e357755235f007e8", "IDS: Possible HTTP 403 XSS Attempt (Local Source) Possible Deep Panda - Sakula/Mivast RAT CnC (208.91.197.27)", "http://2fwww.hallrender.com/ \u2022 http://citrix.hallrender.com/ \u2022 http://dev.hallrender.com/ http://hallrender.com/attorney/brian-sabey/ No Expiration\t0\t URL http://hallrender.com/resource-blog No Expiration\t0\t URL http://hallrender.com/resources No Expiration\t0\t URL http://mail.hallrender.com/ No Expiration\t0\t URL http://www.hallrender.com/attorney/brian-sabey", "Backdoor.Win32.Pushdo.s Checkin", "Craziest thing ever! Hall Render \u2018alleged\u2019 Law Firm was paying Tara Brasheats insurance?!", "https://citrix.hallrender.com/vpn/install/ \u2022 https://citrix.hallrender.com/vpn/install/mac.htm \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "brian-sabey-anyxxxtube.net \u2022 hallrender.com", "Yara Detections: is__elf , DemonBot", "free NSFW experience offered by Dopple AI.MALWARE", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "feastfoundry.com\t\u2022 https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "image.marketing.hallrender.com \u2022 https://hallrender.com/resources \u2022", "iimcb.e-kei.pl", "http://appelfarm.org", "autodiscover.hallrender.com \u2022 hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "/hcp/ruxitagentjs_ICA7NVfqrux_10321250808084810.js", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Possible Compromised Host AnubisNetworks", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "https://tulach.cc/ | tulach.cc |", "https://britneyspears.com/", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "Interesting Strings : 13.79.87.163", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "https://otx.alienvault.com/pulse/68b5e672f492fdc96cf997aa", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "iimcb.gov.pl", "https://hallrender.com/attorney/brian-sabey/ \u2022 https://hallrender.com/resources/", "https://www.neurotoxininstitute.com/", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: RAT_Sakula , ScanBox_Malware_Generic , Nrv2x , UPX_OEP_place , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser ,", "IDS Detections : SUSPICIOUS Path to BusyBox root login TELNET login failed", "Now https://urlscan.io/liveshot/?width=1600&height=1200&url=http%3A%2F%2Fwww.neurotoxininstitute.com%2Findex.php%3Foption%5C%3Dcom_content%26view%5C%3Darticle%26id%5C%3D70%26Itemid%5C%3D14", "IDS Signatures : SUSPICIOUS Path to BusyBox\t192.168.122.52\t\u2022 77.66.206.206", "Alerts: network_icmp persistence_autorun modifies_proxy_wpad packer_polymorphic", "https://elite.hallrender.com \u2022 https://hallrender.com/attorney/gregg-m-wallander/", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: Cookie Value btst ET INFO Namecheap URL Forward", "https://otx.alienvault.com/pulse/68d0f099f60e98e6c4ffc1e5", "IDS: Beacon 5 Sakula/Mivast C2 Activity HTTP traffic on port 443 (POST)", "www.pornhubselect.com | pornhub.software", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "Insane! They 1st kicked her of her Private pay United Healthcare. Put her off of Medicare. Won\u2019t pay!", "IDS Signatures : root login 175.203.174.23 \u2022 192.168.122.52", "IDS Detections: Possible DEEP PANDA C2 Activity Possible Deep Panda - Sakula/Mivast RAT CnC", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "IDS Detections: ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "dev.hallrender.com \u2022 elite.hallrender.com \u2022 image.marketing.hallrender.com", "www.podcast.hallrender.com \u2022 https://hallrender.com/resource-blog \u2022", "https://urlscan.io/screenshots/32b0614f-1148-49ea-aed4-4f23afd33e56.png", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "https://hallrender.com/resources/blog/ \u2022 https://www.hallrender.com/attorn", "IDS Signatures :TELNET login failed\t77.66.206.206 \u2022 192.168.122.52", "https://hallrender.com/attorney/gregg-m-wallander/", "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "Yara: kernel32_dll_xor_exe_key_11 , xor_0xb_kernel32_dll", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "IDS: FormBook CnC Checkin (POST) Terse HTTP 1.0 Request Possible Nivdort Beacon 5 Possible DEEP PANDA C2 Activity (208.91.197.27)", "DISTINCTIO8.pdf", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "Yara: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "http://hallrender.com/attorney/brian-sabey \u2022 http://hallrender.com/attorney/brian-sabey/", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "https://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "IDS Detections: Andariel Backdoor Activity (Checkin)", "iimcb.e.gov.pl", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "hubt.pornhub.com | www.pornhub.com | pornative.com", "IDS Detections: Sinkhole Cookie Value Snkz 403 Forbidden TLS Handshake Failure", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Lazarus" ], "malware_families": [ "Trojan:win32/bulta", "Ddos:linux/gafgyt.ya!mtb", "Trojan:win32/zombie.a", "Onelouder", "Backdoor:win32/tofsee", "Win.malware.qshell-9875653-0", "Dopple ai", "Snit", "Formbook", "Win.trojan.installcore-1177", "Win32:zbot-ruv", "Win.malware.oxypumper-6900435-0", "Netherlands", "Suggested", "Nids", "Win.packed.generic-9967832-0", "Cve-2017-17215", "Ransom:win32/haperlock", "Win32:kryptik", "Tofsee", "Unix.trojan.mirai-6981169-0", "Cve-2014-8361", "Win32:evo-gen", "Win.trojan.sarwent-10012602-0", "Backdoor:win32/plugx.n!dha", "Virtool:win32/vbinject.gen!mh", "Virus:win32/sivis.a", "Tel:createscheduledtask", "Cve-2023-27350", "Trojanspy", "Mirai", "Et", "Ransom", "Alf:rpf:peattr_sigattr:predict:70", "M1", "Sakurel", "Virtool:win32/obfuscator.jm", "Y.a.s:1byte/tinyrod", "Trojan:win32/neurevt", "Virus:win32/krepper.30760", "Sova", "Softcnapp", "Sality", "Trojandownloader:win32/cutwail", "Alf:heraklezeval:backdoor:linux/mirai.a!rf" ], "industries": [ "Government", "Healthcare", "Legal" ], "unique_indicators": 77641 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/hallrender.com", "whois": "http://whois.domaintools.com/hallrender.com", "domain": "hallrender.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "69bea5d2987c3d14aeb2b0c9", "name": "Delete service Deleted over 1200 Brian Sabeys Porn Revenge Campaign \u2022 LevelBlue? Dopple AI | Poem Hunter: Poems ", "description": "", "modified": "2026-03-21T14:06:10.007000", "created": "2026-03-21T14:06:10.007000", "tags": [ "active related", "search filter", "time tsara", "x show", "cidr", "email", "learn more", "information", "t1027", "t1036", "t1057", "discovery", "t1059", "t1071", "title added", "poem", "the day", "wild eyesand", "unknown power", "shakespeare", "repeats", "ere man", "dowell oreilly", "read poem", "snit", "website", "loading", "rl https", "y0 nov", "vj96", "uyebaaeabaaaaac", "jid442122029", "active", "url http", "url https", "types", "indicators show", "type indicator", "added active", "tbmvid", "sourcelnms", "zx1724209326040", "read c", "module load", "showing", "delphi", "delete", "rgba", "unicode", "malware", "write", "win32", "execution", "next", "extraction", "data upload", "extre", "include data", "sc type", "url tot", "role title", "tsara brashears", "live sex", "porn video", "levelblue", "porn", "pornhub", "porn videos", "watch tsara", "most relevant", "q estimation", "green", "tsara", "online chat", "spicychat ai", "visa", "sex chat", "miss stella", "january", "philadelphia", "dopple ai", "b1 dec", "videos", "red porn", "free porn", "sunny leone", "hardcore porn", "jeffrey reimer", "puts", "love", "super", "download", "top tsara", "google search", "la iniciacin", "xxx hd", "bdsm scene", "nsfw experience", "ck ids", "open threat", "filepath https", "foundry", "palantir", "brian sabey", "yas", "tiny penis", "slander", "indicator role", "pulses url", "search" ], "references": [ "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "free NSFW experience offered by Dopple AI.MALWARE", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Snit", "display_name": "Snit", "target": null }, { "id": "Dopple AI", "display_name": "Dopple AI", "target": null }, { "id": "Y.A.S:1Byte/TinyRod", "display_name": "Y.A.S:1Byte/TinyRod", "target": "/malware/Y.A.S:1Byte/TinyRod" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "green", "cloned_from": "691ead29f61101bfa3700998", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2497, "hostname": 742, "FileHash-SHA256": 523, "domain": 223, "FileHash-MD5": 85, "FileHash-SHA1": 56, "email": 4 }, "indicator_count": 4130, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691ead29f61101bfa3700998", "name": "Dopple AI | Poem Hunter: Poems - Poets - Poetry", "description": "Online terms that sexulize SA victim : Tsara brashears slander red porn videos ,\nHardcore porn, is pornography that features detailed depictions of sexual organs or sexual acts such as vaginal, anal or oral intercourse, fingering, brashears , Red Porn Videos , Tsara brashears slandered red porn\nyoujizz sex\n, Tsara brashears submission on august 27 via manual free , College fuck fest Super japanese hd compilation , \none kinky student fucks tsara brashears porn xxx porn , the best internet porn site\n, tsara brashears slandered, porn video uploaded to hardcore ,\nxxxxxxxxxx sex videos\nsearch , xxxxxxxxxx hd porn. tsara brashears\u09ac\u09b2\u09a6\u09b6\u09b0 \u09a8\u09a4\u09a8 \u09ad\u09acfrench retro gangbang in the hotel room, You will Tsara brashears porn ,\nChunky babe loves to be on top Hot Milf , xxx Movies, updates hourly.\n tsara brashears slandered,\nfrench retro gangbang in the hotel room , free porn videos. You will Tsara brashears porn jeffrey reimer puts his love on top tsara brashears brother", "modified": "2025-12-20T03:00:41.407000", "created": "2025-11-20T05:54:49.968000", "tags": [ "active related", "search filter", "time tsara", "x show", "cidr", "email", "learn more", "information", "t1027", "t1036", "t1057", "discovery", "t1059", "t1071", "title added", "poem", "the day", "wild eyesand", "unknown power", "shakespeare", "repeats", "ere man", "dowell oreilly", "read poem", "snit", "website", "loading", "rl https", "y0 nov", "vj96", "uyebaaeabaaaaac", "jid442122029", "active", "url http", "url https", "types", "indicators show", "type indicator", "added active", "tbmvid", "sourcelnms", "zx1724209326040", "read c", "module load", "showing", "delphi", "delete", "rgba", "unicode", "malware", "write", "win32", "execution", "next", "extraction", "data upload", "extre", "include data", "sc type", "url tot", "role title", "tsara brashears", "live sex", "porn video", "levelblue", "porn", "pornhub", "porn videos", "watch tsara", "most relevant", "q estimation", "green", "tsara", "online chat", "spicychat ai", "visa", "sex chat", "miss stella", "january", "philadelphia", "dopple ai", "b1 dec", "videos", "red porn", "free porn", "sunny leone", "hardcore porn", "jeffrey reimer", "puts", "love", "super", "download", "top tsara", "google search", "la iniciacin", "xxx hd", "bdsm scene", "nsfw experience", "ck ids", "open threat", "filepath https", "foundry", "palantir", "brian sabey", "yas", "tiny penis", "slander", "indicator role", "pulses url", "search" ], "references": [ "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "free NSFW experience offered by Dopple AI.MALWARE", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Snit", "display_name": "Snit", "target": null }, { "id": "Dopple AI", "display_name": "Dopple AI", "target": null }, { "id": "Y.A.S:1Byte/TinyRod", "display_name": "Y.A.S:1Byte/TinyRod", "target": "/malware/Y.A.S:1Byte/TinyRod" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2497, "hostname": 742, "FileHash-SHA256": 523, "domain": 223, "FileHash-MD5": 85, "FileHash-SHA1": 56, "email": 4 }, "indicator_count": 4130, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691e2279ac1ef8b9dbfbc2b3", "name": "Mirai \u2022 Neurotox Institute", "description": "Found in peripheral. Lazarus. Related tomOperation Endgame. Strangely related to the entertainment industry. \nRelated to treatments facilities where a target I\u2019ve been researching received \u2018care\u2019. Also links to Major Entertainment conglomerate : not surprisingly Hall Render and Foundry.\nPage was stated to expire 11/21 | expired after I was able to capture a live screenshot (not updated for years) \n\n[The Neurotoxin Institute (NTI) is a multidisciplinary organization created to serve as a comprehensive independent source of information related to the basic science and the clinical applications of neurotoxins. The Institute fosters the learning and teaching of both theory and practical techniques, and encourages further research in support of these goals.\nExperimental Biology (EB)\nwww.aapmr.org]", "modified": "2025-12-19T19:00:18.927000", "created": "2025-11-19T20:03:05.195000", "tags": [ "united", "link", "virtool", "meta", "atom", "pragma", "dynamicloader", "msie", "windows nt", "tls handshake", "failure", "tlsv1", "forbidden", "ogoogle trust", "encrypt", "possible", "write", "malware", "consumed", "netherlands", "united kingdom", "read c", "sality", "delphi", "win32", "strings", "xserver", "post http", "post method", "cryptexportkey", "ocloudflare", "cryptgenkey", "calgrc4", "persistence", "execution", "div div", "script script", "span a", "a li", "unknown ns", "span", "april", "passive dns", "hosting", "reverse dns", "hostname add", "files ip", "asn as32475", "address domain", "mirai", "united states", "facebook", "twitter", "youtube", "ck ids", "mh may", "t1204 technique", "user execution", "suggested", "port", "destination", "telnet login", "high", "tcp syn", "infectednight", "resolverror", "suspicious path", "ids detections", "yara detections", "sinkhole cookie", "file score", "detections sf", "value snkz", "forbidden tls", "et trojan", "value", "et info", "et", "present oct", "domain", "title", "present sep", "moved", "server", "next associated", "ipv4 add", "urls", "files", "trojan", "cookie", "predict70 sep", "next http", "scans record", "forbidden date", "gmt content", "type", "unix", "namecheap url", "forward elf", "md5 add", "less see", "contacted", "pulse pulses", "av detections", "analysis date", "virus", "ee fc", "unknown", "yara rule", "ff d5", "search", "show", "suspicious", "fbq object", "ide value", "source level", "url text", "line", "allow attribute", "mootools", "class function", "chain", "options", "elements", "garbage", "drag", "xhr function", "ajax", "itemid14", "kb image", "kb script", "b image", "b stylesheet", "b script", "kb stylesheet", "stylesheet", "redirect chain", "path size", "type mimetype", "resource", "general full", "montreal", "canada", "asn16276", "debian", "url http", "hash", "main", "cookie object", "dns any", "date", "entries", "url https", "Foundry", "Lazarus", "Endgame", "Neurotoxin Institute", "Hall Render", "Brian Sabey", "UC Health", "Britney Spears Official" ], "references": [ "https://www.neurotoxininstitute.com/", "Backdoor.Win32.Pushdo.s Checkin", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Possible Compromised Host AnubisNetworks", "IDS Detections: Sinkhole Cookie Value Snkz 403 Forbidden TLS Handshake Failure", "IDS Detections: ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole", "IDS Detections: Cookie Value btst ET INFO Namecheap URL Forward", "IDS Detections : SUSPICIOUS Path to BusyBox root login TELNET login failed", "http://appelfarm.org", "IDS Signatures : root login 175.203.174.23 \u2022 192.168.122.52", "IDS Signatures :TELNET login failed\t77.66.206.206 \u2022 192.168.122.52", "IDS Signatures : SUSPICIOUS Path to BusyBox\t192.168.122.52\t\u2022 77.66.206.206", "Interesting Strings : 13.79.87.163", "https://urlscan.io/screenshots/32b0614f-1148-49ea-aed4-4f23afd33e56.png", "https://otx.alienvault.com/pulse/68d0f099f60e98e6c4ffc1e5", "https://otx.alienvault.com/pulse/68b5e672f492fdc96cf997aa", "https://otx.alienvault.com/pulse/68d12dd7e357755235f007e8", "https://britneyspears.com/", "hallrender.com \u2022 https://hallrender.com/resources/blog/ \u2022 https://urlmail.hallrender.com \u2022 https://urlwww.hallrender.com", "https://citrix.hallrender.com/vpn/install/ \u2022 https://citrix.hallrender.com/vpn/install/mac.htm \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "http://hallrender.com/attorney/brian-sabey \u2022 http://hallrender.com/attorney/brian-sabey/", "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://elite.hallrender.com \u2022 https://hallrender.com/attorney/gregg-m-wallander/", "brian-sabey-anyxxxtube.net \u2022 hallrender.com", "dev.hallrender.com \u2022 elite.hallrender.com \u2022 image.marketing.hallrender.com", "Now https://urlscan.io/liveshot/?width=1600&height=1200&url=http%3A%2F%2Fwww.neurotoxininstitute.com%2Findex.php%3Foption%5C%3Dcom_content%26view%5C%3Darticle%26id%5C%3D70%26Itemid%5C%3D14", "feastfoundry.com\t\u2022 https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "United States of America", "Japan", "France", "Germany", "Canada", "Netherlands", "United Kingdom of Great Britain and Northern Ireland", "New Zealand", "Italy", "Aruba", "Poland", "Singapore", "T\u00fcrkiye", "Indonesia", "Spain", "Hong Kong" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Netherlands", "display_name": "Netherlands", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Virus:Win32/Krepper.30760", "display_name": "Virus:Win32/Krepper.30760", "target": "/malware/Virus:Win32/Krepper.30760" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai.A!rf", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai.A!rf", "target": null }, { "id": "Suggested", "display_name": "Suggested", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "ALF:RPF:PEATTR_SIGATTR:PREDICT:70", "display_name": "ALF:RPF:PEATTR_SIGATTR:PREDICT:70", "target": null }, { "id": "Win32:Zbot-RUV", "display_name": "Win32:Zbot-RUV", "target": null }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Kryptik", "display_name": "Win32:Kryptik", "target": null }, { "id": "Trojan:Win32/Bulta", "display_name": "Trojan:Win32/Bulta", "target": "/malware/Trojan:Win32/Bulta" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 511, "hostname": 198, "domain": 471, "FileHash-SHA256": 1442, "FileHash-MD5": 183, "FileHash-SHA1": 79, "email": 5, "SSLCertFingerprint": 63 }, "indicator_count": 2952, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "121 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fd0cc422cea2fd989581fd", "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)", "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.", "modified": "2025-11-24T17:02:12.441000", "created": "2025-10-25T17:45:40.291000", "tags": [ "ipv4", "levelblue", "open threat", "date sat", "connection", "etag w", "cloudfront", "sameorigin age", "vary", "ip address", "kb body", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "exchange og", "levelblue open", "threat exchange", "exchange", "google tag", "iocs", "search otx", "included iocs", "review iocs", "data upload", "extraction", "layer protocol", "v full", "reports v", "port t1571", "t1573", "oc0006 http", "c0014", "get http", "dns resolutions", "user", "data", "datacrashpad", "edge", "tag manager", "us er", "help files", "shell", "html", "cve202323397", "iframe tags", "community score", "url http", "url https", "united", "united kingdom", "netherlands", "search", "type indicator", "role title", "added active", "related pulses", "indicator role", "title added", "active related", "otc oct", "report spam", "week ago", "scan", "learn more", "filehashmd5", "filehashsha1", "domain", "australia", "does", "josh", "created", "filehashsha256", "present jul", "present oct", "date", "a domains", "script urls", "for privacy", "moved", "script domains", "meta", "title", "body", "pragma", "encrypt", "ck ids", "t1060", "run keys", "startup", "folder", "t1027", "files", "information", "t1055", "injection", "capture", "south korea", "malaysia", "pulses", "fatal error", "hacker known", "name", "unknown", "risk", "weeks ago", "scary", "sova", "colorado", "wire", "name unknown", "thursday", "denver", "types of", "indicators hong", "kong", "tsara brashears", "african", "ethiopia", "b8reactjs", "india", "america", "x ua", "hostname", "dicator role", "pulses url", "airplane", "icator role", "t1432", "access contact", "list", "t1525", "image", "security scan", "heuristic oct", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1114", "t1480", "internal image", "brian sabey", "month ago", "modified", "days ago", "green well", "sabey stash", "service", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sova", "display_name": "Sova", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 956, "FileHash-SHA1": 906, "FileHash-SHA256": 2651, "URL": 4450, "domain": 708, "hostname": 2403, "CVE": 1, "email": 5 }, "indicator_count": 12080, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d332d77a7eedf3ad71c406", "name": "Denizbankk.net \u2022 LevelBlue - Open Threat Exchange", "description": "Denizbankk.net \u2022 Debian.org \u2022 hallrender.com \u2022 alienvault.com \u2022 hopto.org \u2022 striven.com| ? | This is concerning. It\u2019s not like intended to find what I have found but I am disappointed. The few people on the platform who do their own research eventually leave with a large amount of reposters. Related to haallrendee, brian sabey and each link listed. Stange happenings this weak. [otx auto populated- Google Safe Browsing, Denizbankk.net, has been used by the Russian government to create a secure web address that can be accessed only if the user has the correct address.{", "modified": "2025-10-23T23:03:23.167000", "created": "2025-09-23T23:52:55.453000", "tags": [ "log id", "gmtn", "tls web", "zerossl", "zerossl rsa", "domain secure", "site ca", "fa c7", "ocsp", "a167", "code", "keepalive", "false", "record type", "ttl a", "value", "o jarm", "fingerprint", "file format", "relevance", "united", "tempe", "arizona create", "domain", "expiry date", "name", "query time", "technical city", "tempe technical", "technical state", "rdap database", "handle", "iana registrar", "links", "algorithm", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl rsa", "validity", "server", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "registrar whois", "date", "available from", "country", "proxy", "postal code", "city", "admin city", "tempe admin", "filehashmd5", "url https", "filehashsha1", "url http", "type indicator", "role title", "added active", "related pulses", "filehashsha256", "showing", "germany unknown", "passive dns", "entries", "a domains", "body doctype", "content type", "gmt server", "ipv4 add", "pulse submit", "url analysis", "main", "apache", "accept", "title", "present dec", "present jun", "present nov", "aaaa", "present feb", "present sep", "search", "canada", "encrypt", "devam", "ad soyad", "mteri numaras", "gvenlik iin", "gizli soru", "gvenlik sorusu", "cevab", "ltfen bir", "present may", "moved", "present oct", "ip address", "gandi sas", "body", "backdoor", "next associated", "trojandropper", "fastly error", "please", "sea p", "twitter", "win32", "creation date", "name servers", "hostname add", "pulse pulses", "urls", "record value", "japan", "germany", "ipv4", "countries", "america", "netherlands", "italy", "brian sabey", "report spam", "tsara brashears", "created", "days ago", "green well", "sabey stash", "service", "hours ago", "malicious", "forbidden", "actionlistccc", "malware family", "mufanom att", "capture", "ck ids", "checkin", "t1036", "t1055", "injection", "t1056" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 617, "URL": 2495, "hostname": 1698, "FileHash-MD5": 275, "FileHash-SHA1": 265, "FileHash-SHA256": 1241, "SSLCertFingerprint": 2, "email": 4 }, "indicator_count": 6597, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "177 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d3368ae75cccf736a55441", "name": "ET TROJAN Hiloti/Mufanom Downloader Checkin | Denizbankk.net", "description": "", "modified": "2025-10-23T23:03:23.167000", "created": "2025-09-24T00:08:42.048000", "tags": [ "log id", "gmtn", "tls web", "zerossl", "zerossl rsa", "domain secure", "site ca", "fa c7", "ocsp", "a167", "code", "keepalive", "false", "record type", "ttl a", "value", "o jarm", "fingerprint", "file format", "relevance", "united", "tempe", "arizona create", "domain", "expiry date", "name", "query time", "technical city", "tempe technical", "technical state", "rdap database", "handle", "iana registrar", "links", "algorithm", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl rsa", "validity", "server", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "registrar whois", "date", "available from", "country", "proxy", "postal code", "city", "admin city", "tempe admin", "filehashmd5", "url https", "filehashsha1", "url http", "type indicator", "role title", "added active", "related pulses", "filehashsha256", "showing", "germany unknown", "passive dns", "entries", "a domains", "body doctype", "content type", "gmt server", "ipv4 add", "pulse submit", "url analysis", "main", "apache", "accept", "title", "present dec", "present jun", "present nov", "aaaa", "present feb", "present sep", "search", "canada", "encrypt", "devam", "ad soyad", "mteri numaras", "gvenlik iin", "gizli soru", "gvenlik sorusu", "cevab", "ltfen bir", "present may", "moved", "present oct", "ip address", "gandi sas", "body", "backdoor", "next associated", "trojandropper", "fastly error", "please", "sea p", "twitter", "win32", "creation date", "name servers", "hostname add", "pulse pulses", "urls", "record value", "japan", "germany", "ipv4", "countries", "america", "netherlands", "italy", "brian sabey", "report spam", "tsara brashears", "created", "days ago", "green well", "sabey stash", "service", "hours ago", "malicious", "forbidden", "actionlistccc", "malware family", "mufanom att", "capture", "ck ids", "checkin", "t1036", "t1055", "injection", "t1056" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": "68d332d77a7eedf3ad71c406", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 617, "URL": 2495, "hostname": 1698, "FileHash-MD5": 275, "FileHash-SHA1": 265, "FileHash-SHA256": 1241, "SSLCertFingerprint": 2, "email": 4 }, "indicator_count": 6597, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "177 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d0f099f60e98e6c4ffc1e5", "name": "Elaborate Medical Insurance Scheme | Claims Reversal", "description": "Boring? Maybe but, victim of crime became a target of an elaborate , phishing, social engineering , hacking, theft, reputation, stalking, & physical assault scheme. A man using name Brian Sabey , Esq continues an international porn campaign. Today I\u2019m shocked by his false Medicare insurance scam denying targets claims & treatment since 2017. This information was retrieved by me via research due to unpaid medical bills Team 8 has uncovered multiple large scale breaches with information mailed , texted or sent to targets. \n We are all researchers with a combined 30 years of award winning researchers focuses in various areas. We are doing this unpaid , considering the circumstances. We are not related to the victim. \n\nAll claims of any abuses have been substantiated claims.\n\n#trulymissed #rip #briansabey #hallrender #jeffreyscottreimer #formbook_cnc #panda_cnc_checkin #claimreversalscam", "modified": "2025-10-22T05:00:52.085000", "created": "2025-09-22T06:45:45.714000", "tags": [ "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "date", "encrypt", "united", "backdoor", "entries", "passive dns", "hstr", "checkin", "next associated", "lowfi", "trojan", "ipv4 add", "twitter", "trojandropper", "ransom", "body", "url https", "type indicator", "role title", "added active", "related pulses", "url http", "ck ids", "t1036", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob", "yara", "report spam", "otx generated", "created", "hours ago", "otx auto", "new york", "tsara brashears", "search", "filehashsha1", "filehashmd5", "domain", "hostname", "virgin islands", "canada", "ireland", "pes of", "expiration", "hall render", "possible deep", "https", "panda", "post", "insane", "law firm", "virtool", "service", "iocs", "learn more", "et trojan", "msie", "windows nt", "show", "unknown", "france as16276", "united kingdom", "possible", "write", "win32", "malware", "copy", "next", "et", "returnurl" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Netherlands", "Italy", "Aruba", "Germany", "Ireland", "Spain", "Poland", "Canada", "T\u00fcrkiye", "Romania", "Sweden", "Australia", "Singapore", "Denmark" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2905, "URL": 5029, "hostname": 1146, "FileHash-SHA256": 935, "FileHash-MD5": 102, "FileHash-SHA1": 100, "email": 3 }, "indicator_count": 10220, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d0d26cf2038b0019bbb331", "name": "Tsara Brashears still has cyber stalkers Brian Sabey", "description": "Well, well, well is this a twisted love you to a gruesome death love note? \nwww.oneyoulovefranchise.com - Brian Sabey stash.\n\nOTX being attacked by a \u2018delete\u2019 service again. \n(OTX auto populated: The full text of Brian Whaley's entry into the search for the British Virgin Islands (1) has been published on the website of the law firm, Law Firm, at the age of 26.) Alleged American Brian Sabey is at least 37 years old.", "modified": "2025-10-22T04:03:39.769000", "created": "2025-09-22T04:37:00.551000", "tags": [ "url https", "url http", "filehashmd5", "domain", "hostname", "virgin islands", "search", "type indicator", "role title", "added active", "present sep", "united", "unknown aaaa", "certificate", "ip address", "creation date", "record value", "date", "title", "body", "canada", "ireland", "passive dns", "urls", "hostname add", "pulse pulses", "files", "yara", "report spam", "otx generated", "created", "hours ago", "otx auto", "new york", "tsara brashears", "medicare united", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 755, "domain": 193, "hostname": 246, "FileHash-MD5": 17, "FileHash-SHA1": 16, "email": 2, "FileHash-SHA256": 120 }, "indicator_count": 1349, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d0c20eaf6a51bb667cbe9a", "name": "Hall Render Health Insurance Interface for Tsar Brashears", "description": "It\u2019s wild how quickly a delete service appears on OTX. Even more bananas, fake law\nfirm Hall Render pretends to be a non paying health insurance entity. \n\nAre you happy about death from denied care? You just can\u2019t stop? \n\nI have asked you to stop because that\u2019s about all I can do. Stop taking pulses , stop interfering in this persons family\u2019s life , stop throwing stones at Tsara Brashears. I don\u2019t have it in me to be like you. This is illegal. I am not interested in having a legal battle to fight for someone who is at peace now. \nExactly what kind of relationship could you possibly have with Jeffrey Scott Reimer. Stop sending people to look at every person ever connected to her. How can you enjoy taking options away from someone that was so terribly injured? I hope you recover from your sickness.\n\nCease fire. You want a war. Why? It\u2019s in Gods hands unbeliever. \nIt\u2019s your net, you can get tangled up in it.", "modified": "2025-10-22T03:18:24.424000", "created": "2025-09-22T03:27:10.554000", "tags": [ "expiration", "url https", "url http", "no expiration", "hostname", "iocs", "create new", "pulse use", "pdf report", "pcap", "domain", "virgin islands", "united", "canada", "ireland", "search", "type indicator", "enter source", "url or", "text drag", "drop or", "ipv4", "returnurl", "role title", "added active", "related pulses", "filehashsha256", "claim reversal", "elqaid16867", "elqat1", "elqcst272", "islands", "learn more", "filehashsha1", "filehashmd5", "possible deep", "https", "hall render", "panda", "post", "healthcare plan", "sci c1", "virtool", "service", "data upload", "extraction", "failed", "tract indica", "idea iocs", "q data", "type", "indicator role", "title added", "active related", "pulses url", "entries", "health system", "scan", "types of", "yara", "created", "minutes ago", "otx auto", "new york", "tsara brashears", "medicare united", "report spam", "otx generated", "t1036", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob", "t1055", "brian sabey", "hall render law", "gregg wallender", "adversary", "hackers", "mark sabey", "m brian sabey", "anyxxx", "sexyourway" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 849, "domain": 85, "hostname": 357, "FileHash-MD5": 62, "FileHash-SHA1": 59, "FileHash-SHA256": 77, "email": 4 }, "indicator_count": 1493, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d0b00b7ccb342031594e77", "name": "OTX Generated with strange commentary as always", "description": "OTX Auto populated-> Yara Yara, a 27-year-old woman from New York, has found that a law firm allegedly controlled Tsara Brashears' life and healthcare plan under the guise of being a Medicare United Healthcare plan. |", "modified": "2025-10-22T02:00:03.967000", "created": "2025-09-22T02:10:19.819000", "tags": [ "expiration", "url http", "hall render", "possible deep", "https", "deep panda", "brian sabey", "tsara brashears", "panda", "post", "virtool", "service", "fraud", "url https", "search", "type indicator", "role title", "added active", "related pulses", "claim reversal", "view", "fieldlastname", "filehashmd5", "filehashsha1", "domain", "hostname", "virgin islands", "united", "canada", "ireland", "writeconsolea", "regsetvalueexa", "regdword", "module load", "t1129", "show", "micromedia", "write", "markus", "april", "win32", "lost", "malware", "copy", "c2 activity", "cnc ids", "beacon", "server", "domain status", "algorithm", "key identifier", "x509v3 subject", "full name", "date", "registrar abuse", "registrar", "data", "ipv4", "returnurl", "masquerade task", "t1448", "carrier billing", "fraud endpoint", "security scan", "iocs", "learn more", "relationship", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob", "t1060", "scan", "entries", "healthcare", "legal", "families", "sakurel", "formbook att", "ck ids", "t1199", "render", "brian", "sabey", "fieldssn", "elqaid16867", "elqat1", "elqcst272", "formbookatt", "white insane", "law firm", "run keys", "ta0011", "command", "control", "t1410", "redirection", "medium", "windows", "high", "yara detections", "backdoor", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare", "Legal", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2189, "FileHash-MD5": 469, "FileHash-SHA1": 447, "FileHash-SHA256": 2446, "domain": 465, "hostname": 1224, "email": 15 }, "indicator_count": 7255, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://hallrender.com/resources/blog/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://hallrender.com/resources/blog/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776628967.0162804 }