{ "type": "URL", "indicator": "https://henry.dns-dynamic.net/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://henry.dns-dynamic.net/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4142065228, "indicator": "https://henry.dns-dynamic.net/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6a16a621eac2621d97ca6596", "name": "Credit Q.Vashti [\"Device Isolation | Lumen Technologies | Palantir and\"] clone by Q Vashti (researcher)", "description": "", "modified": "2026-05-27T08:25:07.936000", "created": "2026-05-27T08:06:57.005000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "697cdce9ec418c422eee2054", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 8, "CVE": 2 }, "indicator_count": 9594, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697cdce9ec418c422eee2054", "name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019", "description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.", "modified": "2026-03-01T16:05:57.375000", "created": "2026-01-30T16:31:37.011000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 7, "CVE": 1 }, "indicator_count": 9592, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9288e0d98f3b44c2cb90c", "name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety", "description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T18:55:10.527000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "190 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f93b1cebf80f48450bd517", "name": "Yuner - File deletion and Disk Wiping / Cyberstalking ", "description": "", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T20:14:20.632000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": "68f9288e0d98f3b44c2cb90c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "190 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://brand2.centurylinktechnology.com", "cedevice.io \u2022 decagonsoftware.com", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "https://prod.centurylinktechnology.com", "inst.govelopscold.com", "7box.vip", "UPX_OEP_place", "Tipped: A targets AI and other cyber research findings.", "Alerts: console_output has_pdb pe_unknown_resource_name", "https://mobile-pocket-guide.centurylinktechnology.com", "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "https://elegantcosmedampyeah.pages.dev/", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "https://feedback.ptv.vic.gov.au/360", "https://brand.centurylinktechnology.com", "https://palapa.c.id\t (c.id)", "Yare: compromised_site_redirector_fromcharcode", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "pcup.gov.ph:", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "ASP. NET", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Lockbit", "Other dangerous malware", "Pws:win32/axespec.a", "Alf:heraklezeval:pua:win32/ultradownloads", "Worm:win32/lightmoon.h", "Trojan.tofsee/botx", "Alf:jasyp:trojan:win32/ircbot!atmn" ], "industries": [ "Oil" ], "unique_indicators": 17335 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/dns-dynamic.net", "whois": "http://whois.domaintools.com/dns-dynamic.net", "domain": "dns-dynamic.net", "hostname": "henry.dns-dynamic.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6a16a621eac2621d97ca6596", "name": "Credit Q.Vashti [\"Device Isolation | Lumen Technologies | Palantir and\"] clone by Q Vashti (researcher)", "description": "", "modified": "2026-05-27T08:25:07.936000", "created": "2026-05-27T08:06:57.005000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "697cdce9ec418c422eee2054", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 8, "CVE": 2 }, "indicator_count": 9594, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697cdce9ec418c422eee2054", "name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019", "description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.", "modified": "2026-03-01T16:05:57.375000", "created": "2026-01-30T16:31:37.011000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 7, "CVE": 1 }, "indicator_count": 9592, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9288e0d98f3b44c2cb90c", "name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety", "description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T18:55:10.527000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "190 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f93b1cebf80f48450bd517", "name": "Yuner - File deletion and Disk Wiping / Cyberstalking ", "description": "", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T20:14:20.632000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": "68f9288e0d98f3b44c2cb90c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "190 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://henry.dns-dynamic.net/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://henry.dns-dynamic.net/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780238162.307192 }