{
"type": "URL",
"indicator": "https://htmlar-stanley.dfcloan.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://htmlar-stanley.dfcloan.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 2944878557,
"indicator": "https://htmlar-stanley.dfcloan.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 5,
"pulses": [
{
"id": "6894f30905efa56990bb10f6",
"name": "Expanded device-local-****remotewd.com",
"description": "device-local-2ffdbd74-9f90-41fa-beb8-454ed65788c5.remotewd.com",
"modified": "2025-09-06T06:03:31.462000",
"created": "2025-08-07T18:40:09.876000",
"tags": [
"hostname",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"nameservers",
"date hash",
"avast avg",
"entries",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"itre att",
"ck techniques",
"copy md5",
"copy sha1",
"copy sha256",
"sha256",
"sha1",
"mitre att",
"pattern match",
"show technique",
"ck matrix",
"null",
"refresh",
"body",
"span",
"august",
"hybrid",
"general",
"local",
"path",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"domain",
"hostname add",
"files ip",
"address",
"location united",
"hash avast",
"avg clamav",
"msdefender aug",
"united",
"port",
"destination",
"as16509",
"search",
"unknown",
"ocloudflare",
"medium",
"memcommit",
"service",
"write",
"next",
"persistence",
"execution",
"malware",
"copy",
"encrypt",
"win32",
"mtb feb",
"trojan",
"susp",
"trojandropper",
"msr feb",
"trojanspy",
"next associated",
"urls show",
"date checked",
"virtool",
"win64",
"worm",
"mtb may",
"files show",
"heur",
"script",
"dropper",
"ransom",
"vitro",
"pe32",
"intel",
"ms windows",
"as15169",
"read c",
"asnone",
"show",
"packing t1045",
"t1045",
"delphi",
"code",
"june"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 6741,
"domain": 5822,
"FileHash-SHA256": 1550,
"URL": 16348,
"FileHash-MD5": 287,
"FileHash-SHA1": 242,
"SSLCertFingerprint": 9,
"email": 1
},
"indicator_count": 31000,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "225 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6894f4e6c41982f405592b55",
"name": "Worm:Win32/Mydoom | Expanded device-local-****remotewd.com",
"description": "",
"modified": "2025-09-06T06:03:31.462000",
"created": "2025-08-07T18:48:06.557000",
"tags": [
"hostname",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"nameservers",
"date hash",
"avast avg",
"entries",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"itre att",
"ck techniques",
"copy md5",
"copy sha1",
"copy sha256",
"sha256",
"sha1",
"mitre att",
"pattern match",
"show technique",
"ck matrix",
"null",
"refresh",
"body",
"span",
"august",
"hybrid",
"general",
"local",
"path",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"domain",
"hostname add",
"files ip",
"address",
"location united",
"hash avast",
"avg clamav",
"msdefender aug",
"united",
"port",
"destination",
"as16509",
"search",
"unknown",
"ocloudflare",
"medium",
"memcommit",
"service",
"write",
"next",
"persistence",
"execution",
"malware",
"copy",
"encrypt",
"win32",
"mtb feb",
"trojan",
"susp",
"trojandropper",
"msr feb",
"trojanspy",
"next associated",
"urls show",
"date checked",
"virtool",
"win64",
"worm",
"mtb may",
"files show",
"heur",
"script",
"dropper",
"ransom",
"vitro",
"pe32",
"intel",
"ms windows",
"as15169",
"read c",
"asnone",
"show",
"packing t1045",
"t1045",
"delphi",
"code",
"june"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6894f30905efa56990bb10f6",
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 6741,
"domain": 5822,
"FileHash-SHA256": 1550,
"URL": 16348,
"FileHash-MD5": 287,
"FileHash-SHA1": 242,
"SSLCertFingerprint": 9,
"email": 1
},
"indicator_count": 31000,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "225 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68923ea4efbf58b7ba48acec",
"name": "Hosted App",
"description": "",
"modified": "2025-09-04T16:03:17.037000",
"created": "2025-08-05T17:25:56.454000",
"tags": [
"issuer wr3",
"log id",
"gmtn",
"abn timestamp",
"ad180b80",
"full name",
"extensionsstr",
"web server",
"ca issuers",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"spawns",
"mitre att",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"sha256",
"ascii text",
"pattern match",
"show technique",
"date",
"format",
"august",
"hybrid",
"local",
"path",
"click",
"strings",
"flag",
"usa windows",
"hwp support",
"march",
"december",
"united",
"markmonitor",
"overview dns",
"requests domain",
"country",
"contacted hosts",
"ip address",
"process details",
"t1179 hooking",
"access windows",
"installs",
"control att",
"found",
"development att",
"name server",
"show process",
"programfiles",
"command decode",
"suricata ipv4",
"ck matrix",
"comspec",
"model",
"general",
"dynamicloader",
"unknown",
"as16509",
"whitelisted",
"medium",
"write c",
"as15169",
"search",
"high",
"write",
"android",
"malware",
"copy",
"next",
"formbook cnc",
"checkin",
"entries",
"passive dns",
"next associated",
"site",
"neue",
"ipv4",
"pulse pulses",
"exploit",
"trojan",
"virtool",
"body",
"refer",
"present dec",
"epub",
"present jan",
"present nov",
"present oct",
"showing",
"urls show",
"win32",
"win64",
"date checked",
"url hostname",
"server response",
"google safe",
"prefetch8",
"localappdata",
"prefetch1"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 3409,
"hostname": 4127,
"URL": 8408,
"SSLCertFingerprint": 9,
"FileHash-SHA256": 1175,
"FileHash-MD5": 144,
"FileHash-SHA1": 134,
"CVE": 2
},
"indicator_count": 17408,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "227 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "688343b9e60e8693f50e515f",
"name": "Cycbot & worse - Palantir Monitoring Target/s",
"description": "Palantir \u2022 Gotham \u2022 Foundry Top tier sells tools used to monitor, harass, smear , invoke fear, even \u2018kill\u2019. Used by military., too many partners to name (includes the entire government., heavy military, NSA use) of course Twitter, Apple Facebook, Pegasus related, possibly Paragon if what I\u2019ve read and researched is true. *There are 188 Palantir Foundry links in this pulse. ||\nMonitored target || Apparently ,\u2018tool\u2019 is weaponized against civilians for unknown and unwarranted purposes. || Lofty and unclear how or why a manner of death of target was predicted and posted online 12 years ago. || More research is needed.\n\nMalware named was found in research. \n\n #targeted #rip #palantir #foundry #gotham #twitter #techbromafia #silencing #overreach #quasi_gov #ongoing #active #moved #dangerous",
"modified": "2025-08-24T06:01:34.920000",
"created": "2025-07-25T08:43:37.734000",
"tags": [
"status",
"united",
"unknown ns",
"passive dns",
"urls",
"creation date",
"search",
"emails",
"date",
"expiration date",
"tcp include",
"top source",
"top destination",
"show",
"source source",
"data upload",
"extraction",
"showing",
"moved",
"certificate",
"ip address",
"domain",
"body",
"present jul",
"present jun",
"present aug",
"present sep",
"trojan",
"name servers",
"twitter",
"vtflooder",
"foundry",
"virustotal",
"gotham",
"palantir",
"tools",
"destination",
"port",
"msie",
"windows nt",
"unknown",
"read c",
"etpro trojan",
"malware",
"copy",
"write",
"infostealer",
"possible",
"virustotal",
"copyleft",
"present jan",
"entries",
"next associated",
"ipv4 add",
"pulse submit",
"url analysis",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"defense evasion",
"t1480 execution",
"discovery att",
"hostname add",
"files",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"ascii text",
"mitre att",
"pattern match",
"show technique",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"look",
"verify",
"restart",
"se extri",
"referen",
"etpro tr",
"virtool",
"referencec",
"failed",
"se extra",
"eanioae",
"include review",
"exclude sugges",
"includec review",
"exclude",
"suggest data",
"open ports",
"reverse dns",
"location united",
"america flag",
"boardman",
"t1045",
"ck ids",
"packing",
"t1060",
"run keys",
"startup",
"folder",
"t1057",
"discovery",
"t1071",
"value emails",
"name domain",
"org microsoft",
"microsoft way",
"city redmond",
"country us",
"dnssec",
"t1012",
"t1047",
"instrumentation",
"t1053",
"taskjob",
"spyware",
"source",
"signing defense",
"size",
"meta",
"onload",
"dynamicloader",
"unicode text",
"crlf line",
"utf8",
"medium",
"write c",
"default",
"delphi",
"win32",
"code",
"stream",
"next",
"akamai rank",
"show process",
"prefetch2",
"dns server",
"network traffic",
"virus",
"monitored target",
"tofsee",
"generic http",
"exe upload",
"inbound",
"outbound",
"delete",
"yara detections",
"markus",
"flowid22101",
"pixelevtid11771",
"dvid",
"urls show",
"date checked",
"188 palantir results",
"adversaries",
"development att",
"ssl certificate",
"flag",
"stop",
"facebook",
"4328",
"5943",
"stealer",
"unknown aaaa",
"present may",
"domain add",
"hyundaitx",
"twitter",
"monitored tsara",
"brashears",
"apple",
"ios",
"remote",
"cycbot",
"maudio fw",
"heur",
"productversion",
"fileversion",
"maudio firewire"
],
"references": [
"palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/",
"247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com",
"ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain",
"Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)",
"ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection",
"platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/",
"http://legal.twitter.co \u2022 http://mobile.twitter.co/",
"ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com",
"https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com",
"https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com",
"https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com",
"https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com",
"https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/",
"https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com",
"https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com",
"https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com",
"tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com",
"https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022",
"https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/",
"Hostname: hcl-dna-sandbox.palantirfoundry.com",
"https://www.hyundaitx.com/",
"ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check",
"https://remote.downloadnow-1.com/",
"Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp",
"Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection",
"Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source",
"Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004",
"Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |",
"ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Vtflooder-9783271-0",
"display_name": "Win.Malware.Vtflooder-9783271-0",
"target": null
},
{
"id": "Trojan.Kazy-237",
"display_name": "Trojan.Kazy-237",
"target": null
},
{
"id": "Trojan.Vundo-5335",
"display_name": "Trojan.Vundo-5335",
"target": null
},
{
"id": "Generic31.BKFG",
"display_name": "Generic31.BKFG",
"target": null
},
{
"id": "Win.Packed.Krucky-6941986-0",
"display_name": "Win.Packed.Krucky-6941986-0",
"target": null
},
{
"id": "ALF:HSTR:KrunchyMalPacker!MTB",
"display_name": "ALF:HSTR:KrunchyMalPacker!MTB",
"target": null
},
{
"id": "Win.Trojan.Agent-920890",
"display_name": "Win.Trojan.Agent-920890",
"target": null
},
{
"id": "Win.Trojan.Jorik-10365",
"display_name": "Win.Trojan.Jorik-10365",
"target": null
},
{
"id": "Trojan.Adload-2492",
"display_name": "Trojan.Adload-2492",
"target": null
},
{
"id": "Trojan.Spy-59563",
"display_name": "Trojan.Spy-59563",
"target": null
},
{
"id": "Ransom:Win32/Cryptor",
"display_name": "Ransom:Win32/Cryptor",
"target": "/malware/Ransom:Win32/Cryptor"
},
{
"id": "Win32/Blacked",
"display_name": "Win32/Blacked",
"target": null
},
{
"id": "Win.Trojan.Cycbot-764",
"display_name": "Win.Trojan.Cycbot-764",
"target": null
},
{
"id": "Trojan.VB-47534",
"display_name": "Trojan.VB-47534",
"target": null
},
{
"id": "Backdoor:Win32/Drixed.J ,",
"display_name": "Backdoor:Win32/Drixed.J ,",
"target": "/malware/Backdoor:Win32/Drixed.J ,"
},
{
"id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn",
"display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn",
"target": null
},
{
"id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn",
"display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn",
"target": null
},
{
"id": "Malware Tool",
"display_name": "Malware Tool",
"target": null
},
{
"id": "Palantir Spyware",
"display_name": "Palantir Spyware",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0030",
"name": "Defense Evasion",
"display_name": "TA0030 - Defense Evasion"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4203,
"domain": 1218,
"email": 9,
"hostname": 2006,
"FileHash-SHA256": 2740,
"FileHash-MD5": 424,
"FileHash-SHA1": 419,
"SSLCertFingerprint": 12
},
"indicator_count": 11031,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "238 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687c07591d641de3c896d4a9",
"name": "icon.palantirfoundry.com - Brazzers Porn",
"description": "Another strange pulse. Persistent bad actors moved and changed name of operation; of course. Usual - Hostname\nicon.palantirfoundry.com , Apple, Samsung , X.com , Twitter , Facebook, Google, Palantir NSA or a poser? I was threatened this week, I was told that if I was on the \u2018list\u2019 they have to do anything that is asked including \u2018blow me up\u2019. Sounds nuts but I can\u2019t believe this. Whoever has been doing this is hyper dangerous.\n\nicon.palantirfoundry.com ? P.S. Huge pulse. Can\u2019t use private option to cherry pick the IoC\u2019s I\u2019d like to breakdown. Have I broken a rule?",
"modified": "2025-08-18T18:01:11.130000",
"created": "2025-07-19T21:00:09.343000",
"tags": [
"canada unknown",
"passive dns",
"ransom",
"entries",
"ipv4",
"pulse submit",
"url analysis",
"urls",
"files",
"reverse dns",
"united",
"unknown ns",
"moved",
"ip address",
"creation date",
"search",
"omain",
"pulse pulses",
"body",
"date",
"showing",
"domain",
"hostname",
"ocloudflare",
"stca",
"lsan francisco",
"ecc ca3",
"ecc ca2",
"as16509",
"unknown",
"ms windows",
"encrypt",
"write",
"next",
"service",
"malware",
"copy",
"unknown soa",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results jul",
"present jan",
"medium",
"memcommit",
"module load",
"t1129",
"regopenkeyexw",
"fjlsedauv",
"et useragents",
"go http",
"registry run",
"persistence",
"execution",
"checks",
"keys",
"start folder",
"richhash",
"external",
"virustotal api",
"screenshots",
"find",
"show",
"types",
"seard type",
"indicator",
"data upload",
"extraction",
"failed",
"sc data",
"type",
"extri included",
"review data",
"sugges data",
"find suxxesteu",
"typ indicalon"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 62,
"FileHash-SHA1": 17,
"FileHash-SHA256": 1433,
"URL": 10188,
"hostname": 5658,
"domain": 5753,
"email": 4,
"SSLCertFingerprint": 20
},
"indicator_count": 23135,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "244 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com",
"http://legal.twitter.co \u2022 http://mobile.twitter.co/",
"ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection",
"https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com",
"Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp",
"https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com",
"ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain",
"https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/",
"Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004",
"Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |",
"Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)",
"ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com",
"tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com",
"https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com",
"https://www.hyundaitx.com/",
"platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/",
"palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/",
"ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996",
"https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com",
"Hostname: hcl-dna-sandbox.palantirfoundry.com",
"https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/",
"https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com",
"ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check",
"247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com",
"https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com",
"https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022",
"Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection",
"Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source",
"https://remote.downloadnow-1.com/"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Win32/blacked",
"Trojan.kazy-237",
"Backdoor:win32/drixed.j ,",
"Ransom:win32/cryptor",
"Win.malware.vtflooder-9783271-0",
"Trojan.vb-47534",
"Malware tool",
"Trojan.adload-2492",
"Generic31.bkfg",
"Trojan.vundo-5335",
"Alf:hstr:krunchymalpacker!mtb",
"Win.trojan.cycbot-764",
"Palantir spyware",
"Win.packed.krucky-6941986-0",
"Win.trojan.jorik-10365",
"Alf:heraklezeval:pws:win32/ldpinch!rfn",
"Trojan.spy-59563",
"Win.trojan.agent-920890"
],
"industries": [],
"unique_indicators": 63170
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/dfcloan.com",
"whois": "http://whois.domaintools.com/dfcloan.com",
"domain": "dfcloan.com",
"hostname": "htmlar-stanley.dfcloan.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 5,
"pulses": [
{
"id": "6894f30905efa56990bb10f6",
"name": "Expanded device-local-****remotewd.com",
"description": "device-local-2ffdbd74-9f90-41fa-beb8-454ed65788c5.remotewd.com",
"modified": "2025-09-06T06:03:31.462000",
"created": "2025-08-07T18:40:09.876000",
"tags": [
"hostname",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"nameservers",
"date hash",
"avast avg",
"entries",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"itre att",
"ck techniques",
"copy md5",
"copy sha1",
"copy sha256",
"sha256",
"sha1",
"mitre att",
"pattern match",
"show technique",
"ck matrix",
"null",
"refresh",
"body",
"span",
"august",
"hybrid",
"general",
"local",
"path",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"domain",
"hostname add",
"files ip",
"address",
"location united",
"hash avast",
"avg clamav",
"msdefender aug",
"united",
"port",
"destination",
"as16509",
"search",
"unknown",
"ocloudflare",
"medium",
"memcommit",
"service",
"write",
"next",
"persistence",
"execution",
"malware",
"copy",
"encrypt",
"win32",
"mtb feb",
"trojan",
"susp",
"trojandropper",
"msr feb",
"trojanspy",
"next associated",
"urls show",
"date checked",
"virtool",
"win64",
"worm",
"mtb may",
"files show",
"heur",
"script",
"dropper",
"ransom",
"vitro",
"pe32",
"intel",
"ms windows",
"as15169",
"read c",
"asnone",
"show",
"packing t1045",
"t1045",
"delphi",
"code",
"june"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 6741,
"domain": 5822,
"FileHash-SHA256": 1550,
"URL": 16348,
"FileHash-MD5": 287,
"FileHash-SHA1": 242,
"SSLCertFingerprint": 9,
"email": 1
},
"indicator_count": 31000,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "225 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6894f4e6c41982f405592b55",
"name": "Worm:Win32/Mydoom | Expanded device-local-****remotewd.com",
"description": "",
"modified": "2025-09-06T06:03:31.462000",
"created": "2025-08-07T18:48:06.557000",
"tags": [
"hostname",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"nameservers",
"date hash",
"avast avg",
"entries",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"itre att",
"ck techniques",
"copy md5",
"copy sha1",
"copy sha256",
"sha256",
"sha1",
"mitre att",
"pattern match",
"show technique",
"ck matrix",
"null",
"refresh",
"body",
"span",
"august",
"hybrid",
"general",
"local",
"path",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"domain",
"hostname add",
"files ip",
"address",
"location united",
"hash avast",
"avg clamav",
"msdefender aug",
"united",
"port",
"destination",
"as16509",
"search",
"unknown",
"ocloudflare",
"medium",
"memcommit",
"service",
"write",
"next",
"persistence",
"execution",
"malware",
"copy",
"encrypt",
"win32",
"mtb feb",
"trojan",
"susp",
"trojandropper",
"msr feb",
"trojanspy",
"next associated",
"urls show",
"date checked",
"virtool",
"win64",
"worm",
"mtb may",
"files show",
"heur",
"script",
"dropper",
"ransom",
"vitro",
"pe32",
"intel",
"ms windows",
"as15169",
"read c",
"asnone",
"show",
"packing t1045",
"t1045",
"delphi",
"code",
"june"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6894f30905efa56990bb10f6",
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 6741,
"domain": 5822,
"FileHash-SHA256": 1550,
"URL": 16348,
"FileHash-MD5": 287,
"FileHash-SHA1": 242,
"SSLCertFingerprint": 9,
"email": 1
},
"indicator_count": 31000,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "225 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68923ea4efbf58b7ba48acec",
"name": "Hosted App",
"description": "",
"modified": "2025-09-04T16:03:17.037000",
"created": "2025-08-05T17:25:56.454000",
"tags": [
"issuer wr3",
"log id",
"gmtn",
"abn timestamp",
"ad180b80",
"full name",
"extensionsstr",
"web server",
"ca issuers",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"spawns",
"mitre att",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"sha256",
"ascii text",
"pattern match",
"show technique",
"date",
"format",
"august",
"hybrid",
"local",
"path",
"click",
"strings",
"flag",
"usa windows",
"hwp support",
"march",
"december",
"united",
"markmonitor",
"overview dns",
"requests domain",
"country",
"contacted hosts",
"ip address",
"process details",
"t1179 hooking",
"access windows",
"installs",
"control att",
"found",
"development att",
"name server",
"show process",
"programfiles",
"command decode",
"suricata ipv4",
"ck matrix",
"comspec",
"model",
"general",
"dynamicloader",
"unknown",
"as16509",
"whitelisted",
"medium",
"write c",
"as15169",
"search",
"high",
"write",
"android",
"malware",
"copy",
"next",
"formbook cnc",
"checkin",
"entries",
"passive dns",
"next associated",
"site",
"neue",
"ipv4",
"pulse pulses",
"exploit",
"trojan",
"virtool",
"body",
"refer",
"present dec",
"epub",
"present jan",
"present nov",
"present oct",
"showing",
"urls show",
"win32",
"win64",
"date checked",
"url hostname",
"server response",
"google safe",
"prefetch8",
"localappdata",
"prefetch1"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 3409,
"hostname": 4127,
"URL": 8408,
"SSLCertFingerprint": 9,
"FileHash-SHA256": 1175,
"FileHash-MD5": 144,
"FileHash-SHA1": 134,
"CVE": 2
},
"indicator_count": 17408,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "227 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "688343b9e60e8693f50e515f",
"name": "Cycbot & worse - Palantir Monitoring Target/s",
"description": "Palantir \u2022 Gotham \u2022 Foundry Top tier sells tools used to monitor, harass, smear , invoke fear, even \u2018kill\u2019. Used by military., too many partners to name (includes the entire government., heavy military, NSA use) of course Twitter, Apple Facebook, Pegasus related, possibly Paragon if what I\u2019ve read and researched is true. *There are 188 Palantir Foundry links in this pulse. ||\nMonitored target || Apparently ,\u2018tool\u2019 is weaponized against civilians for unknown and unwarranted purposes. || Lofty and unclear how or why a manner of death of target was predicted and posted online 12 years ago. || More research is needed.\n\nMalware named was found in research. \n\n #targeted #rip #palantir #foundry #gotham #twitter #techbromafia #silencing #overreach #quasi_gov #ongoing #active #moved #dangerous",
"modified": "2025-08-24T06:01:34.920000",
"created": "2025-07-25T08:43:37.734000",
"tags": [
"status",
"united",
"unknown ns",
"passive dns",
"urls",
"creation date",
"search",
"emails",
"date",
"expiration date",
"tcp include",
"top source",
"top destination",
"show",
"source source",
"data upload",
"extraction",
"showing",
"moved",
"certificate",
"ip address",
"domain",
"body",
"present jul",
"present jun",
"present aug",
"present sep",
"trojan",
"name servers",
"twitter",
"vtflooder",
"foundry",
"virustotal",
"gotham",
"palantir",
"tools",
"destination",
"port",
"msie",
"windows nt",
"unknown",
"read c",
"etpro trojan",
"malware",
"copy",
"write",
"infostealer",
"possible",
"virustotal",
"copyleft",
"present jan",
"entries",
"next associated",
"ipv4 add",
"pulse submit",
"url analysis",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"defense evasion",
"t1480 execution",
"discovery att",
"hostname add",
"files",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"ascii text",
"mitre att",
"pattern match",
"show technique",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"look",
"verify",
"restart",
"se extri",
"referen",
"etpro tr",
"virtool",
"referencec",
"failed",
"se extra",
"eanioae",
"include review",
"exclude sugges",
"includec review",
"exclude",
"suggest data",
"open ports",
"reverse dns",
"location united",
"america flag",
"boardman",
"t1045",
"ck ids",
"packing",
"t1060",
"run keys",
"startup",
"folder",
"t1057",
"discovery",
"t1071",
"value emails",
"name domain",
"org microsoft",
"microsoft way",
"city redmond",
"country us",
"dnssec",
"t1012",
"t1047",
"instrumentation",
"t1053",
"taskjob",
"spyware",
"source",
"signing defense",
"size",
"meta",
"onload",
"dynamicloader",
"unicode text",
"crlf line",
"utf8",
"medium",
"write c",
"default",
"delphi",
"win32",
"code",
"stream",
"next",
"akamai rank",
"show process",
"prefetch2",
"dns server",
"network traffic",
"virus",
"monitored target",
"tofsee",
"generic http",
"exe upload",
"inbound",
"outbound",
"delete",
"yara detections",
"markus",
"flowid22101",
"pixelevtid11771",
"dvid",
"urls show",
"date checked",
"188 palantir results",
"adversaries",
"development att",
"ssl certificate",
"flag",
"stop",
"facebook",
"4328",
"5943",
"stealer",
"unknown aaaa",
"present may",
"domain add",
"hyundaitx",
"twitter",
"monitored tsara",
"brashears",
"apple",
"ios",
"remote",
"cycbot",
"maudio fw",
"heur",
"productversion",
"fileversion",
"maudio firewire"
],
"references": [
"palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/",
"247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com",
"ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain",
"Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)",
"ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection",
"platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/",
"http://legal.twitter.co \u2022 http://mobile.twitter.co/",
"ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com",
"https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com",
"https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com",
"https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com",
"https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com",
"https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/",
"https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com",
"https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com",
"https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com",
"tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com",
"https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022",
"https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/",
"Hostname: hcl-dna-sandbox.palantirfoundry.com",
"https://www.hyundaitx.com/",
"ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check",
"https://remote.downloadnow-1.com/",
"Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp",
"Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection",
"Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source",
"Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004",
"Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |",
"ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Vtflooder-9783271-0",
"display_name": "Win.Malware.Vtflooder-9783271-0",
"target": null
},
{
"id": "Trojan.Kazy-237",
"display_name": "Trojan.Kazy-237",
"target": null
},
{
"id": "Trojan.Vundo-5335",
"display_name": "Trojan.Vundo-5335",
"target": null
},
{
"id": "Generic31.BKFG",
"display_name": "Generic31.BKFG",
"target": null
},
{
"id": "Win.Packed.Krucky-6941986-0",
"display_name": "Win.Packed.Krucky-6941986-0",
"target": null
},
{
"id": "ALF:HSTR:KrunchyMalPacker!MTB",
"display_name": "ALF:HSTR:KrunchyMalPacker!MTB",
"target": null
},
{
"id": "Win.Trojan.Agent-920890",
"display_name": "Win.Trojan.Agent-920890",
"target": null
},
{
"id": "Win.Trojan.Jorik-10365",
"display_name": "Win.Trojan.Jorik-10365",
"target": null
},
{
"id": "Trojan.Adload-2492",
"display_name": "Trojan.Adload-2492",
"target": null
},
{
"id": "Trojan.Spy-59563",
"display_name": "Trojan.Spy-59563",
"target": null
},
{
"id": "Ransom:Win32/Cryptor",
"display_name": "Ransom:Win32/Cryptor",
"target": "/malware/Ransom:Win32/Cryptor"
},
{
"id": "Win32/Blacked",
"display_name": "Win32/Blacked",
"target": null
},
{
"id": "Win.Trojan.Cycbot-764",
"display_name": "Win.Trojan.Cycbot-764",
"target": null
},
{
"id": "Trojan.VB-47534",
"display_name": "Trojan.VB-47534",
"target": null
},
{
"id": "Backdoor:Win32/Drixed.J ,",
"display_name": "Backdoor:Win32/Drixed.J ,",
"target": "/malware/Backdoor:Win32/Drixed.J ,"
},
{
"id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn",
"display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn",
"target": null
},
{
"id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn",
"display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn",
"target": null
},
{
"id": "Malware Tool",
"display_name": "Malware Tool",
"target": null
},
{
"id": "Palantir Spyware",
"display_name": "Palantir Spyware",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0030",
"name": "Defense Evasion",
"display_name": "TA0030 - Defense Evasion"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4203,
"domain": 1218,
"email": 9,
"hostname": 2006,
"FileHash-SHA256": 2740,
"FileHash-MD5": 424,
"FileHash-SHA1": 419,
"SSLCertFingerprint": 12
},
"indicator_count": 11031,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "238 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687c07591d641de3c896d4a9",
"name": "icon.palantirfoundry.com - Brazzers Porn",
"description": "Another strange pulse. Persistent bad actors moved and changed name of operation; of course. Usual - Hostname\nicon.palantirfoundry.com , Apple, Samsung , X.com , Twitter , Facebook, Google, Palantir NSA or a poser? I was threatened this week, I was told that if I was on the \u2018list\u2019 they have to do anything that is asked including \u2018blow me up\u2019. Sounds nuts but I can\u2019t believe this. Whoever has been doing this is hyper dangerous.\n\nicon.palantirfoundry.com ? P.S. Huge pulse. Can\u2019t use private option to cherry pick the IoC\u2019s I\u2019d like to breakdown. Have I broken a rule?",
"modified": "2025-08-18T18:01:11.130000",
"created": "2025-07-19T21:00:09.343000",
"tags": [
"canada unknown",
"passive dns",
"ransom",
"entries",
"ipv4",
"pulse submit",
"url analysis",
"urls",
"files",
"reverse dns",
"united",
"unknown ns",
"moved",
"ip address",
"creation date",
"search",
"omain",
"pulse pulses",
"body",
"date",
"showing",
"domain",
"hostname",
"ocloudflare",
"stca",
"lsan francisco",
"ecc ca3",
"ecc ca2",
"as16509",
"unknown",
"ms windows",
"encrypt",
"write",
"next",
"service",
"malware",
"copy",
"unknown soa",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results jul",
"present jan",
"medium",
"memcommit",
"module load",
"t1129",
"regopenkeyexw",
"fjlsedauv",
"et useragents",
"go http",
"registry run",
"persistence",
"execution",
"checks",
"keys",
"start folder",
"richhash",
"external",
"virustotal api",
"screenshots",
"find",
"show",
"types",
"seard type",
"indicator",
"data upload",
"extraction",
"failed",
"sc data",
"type",
"extri included",
"review data",
"sugges data",
"find suxxesteu",
"typ indicalon"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 62,
"FileHash-SHA1": 17,
"FileHash-SHA256": 1433,
"URL": 10188,
"hostname": 5658,
"domain": 5753,
"email": 4,
"SSLCertFingerprint": 20
},
"indicator_count": 23135,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "244 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://htmlar-stanley.dfcloan.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://htmlar-stanley.dfcloan.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776659815.8817554
}