{ "type": "URL", "indicator": "https://hyas.com/privacy-statement", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://hyas.com/privacy-statement", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4156789740, "indicator": "https://hyas.com/privacy-statement", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69770bdfbdd845a3d5cb2484", "name": "Drive-by Compromise | Rootkit installed on Apple Device", "description": "Drive-by Compromise | Rootkit installed on Apple Device | The devices in this example are obviously compromised. We tested a device another Apple device by viewing a Sprouts Farmers Market E-commerce website. The App crashed revealing the source of the issue. I admit that even though device is HEAVILY compromised by threat actors; it continued to preform.\nThis week the Apple devices have experienced a series of BLACK & PINK stutters One had the letter \u2018P\u2019. The most important part of the research is who & why someone targets victims of crime who are either deceased or catastrophically injured. One victims \u2018voice\u2019 has been captured and is now calling people she knew and creeping them out. \n\nAlso curious about the \u2018Hello\u2019 api lineages. Malware packed. Check-ins & Bot Network found.\n\n[OTX auto populated- Here is the full list of URLs from the 20th anniversary of the birth of Daylin Olson, who was born and raised in New York in the US, and who he is now.]\n\n#stop", "modified": "2026-02-25T06:02:12.072000", "created": "2026-01-26T06:38:23.334000", "tags": [ "url https", "url http", "netherlands", "france", "united", "canada", "spain", "ascii text", "pattern match", "mitre att", "ck id", "null", "refresh", "title", "span", "hybrid", "general", "local", "path", "strings", "error", "tools", "look", "verify", "restart", "meta", "form", "bad traffic", "et info", "tls handshake", "failure", "flag", "windir", "openurl c", "prefetch2", "analysis", "ck matrix", "href", "network traffic", "encrypt", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "ssl certificate", "initial access", "zerobits", "allocationtype", "protect", "programfiles", "processhandle", "commitsize", "viewsize", "regionsize", "viewsize d5000", "viewsize c9000", "phishing", "filehandle", "report uid", "handles modules", "files amsi", "streams", "path filehandle", "porthandle", "modules files", "amsi streams", "accept", "starfield", "onload", "root", "backdoor", "passive dns", "next associated", "gmt location", "ipv4 add", "urls", "files", "search", "domain address", "markmonitor", "name server", "se referen", "ntprotec", "data upload", "extraction", "country", "overview dns", "requests domain", "date", "contacted hosts", "ip address", "defense evasion", "found", "size", "mask", "enterprise", "trojanspy", "checkin", "gmt content", "vercel x", "twitter", "trojan", "malware", "for privacy", "servers", "domains ii", "record value", "ca issuers", "unknown aaaa", "status", "present jul", "moved", "present jan", "present oct", "present sep", "unknown ns", "present dec", "ipv4", "url analysis", "location united", "1.25.26", "q.vashti pulse", "cloud", "foundry", "process details", "formbook cnc", "cape", "autoit", "high", "formbook", "yara rule", "delete", "get na", "write", "unknown", "copy", "autoit error", "autoIt paused", "global", "div div", "script script", "h6 div", "p div", "registrar", "project", "showing", "emails", "name servers", "ids detec", "domain", "hostname", "hello", "spyware" ], "references": [ "https://hello.extendedstay.com/api/mailings/unsubscribe/PMRGSZBCHIYTGOBWGYYTOLBCN5ZGOIR2EI2DGYZVMQ3DMNZNGY3GEYZNGQ2GIMBNMEYGENBNGQZDMMZYGA3DGZRZGI4SELBCOZSXE43JN5XCEORCGQRCYITTNFTSEORCHAZEKSCRNZ3UWTKHLA4US2BWNFVWK2SKKNXHAZTBO5RGOY2FGFYUOTTGNRJHQ5RZFU4TAPJCPU", "NtProtectVirtualMemory@NTDLL.DLL", "66.33.60.130 command_and_control", "76.76.21.61 command_and_control", "IDS Detections Trojan.Generic.KDV.545753 Checkin", "https://communityinviter.com/apps/cloudfoundry/cloud-foundry", "http://cve.chainguard.dev", "http://partners.spycloud.com", "https://signin-pro-azure.crayon.com/signin-oidc", "Invalid IP (052.105.023.053)", "https://codesearch.criteois.com/opengrok/search?q=", "https://grok-chatbot.tapnetic.pro/$", "spywarewatchdog.org", "http://git.spywarewatchdog.org", "https://bot.dev.talos-systems.io/", "https://otx.alienvault.com/pulse/6976d6afd744c55bd596ed6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Dropper.Gh0stRAT-10028210-0", "display_name": "Win.Dropper.Gh0stRAT-10028210-0", "target": null }, { "id": "Backdoor:Win32/Kanav.A", "display_name": "Backdoor:Win32/Kanav.A", "target": "/malware/Backdoor:Win32/Kanav.A" }, { "id": "Win.Trojan.Upatre-3371", "display_name": "Win.Trojan.Upatre-3371", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Win.Trojan.Upatre-3371", "display_name": "Win.Trojan.Upatre-3371", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Win.Dropper.LokiBot-10010685-0", "display_name": "Win.Dropper.LokiBot-10010685-0", "target": null }, { "id": "Win.Packed.Dapato-10021645-0", "display_name": "Win.Packed.Dapato-10021645-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Win.Packed.Malwarex-9792170-0", "display_name": "Win.Packed.Malwarex-9792170-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "AutoIt", "display_name": "AutoIt", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1584.003", "name": "Virtual Private Server", "display_name": "T1584.003 - Virtual Private Server" } ], "industries": [ "Ecommerce", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6777, "domain": 907, "hostname": 2070, "FileHash-SHA256": 1120, "FileHash-MD5": 202, "FileHash-SHA1": 184, "SSLCertFingerprint": 23, "email": 4 }, "indicator_count": 11287, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692f04e9fa3d782118e94aac", "name": "LevelBlue - Open Threat Exchange - Delete AppDeployed", "description": "I\u2019m not sure what to think. |\ndeploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev | Are these\npulses being sold or attacked? Christopher P. Ahmann of TAM Legal and his other firms has ALWAYS attacked targets phones and networks. Nothing is too outrageous for this maniac.\n\nHe is responsible for the recent attacks on devices , clouds , google accounts and a flurry of threats. Indicators in recently pulsed reports have been removed. I\u2019ve done my best to restore. \n\nI am also concerned about the safety or legitimacy of this platform.\n\nNo one is ever alerted. Simply calling someone and telling them about the compromises can equate to a big pay day for Level Blue and nothing for the victims of attacks. I need my pulses restored. \n\nIt\u2019s plausible to believe OTX was attacked by an external threat actor.\nAnything is possible when it comes to money.", "modified": "2026-01-01T15:04:20.907000", "created": "2025-12-02T15:25:29.158000", "tags": [ "levelblue", "open threat", "dynamicloader", "tlsv1", "high", "msie", "windows nt", "delete c", "fwlink", "stream", "powershell", "write", "malware", "local", "united", "flag", "date", "server", "crazy egg", "name server", "gmt flag", "domain address", "markmonitor", "enom", "sugges", "onv incude", "data upload", "find s", "extraction", "types", "type", "indicator", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "contacted hosts", "search", "entries", "read c", "medium", "memcommit", "tls handshake", "failure", "module load", "next", "execution", "dock", "capture", "persistence", "copy", "unknown", "suricata alert", "et info", "bad traffic", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "t1480 execution", "file defense", "write c", "x02x82", "xe6x15c6", "x16f", "xc0xc0xc0", "revengerat", "guard", "service", "encrypt", "entries yara", "delphi", "win32", "jordan", "delete app" ], "references": [ "https://otx.alienvault.com/indicator/domain/Tamlegal.com", "DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz", "endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander", "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Vmprotect-9880726-0", "display_name": "Win.Malware.Vmprotect-9880726-0", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" } ], "industries": [ "Technology", "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4624, "FileHash-SHA256": 2021, "FileHash-MD5": 51, "FileHash-SHA1": 20, "SSLCertFingerprint": 10, "hostname": 1433, "domain": 728 }, "indicator_count": 8887, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "107 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IDS Detections Trojan.Generic.KDV.545753 Checkin", "Invalid IP (052.105.023.053)", "https://otx.alienvault.com/pulse/6976d6afd744c55bd596ed6e", "66.33.60.130 command_and_control", "https://codesearch.criteois.com/opengrok/search?q=", "https://bot.dev.talos-systems.io/", "https://communityinviter.com/apps/cloudfoundry/cloud-foundry", "spywarewatchdog.org", "https://grok-chatbot.tapnetic.pro/$", "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev", "NtProtectVirtualMemory@NTDLL.DLL", "76.76.21.61 command_and_control", "endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander", "https://signin-pro-azure.crayon.com/signin-oidc", "https://hello.extendedstay.com/api/mailings/unsubscribe/PMRGSZBCHIYTGOBWGYYTOLBCN5ZGOIR2EI2DGYZVMQ3DMNZNGY3GEYZNGQ2GIMBNMEYGENBNGQZDMMZYGA3DGZRZGI4SELBCOZSXE43JN5XCEORCGQRCYITTNFTSEORCHAZEKSCRNZ3UWTKHLA4US2BWNFVWK2SKKNXHAZTBO5RGOY2FGFYUOTTGNRJHQ5RZFU4TAPJCPU", "http://git.spywarewatchdog.org", "http://partners.spycloud.com", "http://cve.chainguard.dev", "DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz", "https://otx.alienvault.com/indicator/domain/Tamlegal.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.packed.dapato-10021645-0", "Win.trojan.upatre-3371", "Trojandownloader:win32/upatre.a", "Other malware", "Win.malware.vmprotect-9880726-0", "Trojanspy:win32/nivdort.cw", "Win.packed.malwarex-9792170-0", "Autoit", "Formbook", "Win.dropper.gh0strat-10028210-0", "Backdoor:win32/kanav.a", "Win.dropper.lokibot-10010685-0", "Trojan:win32/glupteba.mt!mtb" ], "industries": [ "Ecommerce", "Government", "Legal", "Technology" ], "unique_indicators": 20241 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/hyas.com", "whois": "http://whois.domaintools.com/hyas.com", "domain": "hyas.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69770bdfbdd845a3d5cb2484", "name": "Drive-by Compromise | Rootkit installed on Apple Device", "description": "Drive-by Compromise | Rootkit installed on Apple Device | The devices in this example are obviously compromised. We tested a device another Apple device by viewing a Sprouts Farmers Market E-commerce website. The App crashed revealing the source of the issue. I admit that even though device is HEAVILY compromised by threat actors; it continued to preform.\nThis week the Apple devices have experienced a series of BLACK & PINK stutters One had the letter \u2018P\u2019. The most important part of the research is who & why someone targets victims of crime who are either deceased or catastrophically injured. One victims \u2018voice\u2019 has been captured and is now calling people she knew and creeping them out. \n\nAlso curious about the \u2018Hello\u2019 api lineages. Malware packed. Check-ins & Bot Network found.\n\n[OTX auto populated- Here is the full list of URLs from the 20th anniversary of the birth of Daylin Olson, who was born and raised in New York in the US, and who he is now.]\n\n#stop", "modified": "2026-02-25T06:02:12.072000", "created": "2026-01-26T06:38:23.334000", "tags": [ "url https", "url http", "netherlands", "france", "united", "canada", "spain", "ascii text", "pattern match", "mitre att", "ck id", "null", "refresh", "title", "span", "hybrid", "general", "local", "path", "strings", "error", "tools", "look", "verify", "restart", "meta", "form", "bad traffic", "et info", "tls handshake", "failure", "flag", "windir", "openurl c", "prefetch2", "analysis", "ck matrix", "href", "network traffic", "encrypt", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "ssl certificate", "initial access", "zerobits", "allocationtype", "protect", "programfiles", "processhandle", "commitsize", "viewsize", "regionsize", "viewsize d5000", "viewsize c9000", "phishing", "filehandle", "report uid", "handles modules", "files amsi", "streams", "path filehandle", "porthandle", "modules files", "amsi streams", "accept", "starfield", "onload", "root", "backdoor", "passive dns", "next associated", "gmt location", "ipv4 add", "urls", "files", "search", "domain address", "markmonitor", "name server", "se referen", "ntprotec", "data upload", "extraction", "country", "overview dns", "requests domain", "date", "contacted hosts", "ip address", "defense evasion", "found", "size", "mask", "enterprise", "trojanspy", "checkin", "gmt content", "vercel x", "twitter", "trojan", "malware", "for privacy", "servers", "domains ii", "record value", "ca issuers", "unknown aaaa", "status", "present jul", "moved", "present jan", "present oct", "present sep", "unknown ns", "present dec", "ipv4", "url analysis", "location united", "1.25.26", "q.vashti pulse", "cloud", "foundry", "process details", "formbook cnc", "cape", "autoit", "high", "formbook", "yara rule", "delete", "get na", "write", "unknown", "copy", "autoit error", "autoIt paused", "global", "div div", "script script", "h6 div", "p div", "registrar", "project", "showing", "emails", "name servers", "ids detec", "domain", "hostname", "hello", "spyware" ], "references": [ "https://hello.extendedstay.com/api/mailings/unsubscribe/PMRGSZBCHIYTGOBWGYYTOLBCN5ZGOIR2EI2DGYZVMQ3DMNZNGY3GEYZNGQ2GIMBNMEYGENBNGQZDMMZYGA3DGZRZGI4SELBCOZSXE43JN5XCEORCGQRCYITTNFTSEORCHAZEKSCRNZ3UWTKHLA4US2BWNFVWK2SKKNXHAZTBO5RGOY2FGFYUOTTGNRJHQ5RZFU4TAPJCPU", "NtProtectVirtualMemory@NTDLL.DLL", "66.33.60.130 command_and_control", "76.76.21.61 command_and_control", "IDS Detections Trojan.Generic.KDV.545753 Checkin", "https://communityinviter.com/apps/cloudfoundry/cloud-foundry", "http://cve.chainguard.dev", "http://partners.spycloud.com", "https://signin-pro-azure.crayon.com/signin-oidc", "Invalid IP (052.105.023.053)", "https://codesearch.criteois.com/opengrok/search?q=", "https://grok-chatbot.tapnetic.pro/$", "spywarewatchdog.org", "http://git.spywarewatchdog.org", "https://bot.dev.talos-systems.io/", "https://otx.alienvault.com/pulse/6976d6afd744c55bd596ed6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Dropper.Gh0stRAT-10028210-0", "display_name": "Win.Dropper.Gh0stRAT-10028210-0", "target": null }, { "id": "Backdoor:Win32/Kanav.A", "display_name": "Backdoor:Win32/Kanav.A", "target": "/malware/Backdoor:Win32/Kanav.A" }, { "id": "Win.Trojan.Upatre-3371", "display_name": "Win.Trojan.Upatre-3371", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Win.Trojan.Upatre-3371", "display_name": "Win.Trojan.Upatre-3371", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Win.Dropper.LokiBot-10010685-0", "display_name": "Win.Dropper.LokiBot-10010685-0", "target": null }, { "id": "Win.Packed.Dapato-10021645-0", "display_name": "Win.Packed.Dapato-10021645-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Win.Packed.Malwarex-9792170-0", "display_name": "Win.Packed.Malwarex-9792170-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "AutoIt", "display_name": "AutoIt", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1584.003", "name": "Virtual Private Server", "display_name": "T1584.003 - Virtual Private Server" } ], "industries": [ "Ecommerce", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6777, "domain": 907, "hostname": 2070, "FileHash-SHA256": 1120, "FileHash-MD5": 202, "FileHash-SHA1": 184, "SSLCertFingerprint": 23, "email": 4 }, "indicator_count": 11287, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692f04e9fa3d782118e94aac", "name": "LevelBlue - Open Threat Exchange - Delete AppDeployed", "description": "I\u2019m not sure what to think. |\ndeploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev | Are these\npulses being sold or attacked? Christopher P. Ahmann of TAM Legal and his other firms has ALWAYS attacked targets phones and networks. Nothing is too outrageous for this maniac.\n\nHe is responsible for the recent attacks on devices , clouds , google accounts and a flurry of threats. Indicators in recently pulsed reports have been removed. I\u2019ve done my best to restore. \n\nI am also concerned about the safety or legitimacy of this platform.\n\nNo one is ever alerted. Simply calling someone and telling them about the compromises can equate to a big pay day for Level Blue and nothing for the victims of attacks. I need my pulses restored. \n\nIt\u2019s plausible to believe OTX was attacked by an external threat actor.\nAnything is possible when it comes to money.", "modified": "2026-01-01T15:04:20.907000", "created": "2025-12-02T15:25:29.158000", "tags": [ "levelblue", "open threat", "dynamicloader", "tlsv1", "high", "msie", "windows nt", "delete c", "fwlink", "stream", "powershell", "write", "malware", "local", "united", "flag", "date", "server", "crazy egg", "name server", "gmt flag", "domain address", "markmonitor", "enom", "sugges", "onv incude", "data upload", "find s", "extraction", "types", "type", "indicator", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "contacted hosts", "search", "entries", "read c", "medium", "memcommit", "tls handshake", "failure", "module load", "next", "execution", "dock", "capture", "persistence", "copy", "unknown", "suricata alert", "et info", "bad traffic", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "t1480 execution", "file defense", "write c", "x02x82", "xe6x15c6", "x16f", "xc0xc0xc0", "revengerat", "guard", "service", "encrypt", "entries yara", "delphi", "win32", "jordan", "delete app" ], "references": [ "https://otx.alienvault.com/indicator/domain/Tamlegal.com", "DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz", "endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander", "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Vmprotect-9880726-0", "display_name": "Win.Malware.Vmprotect-9880726-0", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" } ], "industries": [ "Technology", "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4624, "FileHash-SHA256": 2021, "FileHash-MD5": 51, "FileHash-SHA1": 20, "SSLCertFingerprint": 10, "hostname": 1433, "domain": 728 }, "indicator_count": 8887, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "107 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://hyas.com/privacy-statement", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://hyas.com/privacy-statement", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776607281.1837716 }