{ "type": "URL", "indicator": "https://identity.dev-cdc.jemena.com.au", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://identity.dev-cdc.jemena.com.au", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4185311280, "indicator": "https://identity.dev-cdc.jemena.com.au", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "69ded8198b25581a09b90824", "name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration", "description": "", "modified": "2026-04-15T00:13:13.981000", "created": "2026-04-15T00:13:13.981000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69db05f833d3d6d2231fb201", "name": "CREDIT: Q.Vashti's research: SearchSuite \u2022 Healthcare Administration CREATED 6 HOURS AGO by Q.Vashti", "description": "", "modified": "2026-04-12T02:39:52.993000", "created": "2026-04-12T02:39:52.993000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dab27a0493e0e80a0f35cd", "name": "SearchSuite \u2022 Healthcare Administration", "description": "Embedded in communication between a healthcare system and a client. \n\nThis is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads , call failures.", "modified": "2026-04-11T20:43:38.695000", "created": "2026-04-11T20:43:38.695000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d8a665177b8f64c7ce5fca", "name": "LibraryLoader \u2022 Samuel Tulach | Abuse of malicious sssets engineered by DevOp & Security Researcher", "description": "Samuel Tulach is involved in various projects related to government work, particularly in areas like DevSecOps and app modernization. \nOverview of Samuel Tulach's \"uploader.exe\"\nThe file \"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines. This classification indicates that the file poses a potential threat to users' systems.\nSecurity Engine Flags. Several security engines have flagged \"uploader.exe\" as malicious.\nSecureAge APEX\tMalicious\nSentinelOne\tMalicious\nImplications of Malicious Flags\nPotential Risks: Files flagged as malicious can lead to various security issues, including data theft, unauthorized access, or system damage.\nRecommended Actions: Users should avoid downloading or executing this file. If already downloaded, it is advisable to delete it and run a full system scan using reputable antivirus software.", "modified": "2026-04-10T07:27:33.587000", "created": "2026-04-10T07:27:33.587000", "tags": [ "x vercel", "united", "america", "germany malware", "family", "ck ids", "packing", "tulach", "ocsp", "extraction", "data upload", "enter sc", "extra data", "include review", "exclude sugges", "find s", "failed", "typ no", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "pattern match", "mitre att", "ascii text", "span", "title", "meta", "path", "april", "hybrid", "general", "local", "encrypt", "click", "strings", "main", "footer", "pcsb", "naga", "magda", "no expiration", "url https", "domain", "github pages", "a domains", "passive dns", "mtb jan", "class", "sea x", "accept encoding", "trojanspy", "accept", "otx logo", "all ipv4", "urls", "files", "america flag", "space", "ck matrix", "handle", "winvmaddress", "cdecl crashpad", "null", "software", "comment", "entity", "internal", "blank", "magic", "infinity", "first", "valentine", "error", "webview", "front", "patched", "root", "tristate", "libraryloader", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "filehash", "win32", "malware", "write", "backdoor", "present apr", "lowfi", "aaaa", "lowfijavazkm", "x.com", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "ff d5", "yara rule", "f0 ff", "eb e1", "unknown", "trojan", "zeppelin", "autorun", "united states", "china unknown", "div div", "ip address", "record value", "samuel tulach", "czechia unknown", "italy unknown", "gmt server", "all domain", "next associated", "reverse dns", "location czech", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "file type", "telfhash", "virustotal api", "vendor finding", "notes clamav", "files matching", "number", "t1045", "search", "directui", "element", "medium", "classinfobase", "value", "write c", "hwndhost", "sapeav12", "worm", "explorer", "insert", "movie", "mtb apr", "mtb mar", "trojandropper", "displayname", "windows", "high", "delete c", "tofsee", "stream", "push", "url http", "c mar", "virtool", "c jan", "c dec", "toolbar", "ransom", "article", "windows nt", "gmtvia", "html", "bad traffic", "et info", "tls handshake", "belgium", "present dec", "present feb", "intel", "elf upx", "medium risk", "info", "moved", "hostname add", "whois registrar", "media", "delphi", "guard", "code", "devsecops", "github", "github internet", "archive samuel", "tulach", "government work", "key areas", "devops process", "security engine", "flags", "apex malicious", "implications", "malicious flags", "potential risks", "name servers", "apple id", "script urls", "show process", "secure", "win64", "khtml", "gecko", "programfiles", "cookie", "comspec", "model", "june", "spawns", "id name", "malicious", "gui", "anti cheats", "game tech", "c++" ], "references": [ "https://nextcloud.tulach.cc/ \u2022 https://nextcloud.tulach.cc/", "bleepingcomputer.com \u2022 CliffsNotes", "x.com - Malware Packed", "nr-data.net \u2022 www.youtube.com", "Alerts network_icmp allocates_rwx packer_entropy pe_features pe_unknown_resource_name Related Pulses", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "discord.com \u2022 discord.gg", "api.item.yixun.com", "Unix.Trojan.Mirai-9441505-0 Yara Detections is__elf \u2022 217.11.249.145", "Domains Contacted: fenbushijujuefuwu.com", "angryblackwomyn.com", "https://medium.com/the-pink/how-a-white-womans-anger-makes-her-racism-spill-out-563853905a42", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/41ad1d349716b3e62f914c0907323ae8e0a37198d237a02d71a0d5e05ffaa727", "https://www.forpsi.com domain forpsi.com\t Domain asp.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "www.youtube.com/watch?v=GyuMozsVyYs (why would targets channel be controlled by Tulach)", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw", "x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290", "cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz", "porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop", "https://api.w.org/ \u2022 api.w.org", "remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png", "https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-assets-Twitter.b90ee19de735e00fb4a0.js", "developer.x.com \u2022 https://twitter.com/githubstatus", "https://twitter.com/juvlarN", "appleid.cdn-apple.com", "https://static.digitecgalaxus.ch/Files/communication/app-download-badges/apple_email_rasterized_2x/fr.png", "Samuel Tulach , an engineer writes about game security, Unity engine, and anti-cheat systems on his blog at tulach.cc", "Mr. Tulach \u2022 known for his work in cybersecurity, particularly in reverse engineering & malware analysis", "\"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines", "Due to Samuel Tulach\u2019s good reputation , assume his assets are being abused by threat actors targeting", "I haven\u2019t yet concluded why Tulach.cc is deeply interwoven in a malicious media campaign", "Samuel Tulach\u2019s assets have been tightly connected to M. Brian Sabey, Esq", "The next pulse will show Apple IoC\u2019s related to Tulach.cc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LibraryLoader", "display_name": "LibraryLoader", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "target": null }, { "id": "Win.Packed.Botx-10021462-0", "display_name": "Win.Packed.Botx-10021462-0", "target": null }, { "id": "Win.Malware.Cymt-10023133-0", "display_name": "Win.Malware.Cymt-10023133-0", "target": null }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Generickdz-9937235-0", "display_name": "Win.Malware.Generickdz-9937235-0", "target": null }, { "id": "Win.Malware.Razy-6979265-0", "display_name": "Win.Malware.Razy-6979265-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "SLF:Win32/Elenquay.A", "display_name": "SLF:Win32/Elenquay.A", "target": "/malware/SLF:Win32/Elenquay.A" }, { "id": "Win.Dropper.QuasarRAT-10023124-0", "display_name": "Win.Dropper.QuasarRAT-10023124-0", "target": null }, { "id": "Win.Trojan.Zegost-9769410-0", "display_name": "Win.Trojan.Zegost-9769410-0", "target": null }, { "id": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "display_name": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "target": null }, { "id": "Win.Malware.Moonlight-9919383-0", "display_name": "Win.Malware.Moonlight-9919383-0", "target": null }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#LowfiJavaZKM", "display_name": "#LowfiJavaZKM", "target": null }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Html.Trojan.Ascii212_44_64_202-1", "display_name": "Html.Trojan.Ascii212_44_64_202-1", "target": null }, { "id": "ALFPER:HSTR:WizremURL.A1", "display_name": "ALFPER:HSTR:WizremURL.A1", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Win.Malware.Midie-6847893-0", "display_name": "Win.Malware.Midie-6847893-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Malware.Aauto-9839281-0", "display_name": "Win.Malware.Aauto-9839281-0", "target": null }, { "id": "Win.Trojan.Agent-1371484", "display_name": "Win.Trojan.Agent-1371484", "target": null }, { "id": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "display_name": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "display_name": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2710, "domain": 1227, "hostname": 1206, "FileHash-SHA256": 3867, "IPv4": 318, "FileHash-MD5": 593, "FileHash-SHA1": 459, "IPv6": 1, "SSLCertFingerprint": 19, "email": 20, "CVE": 1 }, "indicator_count": 10421, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d366448691fa5dc09cc8ad", "name": "CAPE Sandbox", "description": "GoDaddy.com, LLC, is the owner of the GoDaddy website, which has registered more than 200,000 domain names and addresses since the 1990s, including the name of PEGASUS.", "modified": "2026-04-06T07:54:40.511000", "created": "2026-04-06T07:52:35.998000", "tags": [ "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "key identifier", "x509v3 subject", "number", "cus starizona", "cngo daddy", "authority", "g2 validity", "subject public", "key info", "key algorithm", "domain name", "status", "abuse contact", "email", "registrar iana" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 64, "FileHash-MD5": 152, "FileHash-SHA1": 16, "FileHash-SHA256": 552, "URL": 326, "domain": 69, "hostname": 213, "email": 1, "CVE": 1 }, "indicator_count": 1394, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d36643aecd94c5482eaac1", "name": "CAPE Sandbox", "description": "GoDaddy.com, LLC, is the owner of the GoDaddy website, which has registered more than 200,000 domain names and addresses since the 1990s, including the name of PEGASUS.", "modified": "2026-04-06T07:52:35.647000", "created": "2026-04-06T07:52:35.647000", "tags": [ "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "key identifier", "x509v3 subject", "number", "cus starizona", "cngo daddy", "authority", "g2 validity", "subject public", "key info", "key algorithm", "domain name", "status", "abuse contact", "email", "registrar iana" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 64, "FileHash-MD5": 152, "FileHash-SHA1": 16, "FileHash-SHA256": 552, "URL": 326, "domain": 69, "hostname": 213, "email": 1 }, "indicator_count": 1393, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d366420a9e0656d003c295", "name": "CAPE Sandbox", "description": "GoDaddy.com, LLC, is the owner of the GoDaddy website, which has registered more than 200,000 domain names and addresses since the 1990s, including the name of PEGASUS.", "modified": "2026-04-06T07:52:34.721000", "created": "2026-04-06T07:52:34.721000", "tags": [ "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "key identifier", "x509v3 subject", "number", "cus starizona", "cngo daddy", "authority", "g2 validity", "subject public", "key info", "key algorithm", "domain name", "status", "abuse contact", "email", "registrar iana" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 64, "FileHash-MD5": 152, "FileHash-SHA1": 16, "FileHash-SHA256": 552, "URL": 326, "domain": 69, "hostname": 213, "email": 1 }, "indicator_count": 1393, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-assets-Twitter.b90ee19de735e00fb4a0.js", "Yara Detections: Tofsee", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "\"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines", "Domains Contacted: fenbushijujuefuwu.com", "http://cab.applemarketingtools.com", "discord.com \u2022 discord.gg", "Alerts network_icmp allocates_rwx packer_entropy pe_features pe_unknown_resource_name Related Pulses", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "http://console.applemarketingtools.com/", "africa.konnect.com", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "Musiclab, LLC", "xn--cloud-4sa.com", "pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "angryblackwomyn.com", "api.item.yixun.com", "https://api.w.org/ \u2022 api.w.org", "cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "euw-serp-dev-testing19.duck.ai", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "account-apple.com", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "https://nextcloud.tulach.cc/ \u2022 https://nextcloud.tulach.cc/", "https://medium.com/the-pink/how-a-white-womans-anger-makes-her-racism-spill-out-563853905a42", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/41ad1d349716b3e62f914c0907323ae8e0a37198d237a02d71a0d5e05ffaa727", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw", "porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop", "Due to Samuel Tulach\u2019s good reputation , assume his assets are being abused by threat actors targeting", "Samuel Tulach\u2019s assets have been tightly connected to M. Brian Sabey, Esq", "I haven\u2019t yet concluded why Tulach.cc is deeply interwoven in a malicious media campaign", "ids-apple.com \u2022 itunes.org", "developer.x.com \u2022 https://twitter.com/githubstatus", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "https://www.forpsi.com domain forpsi.com\t Domain asp.net", "Samuel Tulach , an engineer writes about game security, Unity engine, and anti-cheat systems on his blog at tulach.cc", "Mr. Tulach \u2022 known for his work in cybersecurity, particularly in reverse engineering & malware analysis", "bleepingcomputer.com \u2022 CliffsNotes", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "nr-data.net \u2022 www.youtube.com", "Unix.Trojan.Mirai-9441505-0 Yara Detections is__elf \u2022 217.11.249.145", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "x.com - Malware Packed", "https://twitter.com/juvlarN", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "appleid.cdn-apple.com", "https://static.digitecgalaxus.ch/Files/communication/app-download-badges/apple_email_rasterized_2x/fr.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "The next pulse will show Apple IoC\u2019s related to Tulach.cc", "www.youtube.com/watch?v=GyuMozsVyYs (why would targets channel be controlled by Tulach)" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.trojan.vbgeneric-6735875-0", "Html.trojan.ascii212_44_64_202-1", "Win.packed.generic-9967832-0", "Exploit:win32/cve-2017-0147", "Win.packer.pkr_ce1a-9980177-0", "Backdoor:win32/tofsee.t", "Win.trojan.agent-1371484", "Unix.trojan.mirai-9441505-0", "Trojandownloader:win32/nemucod", "Trojan:win32/mydoom", "Win.malware.aauto-9839281-0", "Win.malware.moonlight-9919383-0", "#lowfi:win32/autoit", "#lowfijavazkm", "Alf:hstr:virtool:win32/obfuscator!pecancer", "Win.malware.midie-6847893-0", "Slf:win32/elenquay.a", "Win.trojan.barys-10005825-0", "Trojandownloader:win32/cutwail", "Trojanspy:win32/nivdort", "Win.malware.swisyn-7610494-0", "Win.malware.jaik-9968280-0", "Trojandropper:win32/muldrop.v!mtb", "Backdoor:win32/tofsee.", "Alf:heraklezeval:trojan:win32/azorult.fw!rfn", "Win32/searchsuite", "Win.malware.generickdz-9937235-0", "Win.malware.cymt-10023133-0", "Alfper:hstr:wizremurl.a1", "Trojanspy:win32/nivdort.de", "Win.malware.razy-6979265-0", "Pws:win32/ymacco.aa50", "Win.packed.bandook-9882274-1", "Win.trojan.tofsee-7102058-0", "Worm:win32/mofksys.rnd!mtb", "Slfper:softwarebundler:win32/icloader.a", "Libraryloader", "Win32.application.bearshare.a", "Win.packed.botx-10021462-0", "Win.dropper.quasarrat-10023124-0", "Worm:win32/lightmoon.h", "Cve-2023-22518", "Alf:trojan:win32/cassini_412f60c8!ibt", "Win.trojan.zegost-9769410-0", "Win.packed.stealerc-10017074-0" ], "industries": [ "Healthcare", "Government", "Technology" ], "unique_indicators": 26410 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/jemena.com.au", "whois": "http://whois.domaintools.com/jemena.com.au", "domain": "jemena.com.au", "hostname": "identity.dev-cdc.jemena.com.au" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "69ded8198b25581a09b90824", "name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration", "description": "", "modified": "2026-04-15T00:13:13.981000", "created": "2026-04-15T00:13:13.981000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69db05f833d3d6d2231fb201", "name": "CREDIT: Q.Vashti's research: SearchSuite \u2022 Healthcare Administration CREATED 6 HOURS AGO by Q.Vashti", "description": "", "modified": "2026-04-12T02:39:52.993000", "created": "2026-04-12T02:39:52.993000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dab27a0493e0e80a0f35cd", "name": "SearchSuite \u2022 Healthcare Administration", "description": "Embedded in communication between a healthcare system and a client. \n\nThis is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads , call failures.", "modified": "2026-04-11T20:43:38.695000", "created": "2026-04-11T20:43:38.695000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d8a665177b8f64c7ce5fca", "name": "LibraryLoader \u2022 Samuel Tulach | Abuse of malicious sssets engineered by DevOp & Security Researcher", "description": "Samuel Tulach is involved in various projects related to government work, particularly in areas like DevSecOps and app modernization. \nOverview of Samuel Tulach's \"uploader.exe\"\nThe file \"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines. This classification indicates that the file poses a potential threat to users' systems.\nSecurity Engine Flags. Several security engines have flagged \"uploader.exe\" as malicious.\nSecureAge APEX\tMalicious\nSentinelOne\tMalicious\nImplications of Malicious Flags\nPotential Risks: Files flagged as malicious can lead to various security issues, including data theft, unauthorized access, or system damage.\nRecommended Actions: Users should avoid downloading or executing this file. If already downloaded, it is advisable to delete it and run a full system scan using reputable antivirus software.", "modified": "2026-04-10T07:27:33.587000", "created": "2026-04-10T07:27:33.587000", "tags": [ "x vercel", "united", "america", "germany malware", "family", "ck ids", "packing", "tulach", "ocsp", "extraction", "data upload", "enter sc", "extra data", "include review", "exclude sugges", "find s", "failed", "typ no", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "pattern match", "mitre att", "ascii text", "span", "title", "meta", "path", "april", "hybrid", "general", "local", "encrypt", "click", "strings", "main", "footer", "pcsb", "naga", "magda", "no expiration", "url https", "domain", "github pages", "a domains", "passive dns", "mtb jan", "class", "sea x", "accept encoding", "trojanspy", "accept", "otx logo", "all ipv4", "urls", "files", "america flag", "space", "ck matrix", "handle", "winvmaddress", "cdecl crashpad", "null", "software", "comment", "entity", "internal", "blank", "magic", "infinity", "first", "valentine", "error", "webview", "front", "patched", "root", "tristate", "libraryloader", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "filehash", "win32", "malware", "write", "backdoor", "present apr", "lowfi", "aaaa", "lowfijavazkm", "x.com", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "ff d5", "yara rule", "f0 ff", "eb e1", "unknown", "trojan", "zeppelin", "autorun", "united states", "china unknown", "div div", "ip address", "record value", "samuel tulach", "czechia unknown", "italy unknown", "gmt server", "all domain", "next associated", "reverse dns", "location czech", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "file type", "telfhash", "virustotal api", "vendor finding", "notes clamav", "files matching", "number", "t1045", "search", "directui", "element", "medium", "classinfobase", "value", "write c", "hwndhost", "sapeav12", "worm", "explorer", "insert", "movie", "mtb apr", "mtb mar", "trojandropper", "displayname", "windows", "high", "delete c", "tofsee", "stream", "push", "url http", "c mar", "virtool", "c jan", "c dec", "toolbar", "ransom", "article", "windows nt", "gmtvia", "html", "bad traffic", "et info", "tls handshake", "belgium", "present dec", "present feb", "intel", "elf upx", "medium risk", "info", "moved", "hostname add", "whois registrar", "media", "delphi", "guard", "code", "devsecops", "github", "github internet", "archive samuel", "tulach", "government work", "key areas", "devops process", "security engine", "flags", "apex malicious", "implications", "malicious flags", "potential risks", "name servers", "apple id", "script urls", "show process", "secure", "win64", "khtml", "gecko", "programfiles", "cookie", "comspec", "model", "june", "spawns", "id name", "malicious", "gui", "anti cheats", "game tech", "c++" ], "references": [ "https://nextcloud.tulach.cc/ \u2022 https://nextcloud.tulach.cc/", "bleepingcomputer.com \u2022 CliffsNotes", "x.com - Malware Packed", "nr-data.net \u2022 www.youtube.com", "Alerts network_icmp allocates_rwx packer_entropy pe_features pe_unknown_resource_name Related Pulses", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "discord.com \u2022 discord.gg", "api.item.yixun.com", "Unix.Trojan.Mirai-9441505-0 Yara Detections is__elf \u2022 217.11.249.145", "Domains Contacted: fenbushijujuefuwu.com", "angryblackwomyn.com", "https://medium.com/the-pink/how-a-white-womans-anger-makes-her-racism-spill-out-563853905a42", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/41ad1d349716b3e62f914c0907323ae8e0a37198d237a02d71a0d5e05ffaa727", "https://www.forpsi.com domain forpsi.com\t Domain asp.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "www.youtube.com/watch?v=GyuMozsVyYs (why would targets channel be controlled by Tulach)", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw", "x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290", "cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz", "porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop", "https://api.w.org/ \u2022 api.w.org", "remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png", "https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-assets-Twitter.b90ee19de735e00fb4a0.js", "developer.x.com \u2022 https://twitter.com/githubstatus", "https://twitter.com/juvlarN", "appleid.cdn-apple.com", "https://static.digitecgalaxus.ch/Files/communication/app-download-badges/apple_email_rasterized_2x/fr.png", "Samuel Tulach , an engineer writes about game security, Unity engine, and anti-cheat systems on his blog at tulach.cc", "Mr. Tulach \u2022 known for his work in cybersecurity, particularly in reverse engineering & malware analysis", "\"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines", "Due to Samuel Tulach\u2019s good reputation , assume his assets are being abused by threat actors targeting", "I haven\u2019t yet concluded why Tulach.cc is deeply interwoven in a malicious media campaign", "Samuel Tulach\u2019s assets have been tightly connected to M. Brian Sabey, Esq", "The next pulse will show Apple IoC\u2019s related to Tulach.cc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LibraryLoader", "display_name": "LibraryLoader", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "target": null }, { "id": "Win.Packed.Botx-10021462-0", "display_name": "Win.Packed.Botx-10021462-0", "target": null }, { "id": "Win.Malware.Cymt-10023133-0", "display_name": "Win.Malware.Cymt-10023133-0", "target": null }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Generickdz-9937235-0", "display_name": "Win.Malware.Generickdz-9937235-0", "target": null }, { "id": "Win.Malware.Razy-6979265-0", "display_name": "Win.Malware.Razy-6979265-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "SLF:Win32/Elenquay.A", "display_name": "SLF:Win32/Elenquay.A", "target": "/malware/SLF:Win32/Elenquay.A" }, { "id": "Win.Dropper.QuasarRAT-10023124-0", "display_name": "Win.Dropper.QuasarRAT-10023124-0", "target": null }, { "id": "Win.Trojan.Zegost-9769410-0", "display_name": "Win.Trojan.Zegost-9769410-0", "target": null }, { "id": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "display_name": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "target": null }, { "id": "Win.Malware.Moonlight-9919383-0", "display_name": "Win.Malware.Moonlight-9919383-0", "target": null }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#LowfiJavaZKM", "display_name": "#LowfiJavaZKM", "target": null }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Html.Trojan.Ascii212_44_64_202-1", "display_name": "Html.Trojan.Ascii212_44_64_202-1", "target": null }, { "id": "ALFPER:HSTR:WizremURL.A1", "display_name": "ALFPER:HSTR:WizremURL.A1", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Win.Malware.Midie-6847893-0", "display_name": "Win.Malware.Midie-6847893-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Malware.Aauto-9839281-0", "display_name": "Win.Malware.Aauto-9839281-0", "target": null }, { "id": "Win.Trojan.Agent-1371484", "display_name": "Win.Trojan.Agent-1371484", "target": null }, { "id": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "display_name": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "display_name": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2710, "domain": 1227, "hostname": 1206, "FileHash-SHA256": 3867, "IPv4": 318, "FileHash-MD5": 593, "FileHash-SHA1": 459, "IPv6": 1, "SSLCertFingerprint": 19, "email": 20, "CVE": 1 }, "indicator_count": 10421, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d366448691fa5dc09cc8ad", "name": "CAPE Sandbox", "description": "GoDaddy.com, LLC, is the owner of the GoDaddy website, which has registered more than 200,000 domain names and addresses since the 1990s, including the name of PEGASUS.", "modified": "2026-04-06T07:54:40.511000", "created": "2026-04-06T07:52:35.998000", "tags": [ "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "key identifier", "x509v3 subject", "number", "cus starizona", "cngo daddy", "authority", "g2 validity", "subject public", "key info", "key algorithm", "domain name", "status", "abuse contact", "email", "registrar iana" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 64, "FileHash-MD5": 152, "FileHash-SHA1": 16, "FileHash-SHA256": 552, "URL": 326, "domain": 69, "hostname": 213, "email": 1, "CVE": 1 }, "indicator_count": 1394, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d36643aecd94c5482eaac1", "name": "CAPE Sandbox", "description": "GoDaddy.com, LLC, is the owner of the GoDaddy website, which has registered more than 200,000 domain names and addresses since the 1990s, including the name of PEGASUS.", "modified": "2026-04-06T07:52:35.647000", "created": "2026-04-06T07:52:35.647000", "tags": [ "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "key identifier", "x509v3 subject", "number", "cus starizona", "cngo daddy", "authority", "g2 validity", "subject public", "key info", "key algorithm", "domain name", "status", "abuse contact", "email", "registrar iana" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 64, "FileHash-MD5": 152, "FileHash-SHA1": 16, "FileHash-SHA256": 552, "URL": 326, "domain": 69, "hostname": 213, "email": 1 }, "indicator_count": 1393, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d366420a9e0656d003c295", "name": "CAPE Sandbox", "description": "GoDaddy.com, LLC, is the owner of the GoDaddy website, which has registered more than 200,000 domain names and addresses since the 1990s, including the name of PEGASUS.", "modified": "2026-04-06T07:52:34.721000", "created": "2026-04-06T07:52:34.721000", "tags": [ "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "key identifier", "x509v3 subject", "number", "cus starizona", "cngo daddy", "authority", "g2 validity", "subject public", "key info", "key algorithm", "domain name", "status", "abuse contact", "email", "registrar iana" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 64, "FileHash-MD5": 152, "FileHash-SHA1": 16, "FileHash-SHA256": 552, "URL": 326, "domain": 69, "hostname": 213, "email": 1 }, "indicator_count": 1393, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://identity.dev-cdc.jemena.com.au", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://identity.dev-cdc.jemena.com.au", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776660773.1508293 }