{ "type": "URL", "indicator": "https://infimotiontec.com/about", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://infimotiontec.com/about", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4148114970, "indicator": "https://infimotiontec.com/about", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "693de4a8a72cf95b028365f0", "name": "Bot Block 162.159.128.0/19 | X Fake tweets | Tofsee", "description": "Tofsee.Trojan.T malware infection affects infected devices. \n\n\n#unlocked #injection #dead_host #compromised_devices #folk_in _browser #botnets", "modified": "2026-01-12T21:02:35.560000", "created": "2025-12-13T22:11:52.474000", "tags": [ "network", "ip address", "subnet", "dynamicloader", "port", "destination", "high", "windows", "united", "write", "tofsee", "stream", "win64", "push", "urls", "url analysis", "dnssec", "script domains", "encrypt", "url add", "http", "related nids", "flag united", "germany", "address google", "passive dns", "ipv4 add", "files", "asn as13335", "dns resolutions", "domains top", "level", "unique tlds", "location united", "asn asnone", "present dec", "backdoor", "lowfi", "win32autoit mar", "urls show", "date checked", "connection", "httponly", "secure", "path", "expiressat", "dynamic cfray", "medium", "delete c", "displayname", "show", "unknown", "next", "rndhex", "malware", "cname", "next associated", "url hostname", "server response", "google safe", "read c", "unicode", "png image", "rgba", "memcommit", "dock", "execution", "files location", "china flag", "china hostname", "hostname", "domain", "files ip", "address", "asn as45102", "gmt content", "certificate", "associated urls", "location china", "china asn", "as4808 china", "present aug", "object", "present apr", "present oct", "alman", "present sep", "error", "present jul", "rmndrp", "present feb", "expiration", "url https", "url http", "iocs", "review iocs", "expireswed", "samesitenone", "maxage86400", "maxage0", "server", "expires", "victina nulcac", "data upload", "extraction", "enter", "enter source", "url data", "type", "extract indic", "included iocs", "china unknown", "botnet", "folk in browser", "japan unknown", "asnone country", "as13335", "a domains", "script urls", "servers", "title", "moved", "record value", "entries", "whitelisted", "powershell", "xf9xb5xf9", "xxcexf6x8fr", "k2xe7xcbxxeaxa2", "x99x19", "x88yxf9xc858", "x83x12x8da", "zx9bx8ex84", "attempts", "yara detections", "contacted", "tags none", "file type", "pe packer", "dll compilation", "guard", "botnets" ], "references": [ "https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet", "x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )", "foundry.neconsside.com \u2022 http://foundry.neconsside.com", "http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside", "IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America", "Russian Federation", "T\u00fcrkiye", "Netherlands" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "HtBot", "display_name": "HtBot", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1481", "name": "Web Service", "display_name": "T1481 - Web Service" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8145, "domain": 1389, "FileHash-SHA256": 1545, "CIDR": 2, "hostname": 2533, "FileHash-MD5": 209, "FileHash-SHA1": 190, "email": 6, "SSLCertFingerprint": 4 }, "indicator_count": 14023, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693b7dc3cf1996347652ef92", "name": "Google Site Redirector - Tesla Hackers", "description": "Silencing. By Tesla hackers. Awful example of how any victim of a crime; can become a target of the government..\nThis is especially true when the actual perpetrators work for the government are government affiliated, very wealthy, a celebrity or someone who is deemed important. In this instance the Quasi government sought to keep target seeking and obtaining life saving medical treatment, financial settlement that she was entitled to from assault, injuries from assault, false imprisonment, punitive damgages, pain and suffering, humiliation, premise liability, permanent (whole body disability @MMI ), many other crimes. The victims suffered from a great sadness and betrayal. \n\nObviously racist Elon Musk and crew have access to all government tools. Musk, All things cyber are at his disposal as \ncontinues to abuse privilege.\n They keep playing a God they don\u2019t believe in. God is the Ultimate Avenger.", "modified": "2026-01-11T00:03:08.581000", "created": "2025-12-12T02:28:19.107000", "tags": [ "compromised_site_redirector_fromcharcode", "site_redirector", "string", "regexp", "error", "number", "sxa0", "amptoken", "optout", "retrieving", "notfound", "write", "form", "flash", "vd", "tesla hackers", "nxdomain", "passive dns", "ip address", "domain", "a nxdomain", "urls", "files", "ip related", "pulses otx", "google", "unknown", "oracle", "dynamicloader", "medium", "high", "windows", "rndhex", "write c", "rndchar", "displayname", "tofsee", "yara rule", "stream", "strings", "push", "lte all", "search otx", "ource url", "or text", "paste", "data upload", "extraction", "elon musk", "indicator role", "active related", "ipv4", "exploitsource", "url https", "url http", "desktopinternet", "title added", "pulses ipv4", "less see", "ids detections", "vuze bt", "udp connection", "contacted", "filehash", "av detections", "yara detections", "alerts", "0x8aa42", "0xe3107", "upnp", "http request", "bittorrent", "file", "module load", "t1129", "post http", "install", "execution", "malware", "hostile", "crawl", "windows nt", "wow64", "get zona", "get httpget", "hash", "entries", "read c", "suspicious", "next", "united" ], "references": [ "Tesla Hackers | https://www.teslarati.com/spacex", "Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint", "142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source", "IDS Detections Win32/ZonaInstaller Install Beacon", "https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\", "https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=", "https://www.google-analytics.com/debug/bootstrap?id=\\", "https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga", "https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022", "https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=", "This is why our team tells a back story. It can and does happen to anyone.", "We apologize for so may typos and errors. We strive to do better at that." ], "public": 1, "adversary": "Tesla Hackers", "targeted_countries": [], "malware_families": [ { "id": "Vd", "display_name": "Vd", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Trojan.12382640-1", "display_name": "Win.Trojan.12382640-1", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65, "FileHash-SHA1": 34, "FileHash-SHA256": 2032, "URL": 4921, "domain": 567, "hostname": 1586, "SSLCertFingerprint": 4 }, "indicator_count": 9209, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e8cd886e0bb692e8a9d08", "name": "Blocker Ransomware affecting Apple and iCloud | Injection", "description": "Wild! Hackers attack-ack-acking!\nThey\u2019re quite good. Persistent. Angry. \nIt\u2019s the same group of hackers.", "modified": "2026-01-01T06:01:02.583000", "created": "2025-12-02T06:53:12.823000", "tags": [ "url https", "url http", "domain", "fh no", "ipv4", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "mitre att", "ck id", "ck matrix", "ascii text", "href", "network traffic", "general", "local", "click", "strings", "learn", "name tactics", "suspicious", "informative", "found", "command", "adversaries", "spawns", "defense evasion", "dynamicloader", "windows nt", "wow64", "khtml", "gecko", "write c", "unknown", "virtool", "write", "defender", "malware", "delete", "alerts", "backdoor", "high", "ip address", "t1045", "packing", "t1055", "injection", "t1060", "run keys", "startup", "folder", "t1119", "t1027", "tools", "families", "mirai", "indicator role", "active related", "hackers", "ahmann", "usual suspects" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Backdoor:Win32/Drixed", "display_name": "Backdoor:Win32/Drixed", "target": "/malware/Backdoor:Win32/Drixed" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Ransom:Win32/Blocker.NN!MTB", "display_name": "Ransom:Win32/Blocker.NN!MTB", "target": "/malware/Ransom:Win32/Blocker.NN!MTB" }, { "id": "Unix.Trojan.Mirai-7135937-0", "display_name": "Unix.Trojan.Mirai-7135937-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1066", "name": "Indicator Removal from Tools", "display_name": "T1066 - Indicator Removal from Tools" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1408", "name": "Disguise Root/Jailbreak Indicators", "display_name": "T1408 - Disguise Root/Jailbreak Indicators" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1590.002", "name": "DNS", "display_name": "T1590.002 - DNS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 234, "FileHash-SHA1": 219, "FileHash-SHA256": 841, "URL": 2606, "domain": 298, "hostname": 772, "SSLCertFingerprint": 2, "CVE": 1 }, "indicator_count": 4973, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69212b59117e7e2eb6f3adbf", "name": "X.com RAT \u2022 Tofsee | Attorney | Hacker | Affects visitors to his site.", "description": "Christopher Ahmann again. I\u2019m not sure if he is really an attorney or a hacker. He could be a Hacker and a legal consultant. Again incredibly malicious activity. #contacted #tofsee #trojan #rat #apple #telegram #cnc #google #botnets #bots \n\n[OTC populated: The following is the full list of names you can find on the website of an American law firm, which is based in New York and New Jersey, and which can be accessed via a Google search.]", "modified": "2025-12-22T02:05:33.541000", "created": "2025-11-22T03:17:45.877000", "tags": [ "twitter", "rat", "christopher p ahmann", "trojan", "lowfijavazkm", "x", "x.com", "dynamicloader", "yara rule", "ms windows", "windows", "medium", "united", "ascii text", "high", "write", "guard", "defender", "cybergate", "smartassembly", "malware", "win64", "unknown", "encrypt", "yara detections", "contacted", "av detections", "ids detections", "alerts", "port", "destination", "write c", "delete c", "tofsee", "stream", "telegram", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "ssl certificate", "pattern match", "mitre att", "path", "hybrid", "general", "click", "strings", "legal entities", "apple", "liar" ], "references": [ "x.com | https://x.com/search?q=Ahmann-Christopher-PC-Attorney-at-Law", "IDS Detection : Win32.Cybergate RAT SQLite DL", "IDS Detections : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections : HTTP GET Request for sqlite3.dll - Possible Infostealer Activity", "Yara Detections : Nullsoft_NSIS", "Alerts: antisandbox_sleep creates_largekey process_creation_suspicious_location", "Alerts: infostealer_cookies persistence_autorun procmem_yara static_pe_anomaly", "Alerts: suricata_alert antiav_detectfile antivm_bochs_keys cape_extracted_content", "Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages mouse_movement_detect dynamic_function_loading resumethread_remote_process reads_memory_remote_process network_connection_via_suspicious_process", "Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts: reads_memory_remote_process network_connection_via_suspicious_process", "IDS Detections : Win32/Tofsee.AX google.com connectivity check", "IDS Detections : HTTP Request with Lowercase host Header Observed", "IDS Detections : Observed Telegram Domain (t .me in TLS SNI)", "Alerts: behavior_tofsee suspicious_iocontrol_codes creates_largekey network_bind", "Alerts : persistence_autorun persistence_autorun_tasks network_smtp procmem_yara", "Alerts : static_pe_anomaly suricata_alert antivm_bochs_keys antivm_generic_disk", "Alerts : antivm_generic_services deletes_executed_files injection_runpe dead_connect", "Alerts : persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep", "appleid.cdn-apple.com \u2022 apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/", "https://apple.k8s.joewa.com/ \u2022 http://www.gtaging.apple.pol.kozow.com", "https://v2.papadustream.tv/episode/the-walking-dead-1x1", "https://www.rubreyatson.ddnsgeek.com/", "https://parabellumnorth.com/product/py2a-g17-69-rail-set/", "remotewd.com \u2022 device-194a3e38-d1e7-421a-8a01-d136fef966f1.remotewd.com", "https://hyperbot.net/ \u2022http://rarebot.com/rarebot-installer.exe", "accounts.google.com" ], "public": 1, "adversary": "Christopher Paul Ahmann", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowfiJavaZKM", "display_name": "#LowfiJavaZKM", "target": null }, { "id": "Win.Dropper.Tofsee-10012410-0", "display_name": "Win.Dropper.Tofsee-10012410-0", "target": null }, { "id": "Win.Dropper.Tofsee-10012410-0", "display_name": "Win.Dropper.Tofsee-10012410-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 360, "URL": 1750, "FileHash-MD5": 120, "FileHash-SHA1": 80, "FileHash-SHA256": 1269, "SSLCertFingerprint": 9, "hostname": 644 }, "indicator_count": 4232, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "119 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet", "https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga", "IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com", "Alerts : static_pe_anomaly suricata_alert antivm_bochs_keys antivm_generic_disk", "http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside", "https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=", "IDS Detections Win32/ZonaInstaller Install Beacon", "This is why our team tells a back story. It can and does happen to anyone.", "Alerts: infostealer_cookies persistence_autorun procmem_yara static_pe_anomaly", "IDS Detections : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Tesla Hackers | https://www.teslarati.com/spacex", "https://v2.papadustream.tv/episode/the-walking-dead-1x1", "https://apple.k8s.joewa.com/ \u2022 http://www.gtaging.apple.pol.kozow.com", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "https://parabellumnorth.com/product/py2a-g17-69-rail-set/", "Alerts : persistence_autorun persistence_autorun_tasks network_smtp procmem_yara", "https://www.rubreyatson.ddnsgeek.com/", "Yara Detections : Nullsoft_NSIS", "accounts.google.com", "Alerts: antisandbox_sleep creates_largekey process_creation_suspicious_location", "IDS Detection : Win32.Cybergate RAT SQLite DL", "Alerts: reads_memory_remote_process network_connection_via_suspicious_process", "https://hyperbot.net/ \u2022http://rarebot.com/rarebot-installer.exe", "https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\", "https://www.google-analytics.com/debug/bootstrap?id=\\", "Alerts : antivm_generic_services deletes_executed_files injection_runpe dead_connect", "IDS Detections : HTTP GET Request for sqlite3.dll - Possible Infostealer Activity", "IDS Detections : Observed Telegram Domain (t .me in TLS SNI)", "appleid.cdn-apple.com \u2022 apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/", "IDS Detections : Win32/Tofsee.AX google.com connectivity check", "Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint", "Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages mouse_movement_detect dynamic_function_loading resumethread_remote_process reads_memory_remote_process network_connection_via_suspicious_process", "Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages", "x.com | https://x.com/search?q=Ahmann-Christopher-PC-Attorney-at-Law", "remotewd.com \u2022 device-194a3e38-d1e7-421a-8a01-d136fef966f1.remotewd.com", "x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )", "https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=", "142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source", "Alerts: behavior_tofsee suspicious_iocontrol_codes creates_largekey network_bind", "IDS Detections : HTTP Request with Lowercase host Header Observed", "https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022", "Alerts : persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep", "foundry.neconsside.com \u2022 http://foundry.neconsside.com", "We apologize for so may typos and errors. We strive to do better at that.", "Alerts: suricata_alert antiav_detectfile antivm_bochs_keys cape_extracted_content" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Tesla Hackers", "Christopher Paul Ahmann" ], "malware_families": [ "Unix.trojan.mirai-7135937-0", "Autoit", "Backdoor:win32/drixed", "Backdoor:win32/tofsee", "Backdoor:win32/tofsee.t", "#virtool:win32/obfuscator.adb", "Tofsee", "#lowfijavazkm", "Win.dropper.tofsee-10012410-0", "Mirai", "Win.trojan.12382640-1", "Vd", "Virtool:win32/injector", "Htbot", "Ransom:win32/blocker.nn!mtb" ], "industries": [], "unique_indicators": 31078 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/infimotiontec.com", "whois": "http://whois.domaintools.com/infimotiontec.com", "domain": "infimotiontec.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "693de4a8a72cf95b028365f0", "name": "Bot Block 162.159.128.0/19 | X Fake tweets | Tofsee", "description": "Tofsee.Trojan.T malware infection affects infected devices. \n\n\n#unlocked #injection #dead_host #compromised_devices #folk_in _browser #botnets", "modified": "2026-01-12T21:02:35.560000", "created": "2025-12-13T22:11:52.474000", "tags": [ "network", "ip address", "subnet", "dynamicloader", "port", "destination", "high", "windows", "united", "write", "tofsee", "stream", "win64", "push", "urls", "url analysis", "dnssec", "script domains", "encrypt", "url add", "http", "related nids", "flag united", "germany", "address google", "passive dns", "ipv4 add", "files", "asn as13335", "dns resolutions", "domains top", "level", "unique tlds", "location united", "asn asnone", "present dec", "backdoor", "lowfi", "win32autoit mar", "urls show", "date checked", "connection", "httponly", "secure", "path", "expiressat", "dynamic cfray", "medium", "delete c", "displayname", "show", "unknown", "next", "rndhex", "malware", "cname", "next associated", "url hostname", "server response", "google safe", "read c", "unicode", "png image", "rgba", "memcommit", "dock", "execution", "files location", "china flag", "china hostname", "hostname", "domain", "files ip", "address", "asn as45102", "gmt content", "certificate", "associated urls", "location china", "china asn", "as4808 china", "present aug", "object", "present apr", "present oct", "alman", "present sep", "error", "present jul", "rmndrp", "present feb", "expiration", "url https", "url http", "iocs", "review iocs", "expireswed", "samesitenone", "maxage86400", "maxage0", "server", "expires", "victina nulcac", "data upload", "extraction", "enter", "enter source", "url data", "type", "extract indic", "included iocs", "china unknown", "botnet", "folk in browser", "japan unknown", "asnone country", "as13335", "a domains", "script urls", "servers", "title", "moved", "record value", "entries", "whitelisted", "powershell", "xf9xb5xf9", "xxcexf6x8fr", "k2xe7xcbxxeaxa2", "x99x19", "x88yxf9xc858", "x83x12x8da", "zx9bx8ex84", "attempts", "yara detections", "contacted", "tags none", "file type", "pe packer", "dll compilation", "guard", "botnets" ], "references": [ "https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet", "x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )", "foundry.neconsside.com \u2022 http://foundry.neconsside.com", "http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside", "IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America", "Russian Federation", "T\u00fcrkiye", "Netherlands" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "HtBot", "display_name": "HtBot", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1481", "name": "Web Service", "display_name": "T1481 - Web Service" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8145, "domain": 1389, "FileHash-SHA256": 1545, "CIDR": 2, "hostname": 2533, "FileHash-MD5": 209, "FileHash-SHA1": 190, "email": 6, "SSLCertFingerprint": 4 }, "indicator_count": 14023, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693b7dc3cf1996347652ef92", "name": "Google Site Redirector - Tesla Hackers", "description": "Silencing. By Tesla hackers. Awful example of how any victim of a crime; can become a target of the government..\nThis is especially true when the actual perpetrators work for the government are government affiliated, very wealthy, a celebrity or someone who is deemed important. In this instance the Quasi government sought to keep target seeking and obtaining life saving medical treatment, financial settlement that she was entitled to from assault, injuries from assault, false imprisonment, punitive damgages, pain and suffering, humiliation, premise liability, permanent (whole body disability @MMI ), many other crimes. The victims suffered from a great sadness and betrayal. \n\nObviously racist Elon Musk and crew have access to all government tools. Musk, All things cyber are at his disposal as \ncontinues to abuse privilege.\n They keep playing a God they don\u2019t believe in. God is the Ultimate Avenger.", "modified": "2026-01-11T00:03:08.581000", "created": "2025-12-12T02:28:19.107000", "tags": [ "compromised_site_redirector_fromcharcode", "site_redirector", "string", "regexp", "error", "number", "sxa0", "amptoken", "optout", "retrieving", "notfound", "write", "form", "flash", "vd", "tesla hackers", "nxdomain", "passive dns", "ip address", "domain", "a nxdomain", "urls", "files", "ip related", "pulses otx", "google", "unknown", "oracle", "dynamicloader", "medium", "high", "windows", "rndhex", "write c", "rndchar", "displayname", "tofsee", "yara rule", "stream", "strings", "push", "lte all", "search otx", "ource url", "or text", "paste", "data upload", "extraction", "elon musk", "indicator role", "active related", "ipv4", "exploitsource", "url https", "url http", "desktopinternet", "title added", "pulses ipv4", "less see", "ids detections", "vuze bt", "udp connection", "contacted", "filehash", "av detections", "yara detections", "alerts", "0x8aa42", "0xe3107", "upnp", "http request", "bittorrent", "file", "module load", "t1129", "post http", "install", "execution", "malware", "hostile", "crawl", "windows nt", "wow64", "get zona", "get httpget", "hash", "entries", "read c", "suspicious", "next", "united" ], "references": [ "Tesla Hackers | https://www.teslarati.com/spacex", "Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint", "142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source", "IDS Detections Win32/ZonaInstaller Install Beacon", "https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\", "https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=", "https://www.google-analytics.com/debug/bootstrap?id=\\", "https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga", "https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022", "https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=", "This is why our team tells a back story. It can and does happen to anyone.", "We apologize for so may typos and errors. We strive to do better at that." ], "public": 1, "adversary": "Tesla Hackers", "targeted_countries": [], "malware_families": [ { "id": "Vd", "display_name": "Vd", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Trojan.12382640-1", "display_name": "Win.Trojan.12382640-1", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65, "FileHash-SHA1": 34, "FileHash-SHA256": 2032, "URL": 4921, "domain": 567, "hostname": 1586, "SSLCertFingerprint": 4 }, "indicator_count": 9209, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e8cd886e0bb692e8a9d08", "name": "Blocker Ransomware affecting Apple and iCloud | Injection", "description": "Wild! Hackers attack-ack-acking!\nThey\u2019re quite good. Persistent. Angry. \nIt\u2019s the same group of hackers.", "modified": "2026-01-01T06:01:02.583000", "created": "2025-12-02T06:53:12.823000", "tags": [ "url https", "url http", "domain", "fh no", "ipv4", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "mitre att", "ck id", "ck matrix", "ascii text", "href", "network traffic", "general", "local", "click", "strings", "learn", "name tactics", "suspicious", "informative", "found", "command", "adversaries", "spawns", "defense evasion", "dynamicloader", "windows nt", "wow64", "khtml", "gecko", "write c", "unknown", "virtool", "write", "defender", "malware", "delete", "alerts", "backdoor", "high", "ip address", "t1045", "packing", "t1055", "injection", "t1060", "run keys", "startup", "folder", "t1119", "t1027", "tools", "families", "mirai", "indicator role", "active related", "hackers", "ahmann", "usual suspects" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Backdoor:Win32/Drixed", "display_name": "Backdoor:Win32/Drixed", "target": "/malware/Backdoor:Win32/Drixed" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Ransom:Win32/Blocker.NN!MTB", "display_name": "Ransom:Win32/Blocker.NN!MTB", "target": "/malware/Ransom:Win32/Blocker.NN!MTB" }, { "id": "Unix.Trojan.Mirai-7135937-0", "display_name": "Unix.Trojan.Mirai-7135937-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1066", "name": "Indicator Removal from Tools", "display_name": "T1066 - Indicator Removal from Tools" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1408", "name": "Disguise Root/Jailbreak Indicators", "display_name": "T1408 - Disguise Root/Jailbreak Indicators" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1590.002", "name": "DNS", "display_name": "T1590.002 - DNS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 234, "FileHash-SHA1": 219, "FileHash-SHA256": 841, "URL": 2606, "domain": 298, "hostname": 772, "SSLCertFingerprint": 2, "CVE": 1 }, "indicator_count": 4973, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69212b59117e7e2eb6f3adbf", "name": "X.com RAT \u2022 Tofsee | Attorney | Hacker | Affects visitors to his site.", "description": "Christopher Ahmann again. I\u2019m not sure if he is really an attorney or a hacker. He could be a Hacker and a legal consultant. Again incredibly malicious activity. #contacted #tofsee #trojan #rat #apple #telegram #cnc #google #botnets #bots \n\n[OTC populated: The following is the full list of names you can find on the website of an American law firm, which is based in New York and New Jersey, and which can be accessed via a Google search.]", "modified": "2025-12-22T02:05:33.541000", "created": "2025-11-22T03:17:45.877000", "tags": [ "twitter", "rat", "christopher p ahmann", "trojan", "lowfijavazkm", "x", "x.com", "dynamicloader", "yara rule", "ms windows", "windows", "medium", "united", "ascii text", "high", "write", "guard", "defender", "cybergate", "smartassembly", "malware", "win64", "unknown", "encrypt", "yara detections", "contacted", "av detections", "ids detections", "alerts", "port", "destination", "write c", "delete c", "tofsee", "stream", "telegram", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "ssl certificate", "pattern match", "mitre att", "path", "hybrid", "general", "click", "strings", "legal entities", "apple", "liar" ], "references": [ "x.com | https://x.com/search?q=Ahmann-Christopher-PC-Attorney-at-Law", "IDS Detection : Win32.Cybergate RAT SQLite DL", "IDS Detections : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections : HTTP GET Request for sqlite3.dll - Possible Infostealer Activity", "Yara Detections : Nullsoft_NSIS", "Alerts: antisandbox_sleep creates_largekey process_creation_suspicious_location", "Alerts: infostealer_cookies persistence_autorun procmem_yara static_pe_anomaly", "Alerts: suricata_alert antiav_detectfile antivm_bochs_keys cape_extracted_content", "Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages mouse_movement_detect dynamic_function_loading resumethread_remote_process reads_memory_remote_process network_connection_via_suspicious_process", "Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts: reads_memory_remote_process network_connection_via_suspicious_process", "IDS Detections : Win32/Tofsee.AX google.com connectivity check", "IDS Detections : HTTP Request with Lowercase host Header Observed", "IDS Detections : Observed Telegram Domain (t .me in TLS SNI)", "Alerts: behavior_tofsee suspicious_iocontrol_codes creates_largekey network_bind", "Alerts : persistence_autorun persistence_autorun_tasks network_smtp procmem_yara", "Alerts : static_pe_anomaly suricata_alert antivm_bochs_keys antivm_generic_disk", "Alerts : antivm_generic_services deletes_executed_files injection_runpe dead_connect", "Alerts : persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep", "appleid.cdn-apple.com \u2022 apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/", "https://apple.k8s.joewa.com/ \u2022 http://www.gtaging.apple.pol.kozow.com", "https://v2.papadustream.tv/episode/the-walking-dead-1x1", "https://www.rubreyatson.ddnsgeek.com/", "https://parabellumnorth.com/product/py2a-g17-69-rail-set/", "remotewd.com \u2022 device-194a3e38-d1e7-421a-8a01-d136fef966f1.remotewd.com", "https://hyperbot.net/ \u2022http://rarebot.com/rarebot-installer.exe", "accounts.google.com" ], "public": 1, "adversary": "Christopher Paul Ahmann", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowfiJavaZKM", "display_name": "#LowfiJavaZKM", "target": null }, { "id": "Win.Dropper.Tofsee-10012410-0", "display_name": "Win.Dropper.Tofsee-10012410-0", "target": null }, { "id": "Win.Dropper.Tofsee-10012410-0", "display_name": "Win.Dropper.Tofsee-10012410-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 360, "URL": 1750, "FileHash-MD5": 120, "FileHash-SHA1": 80, "FileHash-SHA256": 1269, "SSLCertFingerprint": 9, "hostname": 644 }, "indicator_count": 4232, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "119 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://infimotiontec.com/about", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://infimotiontec.com/about", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776662378.5273683 }