{ "type": "URL", "indicator": "https://intelserviceupdate.com/machine/1/1/CD183513", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://intelserviceupdate.com/machine/1/1/CD183513", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3784816605, "indicator": "https://intelserviceupdate.com/machine/1/1/CD183513", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 11, "pulses": [ { "id": "69b2b76c9a490b69b6a085b3", "name": "Exodus/cellbrite clone by Q Vashti", "description": "", "modified": "2026-03-12T12:54:04.160000", "created": "2026-03-12T12:54:04.160000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "6916e098df39114161354b23", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952febb1dbcf05ee601f050", "name": "Pegasus Ongoing l Cellbrite | Exodus | Brian Sabey | HallRender | Tulach (1.29.24)", "description": "", "modified": "2025-12-29T22:20:43.238000", "created": "2025-12-29T22:20:43.238000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65b80a20bbcd0eb305a740ec", "export_count": 40988, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "153 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916e098df39114161354b23", "name": "Exodus l Cellbrite \u2022 Pegasus | Brian Sabey | HallRender | Tulach ", "description": "", "modified": "2025-12-14T07:05:42.106000", "created": "2025-11-14T07:56:08.872000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a76c2901b34c79a681596d", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a76c2901b34c79a681596d", "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "Brian Sabey of Hall Render Law firm is incredibly entrenched in spying on a single target. Having made contact,impersonal invitations to meet, filing a lawsuit dismissed by a judge , paying to silence SA victim and spending many years spying, destroying digital profile m libel, malvertizing is concerning. \nConsidering Brashears death threats, following , being approached and attempts on her personal safety is unwarranted. Brashears was the confirmed victim of life threatening SA. How does the Federal Government allow this? Found embedded in Brashears link that came from her iPhone.", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-17T05:56:57.948000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "836 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a77c6a22a236495c4548d6", "name": "PEGASUS | Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "I'm unclear if the legitimatecy of use of Cellbrite considering Brashears was the attacked. Brashears has spoken with every authority on her own terms. Law enforcement 'you're not that important. You're not a suspect .' FBI -' Brashears victim of Identity theft case that lasted months. Alleged false reports removed.' PI's - 'someone is abusing privilege' Was a SA advocate Non Profit. Awareness Saves & social media deleted by hackers", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-17T07:06:18.453000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "remote", "malvertizing", "spying", "cyber stalking" ], "references": [ "https://tulach.cc/", "go.sabey.com", "sabey.com", "cellebrite.com", "https://cellebrite.com/en/federal-government/ [Pegasus ck privilege collection]", "https://www.pornhub.com/video/search?search=tsara+brashears", "remote.aciscomputers.com", "https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY®ion=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0", "114.114.114.114 [Tulach]", "nr-data.net [Apple Private Data Collection]", "defenselawyernj.com", "attorney-marketing-specialists.com ?", "https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225", "http://www.apple.com/appleca/AppleIncRootCertificate.cer", "http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en", "https://t.me/hermitspyware/24", "hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact", "https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone", "http://watchhers.net/index.php [remote attackers | malware spreader]", "api-stage.pornhub.com", "newbrazzers.com [y8.com]", "www.videolan.org [info solutions]", "www2.blackbagtech.com [hidden users included]", "http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv", "http://pegasus.diskel.co.uk/ [phishing]", "wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "fds.cellebrite.com", "http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0", "healthcare.greatcall.com [fake call centers | PHI & PII info stealers]", "http://download.virtualbox.org/virtualbox/debian", "match.pegasus.isi.edu", "asp.net", "http://dropbox.com/ [ intrusions/ dropbox stealer]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" } ], "industries": [ "Individual", "Patient", "Healthcare", "Survivor" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3157, "domain": 2903, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13639, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "836 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b80a20bbcd0eb305a740ec", "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-29T20:27:12.899000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a76c2901b34c79a681596d", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "836 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658b9e86f7a149333882bfb9", "name": "Hijacking | Typosquatting | Masquerading Shared Modules", "description": "*Shared Modules\t\nExecution\nAdversaries may execute malicious payloads via loading shared modules.\n\n*Masquerading\t\nDefense Evasion\nAdversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.\n\nComponent Object Model Hijacking\t\nPersistence\nPrivilege Escalation\nAdversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.\nPulse: http://ww1.thecoolzipextractorapp.com/\nFound in: https://www.hallrender.com/attorney/brian-sabey/", "modified": "2024-01-26T01:05:54.754000", "created": "2023-12-27T03:48:22.319000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "maltiverse", "dinkle threat", "paste", "iocs", "analyze", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "communicating", "whois whois", "siblings parent", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12134, "FileHash-MD5": 102, "FileHash-SHA1": 101, "FileHash-SHA256": 3982, "hostname": 2878, "domain": 2159, "CVE": 1 }, "indicator_count": 21357, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ca3f53717bb3a25e96065", "name": "Hijacking | Typosquatting | Masquerading Shared Modules | http://ww1.thecoolzipextractorapp.com/ via https://www.hallrender.com/attorney/brian-sabey/", "description": "", "modified": "2024-01-26T01:05:54.754000", "created": "2023-12-27T22:23:49.562000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "maltiverse", "dinkle threat", "paste", "iocs", "analyze", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "communicating", "whois whois", "siblings parent", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "658b9e86f7a149333882bfb9", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12134, "FileHash-MD5": 102, "FileHash-SHA1": 101, "FileHash-SHA256": 3982, "hostname": 2878, "domain": 2159, "CVE": 1 }, "indicator_count": 21357, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655e3de9eb518e46e96e9fd4", "name": "RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "tx-p2p-pull.video-voip.com.dorm.com", "modified": "2023-12-22T15:02:57.858000", "created": "2023-11-22T17:44:09.675000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "892 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655e3debccfb06fb9580b69d", "name": "RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "tx-p2p-pull.video-voip.com.dorm.com", "modified": "2023-12-22T15:02:57.858000", "created": "2023-11-22T17:44:11.982000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "892 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a947431aca6a0666c11b4", "name": " RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "", "modified": "2023-12-22T15:02:57.858000", "created": "2023-12-02T02:20:36.922000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655e3debccfb06fb9580b69d", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "892 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://download.virtualbox.org/virtualbox/debian", "114.114.114.114 [Tulach]", "https://www.pornhub.com/video/search?search=tsara+brashears", "go.sabey.com", "https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225", "hanmail.net", "http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0", "http://watchhers.net/index.php [remote attackers | malware spreader]", "sabey.com", "www2.blackbagtech.com [hidden users included]", "healthcare.greatcall.com [fake call centers | PHI & PII info stealers]", "work.a-poster.info", "defenselawyernj.com", "cellebrite.com", "https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone", "api-stage.pornhub.com", "match.pegasus.isi.edu", "http://pegasus.diskel.co.uk/ [phishing]", "remote.aciscomputers.com", "hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact", "attorney-marketing-specialists.com ?", "http://dropbox.com/ [ intrusions/ dropbox stealer]", "www-stage40.pornhub.com", "https://twitter.com/PORNO_SEXYBABES", "asp.net", "https://cellebrite.com/en/federal-government/ [Pegasus ck privilege collection]", "cellebrite.com | https://cellebrite.com/en/federal-government/", "nr-data.net [Apple Private Data Collection]", "114.114.114.114", "www.videolan.org [info solutions]", "https://tulach.cc/", "https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY®ion=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0", "https://t.me/hermitspyware/24", "http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en", "http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv", "newbrazzers.com [y8.com]", "wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "fds.cellebrite.com", "http://www.apple.com/appleca/AppleIncRootCertificate.cer" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Mediamagnet", "Swrort", "Pony", "Virut", "Quasar rat", "Azorult", "Betabot", "Artemis", "Alf:cert:bandoo", "Ramnit", "Virtool:win32/tofsee", "Exodus", "Iobit", "Suppobox", "Kimsuky", "Redline stealer", "Simda", "Sality", "Trojanx", "Kraken", "Installcore", "Matsnu", "Hacktool", "Nymaim", "Adaptivebee", "Vawtrak", "Zeus", "Sabey", "Unruy", "Tulach", "Zbot", "Hallrender", "Pws:win32/raven", "Tofsee", "Trojan:win32/comspec" ], "industries": [ "Patient", "Survivor", "Individual", "Healthcare" ], "unique_indicators": 47584 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/intelserviceupdate.com", "whois": "http://whois.domaintools.com/intelserviceupdate.com", "domain": "intelserviceupdate.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 11, "pulses": [ { "id": "69b2b76c9a490b69b6a085b3", "name": "Exodus/cellbrite clone by Q Vashti", "description": "", "modified": "2026-03-12T12:54:04.160000", "created": "2026-03-12T12:54:04.160000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "6916e098df39114161354b23", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952febb1dbcf05ee601f050", "name": "Pegasus Ongoing l Cellbrite | Exodus | Brian Sabey | HallRender | Tulach (1.29.24)", "description": "", "modified": "2025-12-29T22:20:43.238000", "created": "2025-12-29T22:20:43.238000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65b80a20bbcd0eb305a740ec", "export_count": 40988, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "153 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916e098df39114161354b23", "name": "Exodus l Cellbrite \u2022 Pegasus | Brian Sabey | HallRender | Tulach ", "description": "", "modified": "2025-12-14T07:05:42.106000", "created": "2025-11-14T07:56:08.872000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a76c2901b34c79a681596d", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a76c2901b34c79a681596d", "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "Brian Sabey of Hall Render Law firm is incredibly entrenched in spying on a single target. Having made contact,impersonal invitations to meet, filing a lawsuit dismissed by a judge , paying to silence SA victim and spending many years spying, destroying digital profile m libel, malvertizing is concerning. \nConsidering Brashears death threats, following , being approached and attempts on her personal safety is unwarranted. Brashears was the confirmed victim of life threatening SA. How does the Federal Government allow this? Found embedded in Brashears link that came from her iPhone.", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-17T05:56:57.948000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "836 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a77c6a22a236495c4548d6", "name": "PEGASUS | Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "I'm unclear if the legitimatecy of use of Cellbrite considering Brashears was the attacked. Brashears has spoken with every authority on her own terms. Law enforcement 'you're not that important. You're not a suspect .' FBI -' Brashears victim of Identity theft case that lasted months. Alleged false reports removed.' PI's - 'someone is abusing privilege' Was a SA advocate Non Profit. Awareness Saves & social media deleted by hackers", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-17T07:06:18.453000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "remote", "malvertizing", "spying", "cyber stalking" ], "references": [ "https://tulach.cc/", "go.sabey.com", "sabey.com", "cellebrite.com", "https://cellebrite.com/en/federal-government/ [Pegasus ck privilege collection]", "https://www.pornhub.com/video/search?search=tsara+brashears", "remote.aciscomputers.com", "https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY®ion=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0", "114.114.114.114 [Tulach]", "nr-data.net [Apple Private Data Collection]", "defenselawyernj.com", "attorney-marketing-specialists.com ?", "https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225", "http://www.apple.com/appleca/AppleIncRootCertificate.cer", "http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en", "https://t.me/hermitspyware/24", "hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact", "https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone", "http://watchhers.net/index.php [remote attackers | malware spreader]", "api-stage.pornhub.com", "newbrazzers.com [y8.com]", "www.videolan.org [info solutions]", "www2.blackbagtech.com [hidden users included]", "http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv", "http://pegasus.diskel.co.uk/ [phishing]", "wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "fds.cellebrite.com", "http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0", "healthcare.greatcall.com [fake call centers | PHI & PII info stealers]", "http://download.virtualbox.org/virtualbox/debian", "match.pegasus.isi.edu", "asp.net", "http://dropbox.com/ [ intrusions/ dropbox stealer]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" } ], "industries": [ "Individual", "Patient", "Healthcare", "Survivor" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3157, "domain": 2903, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13639, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "836 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b80a20bbcd0eb305a740ec", "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-29T20:27:12.899000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a76c2901b34c79a681596d", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "836 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658b9e86f7a149333882bfb9", "name": "Hijacking | Typosquatting | Masquerading Shared Modules", "description": "*Shared Modules\t\nExecution\nAdversaries may execute malicious payloads via loading shared modules.\n\n*Masquerading\t\nDefense Evasion\nAdversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.\n\nComponent Object Model Hijacking\t\nPersistence\nPrivilege Escalation\nAdversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.\nPulse: http://ww1.thecoolzipextractorapp.com/\nFound in: https://www.hallrender.com/attorney/brian-sabey/", "modified": "2024-01-26T01:05:54.754000", "created": "2023-12-27T03:48:22.319000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "maltiverse", "dinkle threat", "paste", "iocs", "analyze", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "communicating", "whois whois", "siblings parent", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12134, "FileHash-MD5": 102, "FileHash-SHA1": 101, "FileHash-SHA256": 3982, "hostname": 2878, "domain": 2159, "CVE": 1 }, "indicator_count": 21357, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ca3f53717bb3a25e96065", "name": "Hijacking | Typosquatting | Masquerading Shared Modules | http://ww1.thecoolzipextractorapp.com/ via https://www.hallrender.com/attorney/brian-sabey/", "description": "", "modified": "2024-01-26T01:05:54.754000", "created": "2023-12-27T22:23:49.562000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "maltiverse", "dinkle threat", "paste", "iocs", "analyze", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "communicating", "whois whois", "siblings parent", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "658b9e86f7a149333882bfb9", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12134, "FileHash-MD5": 102, "FileHash-SHA1": 101, "FileHash-SHA256": 3982, "hostname": 2878, "domain": 2159, "CVE": 1 }, "indicator_count": 21357, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655e3de9eb518e46e96e9fd4", "name": "RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "tx-p2p-pull.video-voip.com.dorm.com", "modified": "2023-12-22T15:02:57.858000", "created": "2023-11-22T17:44:09.675000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "892 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655e3debccfb06fb9580b69d", "name": "RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "tx-p2p-pull.video-voip.com.dorm.com", "modified": "2023-12-22T15:02:57.858000", "created": "2023-11-22T17:44:11.982000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "892 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://intelserviceupdate.com/machine/1/1/CD183513", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://intelserviceupdate.com/machine/1/1/CD183513", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780339276.9537244 }