{ "type": "URL", "indicator": "https://ior.osfs.top/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ior.osfs.top/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4156060858, "indicator": "https://ior.osfs.top/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6935c92c5fc93fd873c6aa6d", "name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)", "description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727", "modified": "2026-01-06T18:04:02.620000", "created": "2025-12-07T18:36:28.055000", "tags": [ "memcommit", "read c", "t1082", "cryptexportkey", "invalid pointer", "write", "msil", "malware", "media", "autorun", "countries", "united", "america", "high defense", "evasion", "t1055", "ck technique", "technique id", "allocates", "potential code", "attempts", "threatintel", "dark web", "coinbasecartel", "ransomware", "osint", "tor", "data breach", "cinvestav", "ai generated", "ransomware leak", "page", "november", "investigacin y", "nacional", "mexican", "mexico", "present nov", "verdana", "td tr", "passive dns", "ip address", "urls", "aaaa", "present may", "present oct", "present jul", "virtool", "present sep", "present jun", "win32", "default", "unicode", "png image", "rgba", "high", "dock", "execution", "xport", "unknown", "data upload", "extraction", "will", "data", "name cloudflare", "hostmaster name", "org cloudflare", "townsend st", "city san", "us creation", "kelihos", "ipv4", "present dec", "files", "domain", "search", "hostname", "verdict", "location united", "asn as16625", "akamai", "urls show", "date checked", "url hostname", "server response", "google safe", "results nov", "present aug", "backdoor", "msie", "chrome", "trojan", "mtb aug", "worm", "cryp", "junkpoly", "twitter", "trojandropper", "title", "germany unknown", "ipv4 add", "pulse pulses", "hosting", "reverse dns", "cologne", "search engine", "gse compromised", "redacted for", "privacy admin", "privacy tech", "server", "organization", "street", "city", "stateprovince", "postal code", "country", "resolver domain", "cape sa", "virustot", "type pdf", "name", "lookups", "email abuse", "historical ssl", "certificates", "first", "graph summary", "cname", "address", "ip2location", "bogon ip", "admin", "network", "wifi password", "ssid", "demo", "details", "failed", "include review", "exclude sugges", "onlv", "x try", "find s", "typ url", "url data", "severity att", "module load", "icmp traffic", "dns query", "t1055 jseval", "windows nt", "port", "entries", "destination", "medium", "show", "pecompact", "june", "service", "next", "xserver", "encrypt", "t1129", "windows module", "dlls", "convention", "windows native" ], "references": [ "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "hallplan.vm05.iveins.de", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "Name : iveins.de Service : connect", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com", "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727" ], "public": 1, "adversary": "COINBASECARTEL", "targeted_countries": [ "United States of America", "Sweden", "Bangladesh", "Japan" ], "malware_families": [ { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "MSIL:Agent-DQ\\ [Trj]", "display_name": "MSIL:Agent-DQ\\ [Trj]", "target": null }, { "id": "VirTool:MSIL/Covent.A", "display_name": "VirTool:MSIL/Covent.A", "target": "/malware/VirTool:MSIL/Covent.A" }, { "id": "Trojan:Win32/Pynamer!rfn", "display_name": "Trojan:Win32/Pynamer!rfn", "target": "/malware/Trojan:Win32/Pynamer!rfn" }, { "id": "Win64:TrojanX", "display_name": "Win64:TrojanX", "target": null }, { "id": "VirTool:MSIL/Covent", "display_name": "VirTool:MSIL/Covent", "target": "/malware/VirTool:MSIL/Covent" }, { "id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "CVE-2025-11727", "display_name": "CVE-2025-11727", "target": null }, { "id": "Exploit:JS/CVE-2014-0322", "display_name": "Exploit:JS/CVE-2014-0322", "target": "/malware/Exploit:JS/CVE-2014-0322" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 117, "FileHash-SHA256": 1746, "URL": 5018, "hostname": 1827, "domain": 1072, "CVE": 3, "email": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9938, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "103 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692cb6dc24da17618e3d9da6", "name": "Mirai Botnet | HackTool Powershell targets LinkedIn User | 192.168.1.1 \u2022 Remote Inbound Outbound Connection", "description": "Linux Malware - LinkedIn- True Mirai Botnet (192.168.1.1) (Never Connect) Incredibly powerful attack targeting LinkedIn users. In this instance the target is an ex husband of a target. |\nNDO Group relationships seen. This is a Botnet. \n\nMay be \u2018framing\u2019 attack that was launched in 2014. Attackers sent a clear message to target that she + husband would be arrested and charged with possession of 1000\u2019s of \u2018child pornography\u2019 pictures. \n\nAttack 10/10 malicious. Worked from separate system in separate location. Hackers unlocked a device, zero clicks, removed PSW. Tulach malware seen a profile \u2018Michael Robert\u2019s of Rexxfield\u2019 may be entity (NSA) with a face like Tulach. Uses the most WILD compromises. Government contractors? \n\nSame attackers brought down Prudentials \u2018Assurance\u2019 Medicare system forever.\n ESET hackers only allowing \u2018bad traffic\u2019 .", "modified": "2025-12-30T19:04:40.430000", "created": "2025-11-30T21:27:56.239000", "tags": [ "enter", "extract", "enter source", "urls", "address", "remote connect", "private ip", "sql", "inject", "montserrat", "script urls", "germany unknown", "xml title", "wiesinger", "style", "ip address", "script domains", "body doctype", "encrypt", "botnet", "dropper", "unix", "resolverror", "et exploit", "outbound", "mirai variant", "useragent", "inbound", "et trojan", "et webserver", "scan mirai", "hello", "execution", "mirai", "malware", "shell", "nids", "ids detections", "wget command", "http headers", "dlink devices", "home network", "mvpower dvr", "shell uce", "mirai elf", "linux malware", "is__elf", "cnc", "meta http", "content", "gmt server", "files", "reverse dns", "germany", "ismaning", "germany asn", "as5539 spacenet", "germany https", "auto generated security (?)", "redacted for", "name servers", "aaaa", "search", "for privacy", "title", "intel", "ms windows", "pe32", "process32nextw", "write c", "mssql port", "hash", "beapy", "bit32bit", "agent", "write", "hacktool", "win32", "next", "suspicious user", "pybeapy cnc", "checkin", "w32beapy cnc", "beacon", "module load", "external ip", "lookup", "home assistant", "intptr", "uint32", "type", "parameter", "oldprotectflag", "mandatory", "throw", "position", "lkshkdandl", "success", "info", "powershell", "null", "error", "date hash", "next yara", "detections name", "medium", "graph tree", "sample", "sample hash", "exec bypass", "c ipconfig", "world", "jaws webserver", "chmod usage", "strings", "extraction", "data upload", "extre", "include data", "hos hos", "y se", "sugges", "find s", "typ hos", "hos data", "hos hostname", "hos host", "extr data", "tethering", "tulach", "114.114.114.114", "passive dns", "pulse pulses", "http", "related nids", "files location", "united", "flag united", "files domain", "next associated", "ipv4 add", "delphi", "read c", "packing t1045", "t1045", "worm", "code", "june", "irc nick command", "irc", "meta", "status", "record value", "unknown aaaa", "expiration", "url http", "indicator role", "pulses url", "no expiration", "url https", "url url", "o url", "request review", "hosting", "unknown", "medium security", "extra data", "failed", "linkedin", "url add", "ireland flag", "ireland", "dublin", "ireland asn", "as16509", "spyware", "nso", "nso group", "pegasus related", "nso related", "framing", "porn", "python", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "apple", "192.168.1.1", "law", "attorney" ], "references": [ "192.168.1.1 - WOW! Use your old equipment in a non - residential environment", "http://xn.com/ \u2022 www.xn--linkedinxn-6u6e.com \u2022 http://www.linkedin-xn.com/ \u2022 www.linkedin-xn.com", "Powerful Exploit: https://otx.alienvault.com/indicator/file/ba32802bdd1f0b91cf8c667b94426d73ee654ba0", "Mirai Botnet - *Inbound & Outbound connection", "IDS Detections: *WGET Command Specifying Output in HTTP Headers", "IDS Detections: *D-Link Devices Home Network Administration Protocol Command Execution", "IDS Detections: *JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: *MVPower DVR Shell UCE *Mirai Variant User-Agent (Outbound)", "Yara : Yara Detections : SUSP_XORed_Mozilla , Linux_MiningSoftware , is__elf", "Alerts : dead_host nids_exploit_alert nids_malware_alert persistency_initd network_icmp", "Alerts : tcp_syn_scan nolookup_communication network_cnc_http network_http", "Alerts : network_http_post nids_alert chmod_syscall writes_to_stdout", "Other Mitre ATT&CK T1480 T1553.00 T1027.013 T1057 T1069.002 T1071\tT1071.004", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/video/search?search=tsara+brashears", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornokind.vgt.pl \u2022 https://pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl/", "pornlynx.com \u2022 www.pornhub.com \u2022 www.anyxxxtube.com", "https://frostty12ice.info/ \u2022 https://lawhubh.info", "Needs researching: http://lib.jerusalem.muni.il.il \u2022 https://lib.jerusalem.muni.il.il" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Botnet-6566040-0", "display_name": "Unix.Dropper.Botnet-6566040-0", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Montserrat", "display_name": "Montserrat", "target": null }, { "id": "Beapy", "display_name": "Beapy", "target": null }, { "id": "HackTool:Win32/PowerSploit!rfn", "display_name": "HackTool:Win32/PowerSploit!rfn", "target": "/malware/HackTool:Win32/PowerSploit!rfn" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Worm:Win32/Mydoom.PB!MTB", "display_name": "Worm:Win32/Mydoom.PB!MTB", "target": "/malware/Worm:Win32/Mydoom.PB!MTB" } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0036", "name": "Exfiltration", "display_name": "TA0036 - Exfiltration" }, { "id": "TA0039", "name": "Remote Service Effects", "display_name": "TA0039 - Remote Service Effects" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" } ], "industries": [ "Government", "Legal", "Healthcare", "Insurance", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4147, "domain": 871, "hostname": 2194, "FileHash-MD5": 279, "FileHash-SHA1": 257, "FileHash-SHA256": 2183, "CVE": 6, "email": 3, "SSLCertFingerprint": 1 }, "indicator_count": 9941, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "110 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Powerful Exploit: https://otx.alienvault.com/indicator/file/ba32802bdd1f0b91cf8c667b94426d73ee654ba0", "http://xn.com/ \u2022 www.xn--linkedinxn-6u6e.com \u2022 http://www.linkedin-xn.com/ \u2022 www.linkedin-xn.com", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "Mirai Botnet - *Inbound & Outbound connection", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornokind.vgt.pl \u2022 https://pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl/", "https://www.pornhub.com/video/search?search=tsara+brashears", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "IDS Detections: *MVPower DVR Shell UCE *Mirai Variant User-Agent (Outbound)", "Other Mitre ATT&CK T1480 T1553.00 T1027.013 T1057 T1069.002 T1071\tT1071.004", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727", "https://frostty12ice.info/ \u2022 https://lawhubh.info", "Needs researching: http://lib.jerusalem.muni.il.il \u2022 https://lib.jerusalem.muni.il.il", "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "Name : iveins.de Service : connect", "Alerts : dead_host nids_exploit_alert nids_malware_alert persistency_initd network_icmp", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com", "Alerts : tcp_syn_scan nolookup_communication network_cnc_http network_http", "pornlynx.com \u2022 www.pornhub.com \u2022 www.anyxxxtube.com", "hallplan.vm05.iveins.de", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "IDS Detections: *WGET Command Specifying Output in HTTP Headers", "IDS Detections: *D-Link Devices Home Network Administration Protocol Command Execution", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "192.168.1.1 - WOW! Use your old equipment in a non - residential environment", "IDS Detections: *JAWS Webserver Unauthenticated Shell Command Execution", "Alerts : network_http_post nids_alert chmod_syscall writes_to_stdout", "Yara : Yara Detections : SUSP_XORed_Mozilla , Linux_MiningSoftware , is__elf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "COINBASECARTEL" ], "malware_families": [ "Cve-2025-11727", "Unix.dropper.botnet-6566040-0", "Win32:malware", "Exploit:js/cve-2014-0322", "Virtool:msil/covent", "Tofsee", "Win64:trojanx", "Trojan:win32/pynamer!rfn", "Kelihos", "Virtool:msil/covent.a", "Hacktool:win32/powersploit!rfn", "Msil:agent-dq\\ [trj]", "Tulach", "Nids", "Beapy", "Mirai", "Trojan:win32/tiggre!rfn", "Worm:win32/mydoom.pb!mtb", "Montserrat", "#lowfi:hstr:msil/obfuscator.deepsea" ], "industries": [ "Healthcare", "Civil society", "Legal", "Education", "Government", "Insurance" ], "unique_indicators": 20059 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/osfs.top", "whois": "http://whois.domaintools.com/osfs.top", "domain": "osfs.top", "hostname": "ior.osfs.top" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6935c92c5fc93fd873c6aa6d", "name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)", "description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727", "modified": "2026-01-06T18:04:02.620000", "created": "2025-12-07T18:36:28.055000", "tags": [ "memcommit", "read c", "t1082", "cryptexportkey", "invalid pointer", "write", "msil", "malware", "media", "autorun", "countries", "united", "america", "high defense", "evasion", "t1055", "ck technique", "technique id", "allocates", "potential code", "attempts", "threatintel", "dark web", "coinbasecartel", "ransomware", "osint", "tor", "data breach", "cinvestav", "ai generated", "ransomware leak", "page", "november", "investigacin y", "nacional", "mexican", "mexico", "present nov", "verdana", "td tr", "passive dns", "ip address", "urls", "aaaa", "present may", "present oct", "present jul", "virtool", "present sep", "present jun", "win32", "default", "unicode", "png image", "rgba", "high", "dock", "execution", "xport", "unknown", "data upload", "extraction", "will", "data", "name cloudflare", "hostmaster name", "org cloudflare", "townsend st", "city san", "us creation", "kelihos", "ipv4", "present dec", "files", "domain", "search", "hostname", "verdict", "location united", "asn as16625", "akamai", "urls show", "date checked", "url hostname", "server response", "google safe", "results nov", "present aug", "backdoor", "msie", "chrome", "trojan", "mtb aug", "worm", "cryp", "junkpoly", "twitter", "trojandropper", "title", "germany unknown", "ipv4 add", "pulse pulses", "hosting", "reverse dns", "cologne", "search engine", "gse compromised", "redacted for", "privacy admin", "privacy tech", "server", "organization", "street", "city", "stateprovince", "postal code", "country", "resolver domain", "cape sa", "virustot", "type pdf", "name", "lookups", "email abuse", "historical ssl", "certificates", "first", "graph summary", "cname", "address", "ip2location", "bogon ip", "admin", "network", "wifi password", "ssid", "demo", "details", "failed", "include review", "exclude sugges", "onlv", "x try", "find s", "typ url", "url data", "severity att", "module load", "icmp traffic", "dns query", "t1055 jseval", "windows nt", "port", "entries", "destination", "medium", "show", "pecompact", "june", "service", "next", "xserver", "encrypt", "t1129", "windows module", "dlls", "convention", "windows native" ], "references": [ "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "hallplan.vm05.iveins.de", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "Name : iveins.de Service : connect", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com", "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727" ], "public": 1, "adversary": "COINBASECARTEL", "targeted_countries": [ "United States of America", "Sweden", "Bangladesh", "Japan" ], "malware_families": [ { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "MSIL:Agent-DQ\\ [Trj]", "display_name": "MSIL:Agent-DQ\\ [Trj]", "target": null }, { "id": "VirTool:MSIL/Covent.A", "display_name": "VirTool:MSIL/Covent.A", "target": "/malware/VirTool:MSIL/Covent.A" }, { "id": "Trojan:Win32/Pynamer!rfn", "display_name": "Trojan:Win32/Pynamer!rfn", "target": "/malware/Trojan:Win32/Pynamer!rfn" }, { "id": "Win64:TrojanX", "display_name": "Win64:TrojanX", "target": null }, { "id": "VirTool:MSIL/Covent", "display_name": "VirTool:MSIL/Covent", "target": "/malware/VirTool:MSIL/Covent" }, { "id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "CVE-2025-11727", "display_name": "CVE-2025-11727", "target": null }, { "id": "Exploit:JS/CVE-2014-0322", "display_name": "Exploit:JS/CVE-2014-0322", "target": "/malware/Exploit:JS/CVE-2014-0322" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 117, "FileHash-SHA256": 1746, "URL": 5018, "hostname": 1827, "domain": 1072, "CVE": 3, "email": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9938, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "103 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692cb6dc24da17618e3d9da6", "name": "Mirai Botnet | HackTool Powershell targets LinkedIn User | 192.168.1.1 \u2022 Remote Inbound Outbound Connection", "description": "Linux Malware - LinkedIn- True Mirai Botnet (192.168.1.1) (Never Connect) Incredibly powerful attack targeting LinkedIn users. In this instance the target is an ex husband of a target. |\nNDO Group relationships seen. This is a Botnet. \n\nMay be \u2018framing\u2019 attack that was launched in 2014. Attackers sent a clear message to target that she + husband would be arrested and charged with possession of 1000\u2019s of \u2018child pornography\u2019 pictures. \n\nAttack 10/10 malicious. Worked from separate system in separate location. Hackers unlocked a device, zero clicks, removed PSW. Tulach malware seen a profile \u2018Michael Robert\u2019s of Rexxfield\u2019 may be entity (NSA) with a face like Tulach. Uses the most WILD compromises. Government contractors? \n\nSame attackers brought down Prudentials \u2018Assurance\u2019 Medicare system forever.\n ESET hackers only allowing \u2018bad traffic\u2019 .", "modified": "2025-12-30T19:04:40.430000", "created": "2025-11-30T21:27:56.239000", "tags": [ "enter", "extract", "enter source", "urls", "address", "remote connect", "private ip", "sql", "inject", "montserrat", "script urls", "germany unknown", "xml title", "wiesinger", "style", "ip address", "script domains", "body doctype", "encrypt", "botnet", "dropper", "unix", "resolverror", "et exploit", "outbound", "mirai variant", "useragent", "inbound", "et trojan", "et webserver", "scan mirai", "hello", "execution", "mirai", "malware", "shell", "nids", "ids detections", "wget command", "http headers", "dlink devices", "home network", "mvpower dvr", "shell uce", "mirai elf", "linux malware", "is__elf", "cnc", "meta http", "content", "gmt server", "files", "reverse dns", "germany", "ismaning", "germany asn", "as5539 spacenet", "germany https", "auto generated security (?)", "redacted for", "name servers", "aaaa", "search", "for privacy", "title", "intel", "ms windows", "pe32", "process32nextw", "write c", "mssql port", "hash", "beapy", "bit32bit", "agent", "write", "hacktool", "win32", "next", "suspicious user", "pybeapy cnc", "checkin", "w32beapy cnc", "beacon", "module load", "external ip", "lookup", "home assistant", "intptr", "uint32", "type", "parameter", "oldprotectflag", "mandatory", "throw", "position", "lkshkdandl", "success", "info", "powershell", "null", "error", "date hash", "next yara", "detections name", "medium", "graph tree", "sample", "sample hash", "exec bypass", "c ipconfig", "world", "jaws webserver", "chmod usage", "strings", "extraction", "data upload", "extre", "include data", "hos hos", "y se", "sugges", "find s", "typ hos", "hos data", "hos hostname", "hos host", "extr data", "tethering", "tulach", "114.114.114.114", "passive dns", "pulse pulses", "http", "related nids", "files location", "united", "flag united", "files domain", "next associated", "ipv4 add", "delphi", "read c", "packing t1045", "t1045", "worm", "code", "june", "irc nick command", "irc", "meta", "status", "record value", "unknown aaaa", "expiration", "url http", "indicator role", "pulses url", "no expiration", "url https", "url url", "o url", "request review", "hosting", "unknown", "medium security", "extra data", "failed", "linkedin", "url add", "ireland flag", "ireland", "dublin", "ireland asn", "as16509", "spyware", "nso", "nso group", "pegasus related", "nso related", "framing", "porn", "python", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "apple", "192.168.1.1", "law", "attorney" ], "references": [ "192.168.1.1 - WOW! Use your old equipment in a non - residential environment", "http://xn.com/ \u2022 www.xn--linkedinxn-6u6e.com \u2022 http://www.linkedin-xn.com/ \u2022 www.linkedin-xn.com", "Powerful Exploit: https://otx.alienvault.com/indicator/file/ba32802bdd1f0b91cf8c667b94426d73ee654ba0", "Mirai Botnet - *Inbound & Outbound connection", "IDS Detections: *WGET Command Specifying Output in HTTP Headers", "IDS Detections: *D-Link Devices Home Network Administration Protocol Command Execution", "IDS Detections: *JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: *MVPower DVR Shell UCE *Mirai Variant User-Agent (Outbound)", "Yara : Yara Detections : SUSP_XORed_Mozilla , Linux_MiningSoftware , is__elf", "Alerts : dead_host nids_exploit_alert nids_malware_alert persistency_initd network_icmp", "Alerts : tcp_syn_scan nolookup_communication network_cnc_http network_http", "Alerts : network_http_post nids_alert chmod_syscall writes_to_stdout", "Other Mitre ATT&CK T1480 T1553.00 T1027.013 T1057 T1069.002 T1071\tT1071.004", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/video/search?search=tsara+brashears", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornokind.vgt.pl \u2022 https://pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl/", "pornlynx.com \u2022 www.pornhub.com \u2022 www.anyxxxtube.com", "https://frostty12ice.info/ \u2022 https://lawhubh.info", "Needs researching: http://lib.jerusalem.muni.il.il \u2022 https://lib.jerusalem.muni.il.il" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Botnet-6566040-0", "display_name": "Unix.Dropper.Botnet-6566040-0", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Montserrat", "display_name": "Montserrat", "target": null }, { "id": "Beapy", "display_name": "Beapy", "target": null }, { "id": "HackTool:Win32/PowerSploit!rfn", "display_name": "HackTool:Win32/PowerSploit!rfn", "target": "/malware/HackTool:Win32/PowerSploit!rfn" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Worm:Win32/Mydoom.PB!MTB", "display_name": "Worm:Win32/Mydoom.PB!MTB", "target": "/malware/Worm:Win32/Mydoom.PB!MTB" } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0036", "name": "Exfiltration", "display_name": "TA0036 - Exfiltration" }, { "id": "TA0039", "name": "Remote Service Effects", "display_name": "TA0039 - Remote Service Effects" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" } ], "industries": [ "Government", "Legal", "Healthcare", "Insurance", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4147, "domain": 871, "hostname": 2194, "FileHash-MD5": 279, "FileHash-SHA1": 257, "FileHash-SHA256": 2183, "CVE": 6, "email": 3, "SSLCertFingerprint": 1 }, "indicator_count": 9941, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "110 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ior.osfs.top/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ior.osfs.top/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776685697.337552 }