{
"type": "URL",
"indicator": "https://ipod.com.hk/sms.html",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://ipod.com.hk/sms.html",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 2920183574,
"indicator": "https://ipod.com.hk/sms.html",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 30,
"pulses": [
{
"id": "69e4e7cfdc3bb3cdffeecf7c",
"name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]",
"description": "",
"modified": "2026-04-19T14:33:51.385000",
"created": "2026-04-19T14:33:51.385000",
"tags": [
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"communicating",
"siblings",
"file",
"hell",
"lenovo tablet",
"name servers",
"as714 apple",
"united",
"creation date",
"search",
"servers",
"date",
"moved",
"certificate",
"passive dns",
"body",
"historical",
"collections",
"contacted",
"strange",
"no data",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"blacklist http",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"malicious site",
"malware site",
"phishing site",
"million",
"malware",
"http attacker",
"ip address",
"algorithm",
"v3 serial",
"number",
"ist ca",
"g1 validity",
"public key",
"info",
"key algorithm",
"ec oid",
"key identifier",
"first",
"team alexa",
"downloader",
"wed apr",
"alexa",
"pony",
"name verdict",
"pattern match",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"script",
"beginstring",
"mitre att",
"null",
"unknown",
"span",
"error",
"class",
"generator",
"critical",
"meta",
"hybrid",
"general",
"local",
"click",
"strings",
"refresh",
"tools",
"malicious url",
"hostname",
"hostnames",
"phishing",
"union",
"team",
"bank",
"unsafe",
"spammer",
"node tcp",
"traffic",
"attacker",
"tor known",
"tor relayrouter",
"jul jan",
"mon sep",
"heur",
"artemis",
"iframe",
"conduit",
"crack",
"riskware",
"opencandy",
"cleaner",
"exploit",
"downldr",
"presenoker",
"wacatac",
"agent",
"fusioncore",
"applicunwnt",
"acint",
"nircmd",
"swrort",
"systweak",
"behav",
"tiggre",
"genkryptik",
"filetour",
"generic",
"patcher",
"driverpack",
"xtrat",
"softcnapp",
"cyber threat",
"dns server",
"http spammer",
"host",
"download",
"asyncrat",
"cobalt strike",
"apple",
"urls http",
"368600",
"320700",
"dc1542721039132",
"subdomains",
"noname057",
"tld count",
"urls",
"blacklist https",
"engineering",
"singapore",
"phishtank",
"suppobox",
"bambernek",
"facebook",
"zbot",
"malicious",
"zeus",
"emotet",
"ransomware",
"nymaim",
"redline stealer",
"service",
"virut",
"kraken",
"keybase",
"stealer",
"hawkeye",
"tinba",
"mirai",
"nanocore",
"bradesco",
"cve201711882",
"ip detections",
"country",
"83500",
"1602192580242",
"1602192586217",
"blog",
"1602192588844",
"1602192624796",
"303300",
"vhash",
"authentihash",
"ssdeep",
"file type",
"win32 exe",
"magic pe32",
"ms windows",
"intel",
"trid windows",
"control panel",
"file version",
"copyright",
"product",
"description",
"original name",
"internal name",
"rticon neutral",
"chi2",
"contained",
"details module",
"version id",
"typelib id",
"header target",
"machine intel",
"utc entry",
"point",
"count blacklist",
"tag tag",
"dot net",
"assembly common",
"clr version",
"assembly name",
"address",
"assembly",
"rva entry",
"streams size",
"entropy chi2",
"guid",
"applenoc",
"showing",
"record value",
"scan endpoints",
"all search",
"as20940",
"as16625 akamai",
"status",
"cname",
"china",
"as136907 huawei",
"nanjing",
"as2914 ntt",
"america",
"as7843 charter",
"as6461 zayo",
"domain",
"p155-fmfmobile.icloud.com",
"t-mobile",
"metro t-mobile",
"metro",
"metroby",
"social engineering",
"happywifehappylife",
"bot",
"darknet service",
"tsara brashears",
"jeffrey reimer",
"pixelrz",
"yandex",
"cp",
"cyber",
"red team",
"framing",
"qwest",
"cybercrime",
"cyber threat",
"sha256",
"runtime process",
"sha1",
"size",
"windows nt",
"indicator",
"svg scalable",
"accept",
"unis",
"buttons",
"overwrite",
"format",
"spyware",
"heodo",
"fri nov",
"installcore",
"installpack",
"win64",
"fakealert",
"dropper",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"dapato",
"networm",
"mediaget",
"softonic",
"trojan",
"encpk",
"qbot",
"predator",
"kraddare",
"iobit",
"dllinject",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"unruy",
"floxif",
"adload",
"et cins",
"active threat",
"reputation ip",
"threats et",
"cins active",
"poor reputation",
"ip tcp",
"privacy admin",
"privacy tech",
"com laude",
"redacted for",
"server",
"priority",
"email",
"organization",
"city",
"cnapple public",
"server rsa",
"stcalifornia",
"cnapple ist",
"identity search",
"group",
"issuer criteria",
"type",
"ilike search",
"id logged",
"valid",
"no no",
"no na",
"ip security",
"apple",
"limited",
"ca id",
"lsalford",
"ocomodo ca",
"code signing",
"mozilla",
"android",
"memory checks",
"dotnet_encrypted",
"multi family rat detection",
"malware_win_zgrat"
],
"references": [
"Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
"p155-fmfmobile.icloud.com",
"\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193",
"developer.huawei.com",
"PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
"http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
"Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
"fmfmobile.fe.apple-dns.net",
"http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
"http://notredamewormhoutnet.appleid.com/",
"news-publisher.pictures",
"applestore.net",
"airinthemorning.net",
"http://certs.apple.com/appleistca2g1_bc.cer",
"http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
"https://dc-mx.d3525d602ca2.pixelrz.com",
"http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
"http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)",
"http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)",
"http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)",
"http://pixelrz.com/lists/suggestions/rs485-arduino/",
"http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
"http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
"http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
"Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
"Resource: https://crt.sh/?q=privaterelay.appleid.com",
"\u2193Command and Control \u2193",
"CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
"CNC Hostname: urlspirit.spiritsoft.cn",
"Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
"Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
"Resource: https://urlscan.io/domain/privaterelay.appleid.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Systweak",
"display_name": "Systweak",
"target": null
},
{
"id": "Swrort",
"display_name": "Swrort",
"target": null
},
{
"id": "Tinba",
"display_name": "Tinba",
"target": null
},
{
"id": "XRat",
"display_name": "XRat",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Tiggre",
"display_name": "Tiggre",
"target": null
},
{
"id": "FusionCore",
"display_name": "FusionCore",
"target": null
},
{
"id": "Redline",
"display_name": "Redline",
"target": null
},
{
"id": "Virus:DOS/Nanjing",
"display_name": "Virus:DOS/Nanjing",
"target": "/malware/Virus:DOS/Nanjing"
},
{
"id": "nircmd",
"display_name": "nircmd",
"target": null
},
{
"id": "noname057",
"display_name": "noname057",
"target": null
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Softcnapp",
"display_name": "Softcnapp",
"target": null
},
{
"id": "Union",
"display_name": "Union",
"target": null
},
{
"id": "Bambernek",
"display_name": "Bambernek",
"target": null
},
{
"id": "Kraddare",
"display_name": "Kraddare",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "trojan.agensla/msil",
"display_name": "trojan.agensla/msil",
"target": null
},
{
"id": "Win:ZGRAT",
"display_name": "Win:ZGRAT",
"target": null
},
{
"id": "Wacatac.",
"display_name": "Wacatac.",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "656a971ab44409ecb7018428",
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1220,
"FileHash-SHA1": 613,
"FileHash-SHA256": 5010,
"URL": 13617,
"hostname": 3699,
"domain": 2783,
"email": 11,
"CVE": 23,
"CIDR": 2
},
"indicator_count": 26978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "3 hours ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69e4e7c6ddf646eb4e645bd5",
"name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]",
"description": "",
"modified": "2026-04-19T14:33:42.400000",
"created": "2026-04-19T14:33:42.400000",
"tags": [
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"communicating",
"siblings",
"file",
"hell",
"lenovo tablet",
"name servers",
"as714 apple",
"united",
"creation date",
"search",
"servers",
"date",
"moved",
"certificate",
"passive dns",
"body",
"historical",
"collections",
"contacted",
"strange",
"no data",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"blacklist http",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"malicious site",
"malware site",
"phishing site",
"million",
"malware",
"http attacker",
"ip address",
"algorithm",
"v3 serial",
"number",
"ist ca",
"g1 validity",
"public key",
"info",
"key algorithm",
"ec oid",
"key identifier",
"first",
"team alexa",
"downloader",
"wed apr",
"alexa",
"pony",
"name verdict",
"pattern match",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"script",
"beginstring",
"mitre att",
"null",
"unknown",
"span",
"error",
"class",
"generator",
"critical",
"meta",
"hybrid",
"general",
"local",
"click",
"strings",
"refresh",
"tools",
"malicious url",
"hostname",
"hostnames",
"phishing",
"union",
"team",
"bank",
"unsafe",
"spammer",
"node tcp",
"traffic",
"attacker",
"tor known",
"tor relayrouter",
"jul jan",
"mon sep",
"heur",
"artemis",
"iframe",
"conduit",
"crack",
"riskware",
"opencandy",
"cleaner",
"exploit",
"downldr",
"presenoker",
"wacatac",
"agent",
"fusioncore",
"applicunwnt",
"acint",
"nircmd",
"swrort",
"systweak",
"behav",
"tiggre",
"genkryptik",
"filetour",
"generic",
"patcher",
"driverpack",
"xtrat",
"softcnapp",
"cyber threat",
"dns server",
"http spammer",
"host",
"download",
"asyncrat",
"cobalt strike",
"apple",
"urls http",
"368600",
"320700",
"dc1542721039132",
"subdomains",
"noname057",
"tld count",
"urls",
"blacklist https",
"engineering",
"singapore",
"phishtank",
"suppobox",
"bambernek",
"facebook",
"zbot",
"malicious",
"zeus",
"emotet",
"ransomware",
"nymaim",
"redline stealer",
"service",
"virut",
"kraken",
"keybase",
"stealer",
"hawkeye",
"tinba",
"mirai",
"nanocore",
"bradesco",
"cve201711882",
"ip detections",
"country",
"83500",
"1602192580242",
"1602192586217",
"blog",
"1602192588844",
"1602192624796",
"303300",
"vhash",
"authentihash",
"ssdeep",
"file type",
"win32 exe",
"magic pe32",
"ms windows",
"intel",
"trid windows",
"control panel",
"file version",
"copyright",
"product",
"description",
"original name",
"internal name",
"rticon neutral",
"chi2",
"contained",
"details module",
"version id",
"typelib id",
"header target",
"machine intel",
"utc entry",
"point",
"count blacklist",
"tag tag",
"dot net",
"assembly common",
"clr version",
"assembly name",
"address",
"assembly",
"rva entry",
"streams size",
"entropy chi2",
"guid",
"applenoc",
"showing",
"record value",
"scan endpoints",
"all search",
"as20940",
"as16625 akamai",
"status",
"cname",
"china",
"as136907 huawei",
"nanjing",
"as2914 ntt",
"america",
"as7843 charter",
"as6461 zayo",
"domain",
"p155-fmfmobile.icloud.com",
"t-mobile",
"metro t-mobile",
"metro",
"metroby",
"social engineering",
"happywifehappylife",
"bot",
"darknet service",
"tsara brashears",
"jeffrey reimer",
"pixelrz",
"yandex",
"cp",
"cyber",
"red team",
"framing",
"qwest",
"cybercrime",
"cyber threat",
"sha256",
"runtime process",
"sha1",
"size",
"windows nt",
"indicator",
"svg scalable",
"accept",
"unis",
"buttons",
"overwrite",
"format",
"spyware",
"heodo",
"fri nov",
"installcore",
"installpack",
"win64",
"fakealert",
"dropper",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"dapato",
"networm",
"mediaget",
"softonic",
"trojan",
"encpk",
"qbot",
"predator",
"kraddare",
"iobit",
"dllinject",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"unruy",
"floxif",
"adload",
"et cins",
"active threat",
"reputation ip",
"threats et",
"cins active",
"poor reputation",
"ip tcp",
"privacy admin",
"privacy tech",
"com laude",
"redacted for",
"server",
"priority",
"email",
"organization",
"city",
"cnapple public",
"server rsa",
"stcalifornia",
"cnapple ist",
"identity search",
"group",
"issuer criteria",
"type",
"ilike search",
"id logged",
"valid",
"no no",
"no na",
"ip security",
"apple",
"limited",
"ca id",
"lsalford",
"ocomodo ca",
"code signing",
"mozilla",
"android",
"memory checks",
"dotnet_encrypted",
"multi family rat detection",
"malware_win_zgrat"
],
"references": [
"Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
"p155-fmfmobile.icloud.com",
"\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193",
"developer.huawei.com",
"PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
"http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
"Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
"fmfmobile.fe.apple-dns.net",
"http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
"http://notredamewormhoutnet.appleid.com/",
"news-publisher.pictures",
"applestore.net",
"airinthemorning.net",
"http://certs.apple.com/appleistca2g1_bc.cer",
"http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
"https://dc-mx.d3525d602ca2.pixelrz.com",
"http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
"http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)",
"http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)",
"http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)",
"http://pixelrz.com/lists/suggestions/rs485-arduino/",
"http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
"http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
"http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
"Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
"Resource: https://crt.sh/?q=privaterelay.appleid.com",
"\u2193Command and Control \u2193",
"CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
"CNC Hostname: urlspirit.spiritsoft.cn",
"Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
"Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
"Resource: https://urlscan.io/domain/privaterelay.appleid.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Systweak",
"display_name": "Systweak",
"target": null
},
{
"id": "Swrort",
"display_name": "Swrort",
"target": null
},
{
"id": "Tinba",
"display_name": "Tinba",
"target": null
},
{
"id": "XRat",
"display_name": "XRat",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Tiggre",
"display_name": "Tiggre",
"target": null
},
{
"id": "FusionCore",
"display_name": "FusionCore",
"target": null
},
{
"id": "Redline",
"display_name": "Redline",
"target": null
},
{
"id": "Virus:DOS/Nanjing",
"display_name": "Virus:DOS/Nanjing",
"target": "/malware/Virus:DOS/Nanjing"
},
{
"id": "nircmd",
"display_name": "nircmd",
"target": null
},
{
"id": "noname057",
"display_name": "noname057",
"target": null
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Softcnapp",
"display_name": "Softcnapp",
"target": null
},
{
"id": "Union",
"display_name": "Union",
"target": null
},
{
"id": "Bambernek",
"display_name": "Bambernek",
"target": null
},
{
"id": "Kraddare",
"display_name": "Kraddare",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "trojan.agensla/msil",
"display_name": "trojan.agensla/msil",
"target": null
},
{
"id": "Win:ZGRAT",
"display_name": "Win:ZGRAT",
"target": null
},
{
"id": "Wacatac.",
"display_name": "Wacatac.",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "656a971ab44409ecb7018428",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1220,
"FileHash-SHA1": 613,
"FileHash-SHA256": 5010,
"URL": 13617,
"hostname": 3699,
"domain": 2783,
"email": 11,
"CVE": 23,
"CIDR": 2
},
"indicator_count": 26978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "3 hours ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "9 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69ddeb45c45f6a3cd721397d",
"name": "Active attacks \u2022 Apple \u2022 Tulach",
"description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious",
"modified": "2026-04-14T07:22:45.250000",
"created": "2026-04-14T07:22:45.250000",
"tags": [
"url http",
"ipv4",
"indicator role",
"active related",
"united",
"moved",
"gmt content",
"certificate",
"all domain",
"msie",
"chrome",
"extraction",
"data upload",
"twitter",
"cookie",
"extra",
"include data",
"review locs",
"exclude",
"suggested os",
"onlv",
"failed",
"stop data",
"read c",
"unicode",
"rgba",
"memcommit",
"delete",
"dock",
"write",
"execution",
"sc type",
"extri",
"include review",
"exclude sugges",
"typ data",
"a domains",
"present apr",
"script urls",
"files",
"files ip",
"address",
"ios",
"mac",
"apple",
"appleid",
"itunes",
"next associated",
"all ipv4",
"included ic",
"uny teade",
"type hostnar",
"hostnar hostnar",
"hostnar",
"macair",
"macairaustralia",
"ipad",
"ipod",
"cryptexportkey",
"invalid pointer",
"cryptgenkey",
"stream",
"defender",
"delphi",
"class",
"stack",
"format",
"unknown",
"united states",
"phishing",
"password",
"traffic redirected",
"service mod",
"service execution",
"youtube",
"music",
"streams",
"songs",
"played songs",
"music streams",
"most played",
"fonelab",
"indicator",
"included iocs",
"manually add",
"review ocs",
"exclude inn",
"sugges data",
"find",
"include",
"url https",
"enter sc",
"type",
"no matchme",
"search otx",
"https",
"references x",
"analyze",
"open th",
"url data",
"se http",
"no match",
"excluded iocs",
"iocs",
"ip whitelisted",
"whitelisted",
"tcp include",
"analysis date",
"file score",
"medium risk",
"yara detections",
"contacted",
"related tags",
"x vercel",
"file type",
"type indicator",
"role title",
"related pulses",
"mulch virtua",
"library loade",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugt",
"samuel tulach",
"unity engine",
"tulach",
"sa awareness",
"sabey",
"sar cut",
"autofill",
"includer review",
"portiana oney",
"targeting",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"musickit_1_.js",
"lazarus",
"injection",
"CVE-2017-8570",
"prefetch2",
"target",
"aaaa",
"ip address",
"record value",
"emails",
"samuel tuachs",
"sapev",
"review exclude",
"monitored target",
"script",
"mitre att",
"ascii text",
"span",
"path",
"iframe",
"april",
"hybrid",
"general",
"local",
"click",
"strings",
"body",
"development att",
"t1055.012 list planting",
"active"
],
"references": [
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"https://podcasts.apple.com/us/podcast/lazarus",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://help.aiseesoft.jp/blu-ray-player",
"http://help.aiseesoft.jp/fonelab/",
"https://action.aiseesoft.jp/itunes.php",
"http://help.aiseesoft.jp/total-video-converter",
"http://help.aiseesoft.jp/total-video-converter/",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"http://test-firstmile.digitecgalaxus.ch",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"cdn.rss.applemarketingtools.com",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"1.bing.com.cn",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"www.phantomcameras.cn",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"podcasts.apple.com \u2022 23.34.32.21",
"www.apple.com \u2022 23.34.32.199",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"http://firstmile.digitecgalaxus.ch",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"Tulach.cc",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"asp.net domain pointer",
"developer.x.com",
"aotx.alienvault.com (aotx.?)",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1020.001",
"name": "Traffic Duplication",
"display_name": "T1020.001 - Traffic Duplication"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591.002",
"name": "Business Relationships",
"display_name": "T1591.002 - Business Relationships"
},
{
"id": "T1591.001",
"name": "Determine Physical Locations",
"display_name": "T1591.001 - Determine Physical Locations"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1029,
"domain": 396,
"email": 7,
"URL": 2784,
"FileHash-SHA256": 898,
"FileHash-MD5": 79,
"FileHash-SHA1": 68,
"IPv4": 35,
"CVE": 1,
"SSLCertFingerprint": 13
},
"indicator_count": 5310,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d9b0e549af1aae2975ebeb",
"name": "Virtual Servers \u2022 Tulach \u2022 Eternal Blue",
"description": "Interesting. Further research required. \n\nhttps://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+\n\n\nhttps://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff90+IP:+Sweden%0A\\\\xfff0\\\\xff9f\\\\xff97\\\\xffba+Country:+SE+",
"modified": "2026-04-11T02:24:37.102000",
"created": "2026-04-11T02:24:37.102000",
"tags": [
"related pulses",
"apple",
"imac",
"itunes",
"tulach",
"active",
"vercel",
"ms windows",
"intel",
"yara rule",
"lredmond",
"rsds",
"write c",
"tls sni",
"write",
"install",
"rijndael",
"malware",
"accept",
"self",
"mtb apr",
"lowfi",
"backdoor",
"antigua",
"trojandropper",
"all ipv4",
"urls",
"prometheus",
"files",
"files ip",
"address",
"united",
"unknown aaaa",
"cname",
"tags",
"keepalived",
"ip address",
"red hat",
"nat node",
"gns3",
"firefox",
"ovn network",
"instances",
"forum",
"linux",
"dynamicloader",
"exclusionpath",
"medium",
"high",
"telegram api",
"windows",
"f rl",
"highest sc",
"guard",
"april",
"powershell",
"c mar",
"virtool",
"c jan",
"c dec",
"urls show",
"url hostname",
"ransom",
"click",
"title",
"njrat",
"as64521i",
"bird",
"bgp",
"virtual private",
"virtual servers",
"et exploit",
"ms17010 echo",
"response",
"echo response",
"asnone",
"probe ms17010",
"nids",
"m2 ms17010",
"regsetvalueexa",
"service",
"wannacry",
"dock",
"unknown",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"mitre att",
"defense evasion",
"sha1",
"sha256",
"size",
"pattern match",
"ascii text",
"path",
"stop",
"hybrid",
"general",
"local",
"twitter",
"strings",
"core",
"telegram",
"tools"
],
"references": [
"Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H IDS Detections Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE Probe MS17-010 (Generic Flags) Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , WannaCry_Ransomware_Gen , WannaDecryptor , stack_string , MS17_010_WanaCry_worm More Alerts nids_exploit",
"https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+ Akamai rank: #2475\t URL https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff9",
"https://go.recordedfuture.com/hubfs/reports/cta-2023-0816.pdf",
"https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f",
"Trojans: 149.154.166.110 command_and_control (build your own telegram) 208.95.112.1 command_and_control",
"prometheus.shorty.cicloinfinito.com",
"Win.Packed.njRAT-10002074-1",
"NJRat IDS Detections: Telegram API Domain in DNS Lookup",
"NJRat IDS Detections: Observed Telegram API Domain (api .telegram .org in TLS SNI)",
"NJRat IDS Detections: Telegram API Certificate Observed",
"NJRat Yara Detections: ByteCode_MSIL_Backdoor_AsyncRAT",
"NJRat Alerts: hardware_id_profiling network_cnc_https_pastesite persistence_autorun",
"NJRat Alerts: persistence_autorun_tasks binary_yara procmem_yara suricata_alert",
"NJRat Alerts: windows_defender_powershell network_document_file powershell_command_suspicious",
"NJRat Alerts: suspicious_command_tools antidebug_guardpages antisandbox_sleep",
"NJRat Alerts: dynamic_function_loading encrypted_ioc registers_vectored_exception_handler",
"NJRat Alerts: http_request reads_memory_remote_process network_cnc_https_generic reads_self",
"NJRat IP\u2019s Contacted 149.154.166.110 172.66.171.73",
"NJRat Domains Contacted pastebin.com api.telegram.org",
"192.168.122.200 BGP: Simulating Inter-network Dynamic Routing",
"EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.105\", \"dst_port\": 49317, \"sid\": 2025650, \"date\": \"2020/06/18 11:39:48\", \"dst_ip\": \"192.168.56.103\" }, \"type\": \"ioc\", \"description\": null }, { \"category\": \"suricata\", \"ioc\": { \"src_port\": 445, \"name\": \"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.108\", \"dst_port\": 49324, "
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Japan",
"United States of America",
"China"
],
"malware_families": [
{
"id": "Win.Trojan.Generic-9908396-0",
"display_name": "Win.Trojan.Generic-9908396-0",
"target": null
},
{
"id": "Win.Trojan.Crypted-30",
"display_name": "Win.Trojan.Crypted-30",
"target": null
},
{
"id": "Backdoor:Win32/Berbew",
"display_name": "Backdoor:Win32/Berbew",
"target": "/malware/Backdoor:Win32/Berbew"
},
{
"id": "Win.Malware.Score-6985947-1",
"display_name": "Win.Malware.Score-6985947-1",
"target": null
},
{
"id": "ALF:PWS:MSIL/Stealgen.GC!MTB",
"display_name": "ALF:PWS:MSIL/Stealgen.GC!MTB",
"target": null
},
{
"id": "Win.Packed.Zpack-10013367-0",
"display_name": "Win.Packed.Zpack-10013367-0",
"target": null
},
{
"id": "ALF:Trojan:Win32/FormBook.F!MTB",
"display_name": "ALF:Trojan:Win32/FormBook.F!MTB",
"target": null
},
{
"id": "Win.Malware.Renos-10003934-0",
"display_name": "Win.Malware.Renos-10003934-0",
"target": null
},
{
"id": "Win.Trojan.Razy-10016933-0",
"display_name": "Win.Trojan.Razy-10016933-0",
"target": null
},
{
"id": "#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.A",
"display_name": "#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.A",
"target": null
},
{
"id": "NJRat",
"display_name": "NJRat",
"target": null
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Private Internet Access",
"display_name": "Private Internet Access",
"target": null
},
{
"id": "Malware Packed",
"display_name": "Malware Packed",
"target": null
},
{
"id": "W32/WannaCryptor.491A!tr.ransom",
"display_name": "W32/WannaCryptor.491A!tr.ransom",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1584.003",
"name": "Virtual Private Server",
"display_name": "T1584.003 - Virtual Private Server"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1144",
"name": "Gatekeeper Bypass",
"display_name": "T1144 - Gatekeeper Bypass"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
}
],
"industries": [
"Telecommunications",
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 556,
"domain": 206,
"URL": 863,
"FileHash-SHA256": 1589,
"IPv4": 519,
"FileHash-MD5": 472,
"FileHash-SHA1": 376,
"SSLCertFingerprint": 11,
"email": 1
},
"indicator_count": 4593,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64eccb5d39a90a3c391e",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:32.565000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64e1d5e06aa6207f78de",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:21.863000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6962d43456bb524b17e9d5ce",
"name": "Apple MyDoom + IOC\u2019s isolated from Palantir related Pahamify Pegasus | BibleGateway App | Drive by & other targeting /.monitoring Access Attacks ",
"description": "",
"modified": "2026-02-09T22:00:25.303000",
"created": "2026-01-10T22:35:32.582000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6962bb143187f7cb571ef6f5",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1190,
"hostname": 891,
"URL": 4201,
"FileHash-SHA256": 1555,
"email": 33,
"FileHash-MD5": 591,
"FileHash-SHA1": 400
},
"indicator_count": 8861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6962bb143187f7cb571ef6f5",
"name": "Pahamify Pegasus",
"description": "Hmmm, only able to manually add IOC\u2019s after last pulse.\n\nPulse: Pahamify Pegasus - Apple IOC\u2019s",
"modified": "2026-02-09T22:00:25.303000",
"created": "2026-01-10T20:48:20.438000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1190,
"hostname": 891,
"URL": 4201,
"FileHash-SHA256": 1555,
"email": 33,
"FileHash-MD5": 591,
"FileHash-SHA1": 400
},
"indicator_count": 8861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6962b68da732abc66a0c2caf",
"name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus",
"description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else",
"modified": "2026-02-09T19:00:09.890000",
"created": "2026-01-10T20:29:01.675000",
"tags": [
"ip address",
"status code",
"kb body",
"iocs",
"deny age",
"cloudfront",
"utc google",
"tag manager",
"g8t6ln06z40",
"utc na",
"google tag",
"injection",
"t1055 malware",
"tree",
"help v",
"defense evasion",
"injection t1055",
"resolved ips",
"get http",
"dns resolutions",
"v memory",
"pattern domains",
"full reports",
"v help",
"memory pattern",
"urls https",
"hashes",
"tiktok",
"microsoft",
"dashboard falcon",
"request",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"appleid",
"united",
"name servers",
"aaaa",
"servers",
"moved",
"script urls",
"passive dns",
"urls",
"data upload",
"extraction",
"failed",
"jsvendor",
"jsapp",
"script script",
"cssapp",
"jsfirebase",
"pegasus",
"encrypt",
"title error",
"ipv4",
"files",
"reverse dns",
"united states",
"malware",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"execution att",
"t1204 user",
"script",
"beginstring",
"bad traffic",
"et info",
"null",
"title",
"refresh",
"span",
"strings",
"error",
"tools",
"meta",
"look",
"verify",
"restart",
"mitre att",
"ascii text",
"pattern match",
"ck matrix",
"tls handshake",
"hybrid",
"general",
"local",
"path",
"click",
"ck techniques",
"access att",
"div div",
"a li",
"ul div",
"record value",
"emails",
"accept",
"referen https",
"microsoft-falcon.net",
"proxy",
"status",
"certificate",
"updated date",
"whois server",
"zipcode",
"entries http",
"scans show",
"search",
"matches x",
"type",
"gmt cache",
"all ipv4",
"america flag",
"america asn",
"sameorigin",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results jan",
"ipv4 add",
"win32mydoom jan",
"trojan",
"worm",
"expiration date",
"files show",
"date hash",
"avast avg",
"win32mydoom",
"backdoor",
"found",
"gmt connection",
"control",
"content type",
"twitter",
"dynamicloader",
"medium",
"high",
"msie",
"wow64",
"slcc2",
"media center",
"write",
"global",
"domain name",
"hostname",
"apple",
"racebook",
"mouse movement",
"remote mouse",
"domain",
"hostname add",
"url analysis",
"crlf line",
"ff d5",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"f0 ff",
"ff bb",
"music",
"push",
"autorun",
"unknown",
"present sep",
"present may",
"present jan",
"present aug",
"cname",
"present nov",
"present jun",
"apache",
"body",
"pragma",
"found registry",
"able",
"model",
"indicator",
"source",
"show technique",
"file",
"internet",
"errore",
"erreur",
"download",
"service",
"crypto",
"compiler",
"installer",
"yang",
"updater",
"shutdown",
"thunk",
"este",
"install",
"reboot",
"code",
"downloader",
"sigur",
"kanna",
"der zugriff",
"google",
"chrome",
"Pahamify Pegasus",
"christoper p. ahmann",
"law enforcement",
"retaliation",
"phone",
"espionage",
"united states",
"m brian sabey",
"quasi government",
"target",
"monitored targeting",
"aig",
"therahand (old name)",
"target: tsara brashears",
"douglas county, co",
"sheriff",
"industry and commerce",
"worker\u2019s compensation",
"crime",
"financial crime",
"danger",
"nem tih",
"amazon",
"aws",
"amazon aws",
"deal",
"deal with it lawfully",
"pay victim",
"protecting reimer"
],
"references": [
"https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
"Pahamify Pegasus",
"Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
"https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
"https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
"tv.apple.com",
"dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
"Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A",
"IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
"IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
"IDS: TLS Handshake Failure",
"Yara Detections BackdoorWin32Simda",
"Google_Chrome_64bit_v136.0.7103.49.exe",
"https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Pariham.A",
"display_name": "Trojan:Win32/Pariham.A",
"target": "/malware/Trojan:Win32/Pariham.A"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Virus:Win95/Cerebrus",
"display_name": "Virus:Win95/Cerebrus",
"target": "/malware/Virus:Win95/Cerebrus"
},
{
"id": "AutoRunIt",
"display_name": "AutoRunIt",
"target": null
},
{
"id": "Sigur",
"display_name": "Sigur",
"target": null
},
{
"id": "Kanna",
"display_name": "Kanna",
"target": null
},
{
"id": "Der Zugriff",
"display_name": "Der Zugriff",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1029",
"name": "Scheduled Transfer",
"display_name": "T1029 - Scheduled Transfer"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1124",
"name": "System Time Discovery",
"display_name": "T1124 - System Time Discovery"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1213",
"name": "Data from Information Repositories",
"display_name": "T1213 - Data from Information Repositories"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1489",
"name": "Service Stop",
"display_name": "T1489 - Service Stop"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1529",
"name": "System Shutdown/Reboot",
"display_name": "T1529 - System Shutdown/Reboot"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1559",
"name": "Inter-Process Communication",
"display_name": "T1559 - Inter-Process Communication"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1569",
"name": "System Services",
"display_name": "T1569 - System Services"
},
{
"id": "T1570",
"name": "Lateral Tool Transfer",
"display_name": "T1570 - Lateral Tool Transfer"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1569.002",
"name": "Service Execution",
"display_name": "T1569.002 - Service Execution"
},
{
"id": "T1543.003",
"name": "Windows Service",
"display_name": "T1543.003 - Windows Service"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1055.003",
"name": "Thread Execution Hijacking",
"display_name": "T1055.003 - Thread Execution Hijacking"
},
{
"id": "T1134.001",
"name": "Token Impersonation/Theft",
"display_name": "T1134.001 - Token Impersonation/Theft"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1134.002",
"name": "Create Process with Token",
"display_name": "T1134.002 - Create Process with Token"
},
{
"id": "T1070.006",
"name": "Timestomp",
"display_name": "T1070.006 - Timestomp"
},
{
"id": "T1564.003",
"name": "Hidden Window",
"display_name": "T1564.003 - Hidden Window"
},
{
"id": "T1497.003",
"name": "Time Based Evasion",
"display_name": "T1497.003 - Time Based Evasion"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1497.002",
"name": "User Activity Based Checks",
"display_name": "T1497.002 - User Activity Based Checks"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1074.001",
"name": "Local Data Staging",
"display_name": "T1074.001 - Local Data Staging"
},
{
"id": "T1560.002",
"name": "Archive via Library",
"display_name": "T1560.002 - Archive via Library"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
}
],
"industries": [
"Civil Society",
"Legal",
"Government",
"Technology",
"Telecommunications",
"Financial"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6094,
"domain": 1195,
"hostname": 2001,
"FileHash-SHA256": 2598,
"FileHash-MD5": 546,
"FileHash-SHA1": 403,
"email": 16,
"CVE": 2,
"SSLCertFingerprint": 3
},
"indicator_count": 12858,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "695555b664c8998371393b8f",
"name": "\u200emyMetro App - App Store \u2022 Access Attack via iOS App",
"description": "Apple iOS attack. Drive by compromise. Device fully compromised. Service provider incorrect. Device user does not use MetroPCS as Cellular carrier. \n\n#cyberwarfare #pegasus #endgame #apple #earsinthecornfield #compromised_device #zombie",
"modified": "2026-01-30T16:01:37.437000",
"created": "2025-12-31T16:56:22.577000",
"tags": [
"espaol",
"metro pcs",
"metro",
"english",
"data",
"privacy",
"learn",
"requires",
"strong",
"see all",
"bernie",
"mint",
"never",
"example",
"click",
"indonesia",
"\u2019m",
"win32mydoom dec",
"united",
"trojan",
"name servers",
"servers",
"expiration date",
"backdoor",
"found",
"passive dns",
"gmt connection",
"control",
"content type",
"twitter",
"title",
"aaaa",
"ember cli",
"ember view",
"certificate",
"win32",
"invalid url",
"body html",
"head title",
"title head",
"body h1",
"reference",
"urls",
"akamai",
"unknown ns",
"domain",
"search",
"ipv4",
"files",
"reverse dns",
"location united",
"america flag",
"america asn",
"dynamicloader",
"port",
"high",
"medium",
"windows",
"displayname",
"write",
"destination",
"tofsee",
"stream",
"malware",
"hostile",
"read c",
"show",
"rgba",
"unicode",
"whitelisted",
"memcommit",
"delete",
"execution",
"dock",
"persistence",
"msie",
"chrome",
"ip address",
"otx telemetry",
"unknown soa",
"gmt content",
"for privacy",
"moved",
"record value",
"ubuntu date",
"encrypt",
"a domains",
"welcome",
"type",
"content length",
"ipv4 add",
"url analysis",
"accept",
"overview domain",
"files ip",
"address",
"location france",
"asn as16276",
"tags none",
"indicator facts",
"historical otx",
"france unknown",
"ovhcloud meta",
"domain add",
"present dec",
"status",
"service",
"win32cutwail",
"setcookie",
"gmt server",
"refloadapihash",
"virtool",
"present nov",
"present oct",
"all ipv4",
"hostname",
"present jul",
"saudi arabia",
"present mar",
"present jun",
"present feb",
"entries",
"france asn",
"asn as16509",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"ascii text",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"sha1",
"hybrid",
"local",
"path",
"strings",
"delete c",
"okrndate",
"grum",
"powershell",
"pegasus",
"unknown",
"crlf line",
"ff d5",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"f0 ff",
"ff bb",
"push",
"autorun",
"suspicious",
"pulse pulses",
"date",
"music",
"apple",
"apple id",
"show process",
"flag",
"markmonitor",
"name tactics",
"informative",
"command",
"adversaries",
"spawns",
"access att",
"t1566 phishing",
"zerobits",
"allocationtype",
"protect",
"programfiles",
"processhandle",
"commitsize",
"viewsize",
"regionsize",
"handles modules",
"files amsi",
"filehandle",
"path filehandle",
"porthandle",
"copy md5",
"copy sha1",
"copy sha256",
"href",
"null",
"refresh",
"body",
"span",
"general",
"error",
"tools",
"look",
"verify",
"restart",
"html",
"x22scriptx22",
"binary file",
"t1189",
"cyberwarfare",
"brian sabey",
"never say anything",
"christopher ahmann",
"colorado state",
"quasi",
"zombie device",
"present may",
"emails",
"exif standard",
"tiff image",
"windows nt",
"wow64",
"slcc2",
"media center",
"jpeg image",
"copy",
"next",
"pecompact",
"february",
"packer",
"delphi",
"code",
"tlsv1",
"ogoogle trust",
"xserver",
"lowfi",
"creation date",
"domain name",
"showing",
"ids detections",
"yara detections",
"worm",
"arial",
"present aug",
"meta",
"dns domain",
"site",
"free dns",
"msil",
"dnssec",
"penetration",
"injections",
"dead host"
],
"references": [
"https://apps.apple.com/app/",
"metropcs.com/account/sign-in.html",
"smtp.google.com \u2022 www.google.com/images/errors/robot.png",
"https://www.endgamesystems.com/ \u2022 https://www.endgames.com/",
"https://freedns.afraid.org/images/exclamation",
"xred.mooo.com \u2022 mooo.com \u2022 afraid.org",
"admin@bigtits.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "\u2019m",
"display_name": "\u2019m",
"target": null
},
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Worm:Win32/Mydoom",
"display_name": "Worm:Win32/Mydoom",
"target": "/malware/Worm:Win32/Mydoom"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win.Trojan.Installcore-877",
"display_name": "Win.Trojan.Installcore-877",
"target": null
},
{
"id": "Win.Downloader.Small",
"display_name": "Win.Downloader.Small",
"target": null
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
},
{
"id": "Tibs",
"display_name": "Tibs",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "ALF:JASYP:PUA:Win32/4Shared",
"display_name": "ALF:JASYP:PUA:Win32/4Shared",
"target": null
}
],
"attack_ids": [
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1418",
"name": "Application Discovery",
"display_name": "T1418 - Application Discovery"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1195.001",
"name": "Compromise Software Dependencies and Development Tools",
"display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
},
{
"id": "T1577",
"name": "Compromise Application Executable",
"display_name": "T1577 - Compromise Application Executable"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1086",
"name": "PowerShell",
"display_name": "T1086 - PowerShell"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1863,
"URL": 4952,
"FileHash-SHA256": 1990,
"FileHash-MD5": 981,
"FileHash-SHA1": 791,
"email": 26,
"domain": 1277,
"SSLCertFingerprint": 24
},
"indicator_count": 11904,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "79 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "694dc80ac6e7fd5474b316a1",
"name": "Malicious DDOS attacks targeting Brand New 2025 | Updated Apple Products affecting IRS payment portal",
"description": "Malicious actors continue to target certain users attempting to pay the IRS. Victim is redirected to : http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan after typing in IRS.gov (w/ secure header \u2018https\u2019 )\nOnce information is input it is payment is rejected, levy against bank accounts and assets and other threats. There is social engineering as one victim is communicating with someone allegedly from the IRS? \nAlthough malicious entities contacted , malicious behavior continues. Adversaries in the Middle attack. US hacker group. Denver, Iowa, Arizona, NY and abroad. \n\n*Targets: https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main |",
"modified": "2026-01-24T22:05:13.068000",
"created": "2025-12-25T23:26:02.712000",
"tags": [
"hash avast",
"avg clamav",
"msdefender feb",
"url http",
"url https",
"zipcode",
"active related",
"cage01195 dec",
"passports",
"ipv4",
"active",
"irs",
"apple",
"role title",
"indicator role",
"malware attacks",
"find encrypted",
"lumen",
"fastly",
"create c",
"read c",
"delete",
"write",
"default",
"medium",
"rgba",
"dock",
"execution",
"xport",
"united",
"passive dns",
"urls",
"expiration date",
"unknown ns",
"unknown aaaa",
"pulse pulses",
"merit",
"dod network",
"type indicator",
"related pulses",
"name",
"name servers",
"ffffff",
"ip address",
"emails",
"object",
"clsid6bf52a52",
"cookie",
"meta",
"united kingdom",
"germany",
"russia",
"search",
"added active",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"href",
"pattern match",
"ascii text",
"ck id",
"mitre att",
"ck matrix",
"t1071",
"general",
"local",
"path",
"iframe",
"click",
"beginstring",
"segoe ui",
"null",
"refresh",
"span",
"hybrid",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"data upload",
"extraction",
"failed",
"include data",
"entries",
"unicode",
"high",
"memcommit",
"next",
"flag",
"process details",
"path expiresthu",
"moved",
"gmt set",
"domain",
"httponly path",
"encrypt",
"leaseweb",
"iowa",
"title added",
"bad traffic",
"et info",
"tls handshake",
"failure",
"command decode",
"suricata stream",
"circle",
"f5f8fa",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"development att",
"suricata http",
"windows nt",
"date",
"ips initial",
"prefetch8",
"localappdata",
"prefetch1",
"programfiles",
"edge",
"access att",
"t1566 phishing",
"initial access",
"show process",
"show technique",
"process",
"t1057",
"contacted",
"ck techniques",
"evasion att",
"body",
"report spam",
"apple",
"ddos",
"irs created",
"hours ago",
"white",
"apple user",
"industries",
"government",
"finance",
"trojandropper",
"appleservice",
"mirai",
"trojan",
"next associated",
"fastly error",
"please",
"sea p",
"mozilla",
"accept",
"alerts",
"filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"analysis date",
"file score",
"medium risk",
"copy",
"richhash",
"finding notes",
"clamav malware",
"files matching",
"number",
"sample analysis",
"samples show",
"date hash",
"yara rule",
"msie",
"t1063",
"windows",
"malware",
"detected",
"https domain",
"tls sni",
"markus",
"smartassembly",
"win64",
"exif data",
"present dec",
"status",
"showing",
"show",
"icmp traffic",
"pdb path",
"crlf line",
"mutex",
"ms defender",
"mtb malware",
"hide samples",
"rootkit",
"apple webkit",
"macbook pro",
"apple ios"
],
"references": [
"sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022",
"132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center",
"154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc",
"165.206.254.134 \u2022 Description: CC=US ASN=AS6122",
"192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company",
"195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet",
"205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company",
"207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network",
"207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network",
"214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center",
"216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies",
"78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh",
"95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content",
"http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content",
"http://www.anyxxxtube.net/search-porn/ - Adult Content",
"https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content",
"http://sissy.com/default - Adult Content",
"https://eliyporasa - Adult Content",
"64.38.232.180 - Adult Content IP",
"www.anyxxxtube.net - Adult Content",
"www.anyxxxtube.net - Adult Content IP",
"http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content",
"http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP",
"jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP",
"https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP",
"http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP",
"http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP",
"http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP",
"httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022",
"http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org",
"asp.bet",
"apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net",
"https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c",
"https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main",
"http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com",
"jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com",
"https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e",
"Information gathered equals 2 pulses. Pulse (1) included",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"Follow up need. This is a serious financial crime following the victims.",
"Victims have lost financial assets, jobs, vehicles",
"Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado",
"After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "Win.Malware.Msilperseus-6989564-0",
"display_name": "Win.Malware.Msilperseus-6989564-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Win.Trojan.Ramnit-1847",
"display_name": "Win.Trojan.Ramnit-1847",
"target": null
},
{
"id": "Win.Trojan.Fenomengame-14",
"display_name": "Win.Trojan.Fenomengame-14",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Pandex!gen1",
"display_name": "Pandex!gen1",
"target": null
},
{
"id": "Mirai Sim Swap",
"display_name": "Mirai Sim Swap",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Lumen IP",
"display_name": "Lumen IP",
"target": null
},
{
"id": "Unknown Malware \u2018Can't access file\u2019",
"display_name": "Unknown Malware \u2018Can't access file\u2019",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Win.Trojan.Fenomengame-8",
"display_name": "Win.Trojan.Fenomengame-8",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/Adialer",
"display_name": "ALF:JASYP:Trojan:Win32/Adialer",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "Appleservice",
"display_name": "Appleservice",
"target": null
},
{
"id": "ELF:DDoS-S\\ [Trj]",
"display_name": "ELF:DDoS-S\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Financial",
"Government",
"Technology",
"IRS"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 363,
"FileHash-SHA1": 360,
"FileHash-SHA256": 3009,
"URL": 3504,
"domain": 879,
"email": 15,
"hostname": 1487,
"SSLCertFingerprint": 3
},
"indicator_count": 9620,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "84 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69312c4db6fe7eb34abd179d",
"name": "BeeLineRouter.Net \u2022 Apple \u2022 Worms \u2022 Ransom \u2022 SpyWare",
"description": "Direct- remotely accesses iOS devices. Same threat actors. Further research warranted.| \n\n#theyswarm #apple #worms #spyware #ransom #quasi",
"modified": "2026-01-03T05:02:11.376000",
"created": "2025-12-04T06:38:05.504000",
"tags": [
"worm",
"readme.exe",
"foto.pif",
"z1nic.exe",
"dynamicloader",
"high",
"windows",
"checks",
"named pipe",
"http traffic",
"ids detections",
"yara detections",
"alerts",
"launch",
"defense evasion",
"ta0005",
"files",
"msie",
"next dropped",
"process name",
"pe32",
"intel",
"ms windows",
"unknown",
"united",
"tlsv1",
"as14618",
"top source",
"top destination",
"port",
"destination",
"source source",
"matches rule",
"hidden file",
"extension",
"connection",
"http vary",
"tulach",
"url https",
"indicator role",
"active related",
"ipv4",
"url http",
"macintosh",
"intel mac",
"os x",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"bq dec",
"virtool",
"win32mydoom dec",
"trojan",
"win32cve dec",
"avast avg",
"mtb dec",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"ff d5",
"yara rule",
"ascii text",
"f0 ff",
"eb e1",
"write",
"malware",
"suspicious",
"observed dns",
"query",
"exploits",
"sid name",
"malware cve",
"exif data",
"show",
"value exe",
"next",
"all ipv4",
"pulse pulses",
"passive dns",
"urls",
"reverse dns",
"location united",
"america flag",
"ashburn",
"status",
"name servers",
"ip address",
"showing",
"domain",
"files ip",
"windows nt",
"slcc2",
"media center",
"medium",
"simda",
"internal",
"local",
"write c",
"domain add",
"ip whois",
"registrar",
"hostname",
"present jul",
"unknown ns",
"present dec",
"music",
"servers",
"hostname add",
"pulse submit",
"url analysis",
"aaaa",
"backdoor",
"entries",
"found",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"record value",
"emails",
"win32",
"mtb may",
"invalid url",
"ransom",
"trojanspy",
"msil",
"akamai",
"expiration date",
"body html",
"present nov",
"url add",
"http",
"files domain",
"files related",
"pulses none",
"related tags",
"present sep",
"present oct",
"flag",
"analysis tip",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"date",
"domain address",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"network traffic",
"ck id",
"show technique",
"mitre att",
"ck matrix",
"t1566",
"submitted url",
"t1204",
"learn",
"name tactics",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"pattern match",
"show process",
"t1071",
"t1057",
"general",
"path",
"brian sabey",
"christopher p ahmann",
"quasi",
"foundry",
"helix",
"remote attacks",
"hit men",
"sreredrum",
"pleh"
],
"references": [
"apple.com \u2022 getsupport.apple.com \u2022",
"https://www.idvd.eu/?cid=oas-japac-domains-applestore.com.cn/90.i.lolik.anyciona.patrolita.casse.897866 \u2022 oas-japac-domains-applestore.com.cn",
"http://beelinerouter.net/",
"Tulach - 114.114.114.114",
"http://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry.com \u2022 helix. com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/Fadok!rfn",
"display_name": "Worm:Win32/Fadok!rfn",
"target": "/malware/Worm:Win32/Fadok!rfn"
},
{
"id": "VirTool:Win32/Injector.gen!BQ",
"display_name": "VirTool:Win32/Injector.gen!BQ",
"target": "/malware/VirTool:Win32/Injector.gen!BQ"
},
{
"id": "Mydoom",
"display_name": "Mydoom",
"target": null
},
{
"id": "Win.Spyware.88778-2",
"display_name": "Win.Spyware.88778-2",
"target": null
},
{
"id": "Win.Malware.Delf-10008156-0",
"display_name": "Win.Malware.Delf-10008156-0",
"target": null
},
{
"id": "Trojan.MyDoom/Muldrop",
"display_name": "Trojan.MyDoom/Muldrop",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1578",
"name": "Modify Cloud Compute Infrastructure",
"display_name": "T1578 - Modify Cloud Compute Infrastructure"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1584.003",
"name": "Virtual Private Server",
"display_name": "T1584.003 - Virtual Private Server"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 422,
"FileHash-SHA1": 316,
"FileHash-SHA256": 1950,
"domain": 899,
"URL": 6117,
"email": 21,
"hostname": 2037,
"SSLCertFingerprint": 2,
"CVE": 1
},
"indicator_count": 11765,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "106 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692fdb10627488a886ec6f8f",
"name": "Apple \u2022 Gamarue | Fully compromised iOS | Ahmanm , Tulach , Sabey and ?",
"description": "Device testing. Calling Apple : scam pop ups, apple advisors ,emails, screen shares. Calling : State and Government offices : scam receptionists , investigators, dropped calls, connect without ringing. Calling businesses: routed to scam to scammers. | Apps : all fake. random data. \n\nAligned with same attackers listed. Indicator deletion and attorney caught hijacking. \n\nCannot open LevelBlue Indicators on affected. device. Device can create a mini pulse. \n,",
"modified": "2026-01-02T05:01:36.144000",
"created": "2025-12-03T06:39:12.995000",
"tags": [
"united",
"servers",
"data upload",
"extraction",
"sc data",
"boot",
"techniques none",
"modules",
"logon autostart",
"execu",
"privilege",
"process",
"evasion",
"search",
"info",
"techniques low",
"execution flow",
"injection",
"apple",
"rootkit",
"hybrid analysis",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"ip address",
"process details",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"command",
"found",
"defense evasion",
"a061s.exe",
"tulach",
"christopher p ahmanm",
"passive dns",
"urls",
"url add",
"http",
"files domain",
"files related",
"pulses otx",
"virustotal",
"foundry",
"helix",
"mapkit",
"hacking",
"denver",
"retaliation",
"redirect",
"no server",
"reroute",
"scammers",
"coconut island",
"brain sabey",
"dns requests",
"domain address",
"contacted hosts",
"t1480 execution",
"file defense"
],
"references": [
"getsupport.apple.com\t \u2022 apple.com",
"Matches rule Registry Modification to Hidden File Extension by frack113",
"Matches rule Msiexec Initiated Connection by frack113",
"Matches rule Creation of an Executable by an Executable by frack113",
"Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"Tulach \u2022 114.114.114.114",
"http://foundry2-lbl.dvr.dn2.n-helix.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan/Win32.Gamarue.C1976125",
"display_name": "Trojan/Win32.Gamarue.C1976125",
"target": null
},
{
"id": "Trojan.GenericKDZ.93839",
"display_name": "Trojan.GenericKDZ.93839",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "Trojan.MyDoom/Mudrop",
"display_name": "Trojan.MyDoom/Mudrop",
"target": null
},
{
"id": "Trojan.Win.Small",
"display_name": "Trojan.Win.Small",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1401",
"name": "Device Administrator Permissions",
"display_name": "T1401 - Device Administrator Permissions"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "T1430",
"name": "Location Tracking",
"display_name": "T1430 - Location Tracking"
},
{
"id": "T1529",
"name": "System Shutdown/Reboot",
"display_name": "T1529 - System Shutdown/Reboot"
},
{
"id": "T1542.003",
"name": "Bootkit",
"display_name": "T1542.003 - Bootkit"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
}
],
"industries": [
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 413,
"FileHash-MD5": 14,
"FileHash-SHA1": 4,
"URL": 1321,
"domain": 219,
"email": 3,
"FileHash-SHA256": 696
},
"indicator_count": 2670,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "107 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69138a8144a8bf8040a92711",
"name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Counsel for egregious criminal acts \u2022 Christopher P. Ahmann attorney at Large",
"description": "",
"modified": "2025-12-09T17:03:48.645000",
"created": "2025-11-11T19:12:01.843000",
"tags": [
"url http",
"apple",
"california",
"apple public",
"server rsa",
"organization",
"stateprovince",
"ocsp",
"nids united",
"files",
"united",
"unknown ns",
"ip address",
"domain",
"urls files",
"passive dns",
"found title",
"sf hello",
"myriad set",
"pro myriad",
"set lucida",
"grande arial",
"sf mono",
"ipv4",
"location united",
"america flag",
"america asn",
"verdict",
"files ip",
"address",
"as42 woodynet",
"domain add",
"ipv4 add",
"reverse dns",
"trojan",
"name servers",
"emails",
"for privacy",
"ltd dba",
"com laude",
"servers",
"expiration date",
"urls",
"meta",
"a domains",
"country code",
"store home",
"title",
"accept",
"espaol",
"english",
"evil corp",
"see all",
"cyber hack",
"republic",
"canada",
"season",
"joe tidy",
"sarah rainsford",
"podcast",
"bank",
"ukraine",
"dead",
"indonesia",
"police",
"premium",
"napoleon",
"revolution",
"michelangelo",
"mozart",
"global",
"solid",
"lazarus",
"jabber zeus",
"harrods",
"ta markmonitor",
"markmonitor",
"search",
"present aug",
"unknown aaaa",
"unknown soa",
"win32",
"invalid url",
"trojanspy",
"mtb apr",
"backdoor",
"next associated",
"win64",
"trojandropper",
"twitter",
"virtool",
"ransom",
"worm",
"dynamicloader",
"tlsv1",
"high",
"globalc",
"medium",
"windows",
"cmd c",
"delete c",
"stream",
"write",
"next",
"process32nextw",
"http host",
"dns query",
"likely gandcrab",
"et trojan",
"windows nt",
"wow64",
"malware",
"ms windows",
"as16509",
"as54113",
"yara rule",
"pe32 executable",
"as15169",
"powershell",
"unknown",
"response ip",
"address google",
"safe browsing",
"hostname add",
"port",
"destination",
"pe32",
"intel",
"error",
"show",
"delphi",
"dcom",
"form",
"canvas",
"united kingdom",
"content type",
"security",
"moved",
"great britain",
"unknown a",
"body doctype",
"html public",
"ietfdtd html",
"showing",
"packing t1045",
"bytes",
"read",
"default",
"christoper p ahmann",
"target",
"victims",
"tsara brashears",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"present nov",
"present oct",
"date",
"tcpmemhit",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"sha256",
"sha1",
"mitre att",
"pattern match",
"show technique",
"ck matrix",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"palantir",
"foundry",
"hitmen",
"quasi",
"government contracts",
"jeffrey reimer",
"hallrender",
"workers compensation",
"record value",
"certificate"
],
"references": [
"apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
"https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"bpc-old.palantirfoundry.com",
"OTX auto populated targeted groups.",
"You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
"Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
"Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
"Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
"They blatantly steal from citizens , blame foreign entities.",
"This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents."
],
"public": 1,
"adversary": "Lazarus",
"targeted_countries": [
"Bangladesh",
"Japan",
"United States of America"
],
"malware_families": [
{
"id": "ALF:SpikeAexR.PEVPSZL",
"display_name": "ALF:SpikeAexR.PEVPSZL",
"target": null
},
{
"id": "Ransom:MSIL/GandCrab",
"display_name": "Ransom:MSIL/GandCrab",
"target": "/malware/Ransom:MSIL/GandCrab"
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Ransom:Win32/Gandcrab.H!MTB",
"display_name": "Ransom:Win32/Gandcrab.H!MTB",
"target": "/malware/Ransom:Win32/Gandcrab.H!MTB"
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [
"Banks",
"Crypto",
"Entertainment",
"Bank"
],
"TLP": "white",
"cloned_from": "6910cafb096eae0dcb39a800",
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4572,
"FileHash-MD5": 196,
"domain": 1523,
"hostname": 1393,
"FileHash-SHA256": 2400,
"FileHash-SHA1": 175,
"email": 18,
"SSLCertFingerprint": 8
},
"indicator_count": 10285,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "131 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6910cafb096eae0dcb39a800",
"name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious",
"description": "Chronicles of how quasi government , a State owned criminal defense attorney , protects sexual assaulter Jeffrey Reimer DPT. victim Palantir harassed, withheld healthcare , diagnoses, justice, monetary award for injured, stole insurance policies, hacked Denver artists, sold music her to artists whom profited, hacked Denver music studios, hired stalkers, human, controlled phone , car and everything in targets life including , doctors, attorneys, hospitals. It\u2019s always been clear to coming us that Anonymous and Lazarus are the police, judge , lawyer, ransom racist.\nThis group alone has cost the US billions! Responsible for 2014 Sony hack , FMOE.\nDirect Link. by phone , email in person contact , forced settlement hearing,. Adversarial Christopher P. Ahmann , relationship w / Lazarus group, hitmen , cyber crime and other crimes against persons.\n #rip #christopher_ahmann #palantir #lazarus #target_tsara_brashears",
"modified": "2025-12-09T17:03:48.645000",
"created": "2025-11-09T17:10:19.498000",
"tags": [
"url http",
"apple",
"california",
"apple public",
"server rsa",
"organization",
"stateprovince",
"ocsp",
"nids united",
"files",
"united",
"unknown ns",
"ip address",
"domain",
"urls files",
"passive dns",
"found title",
"sf hello",
"myriad set",
"pro myriad",
"set lucida",
"grande arial",
"sf mono",
"ipv4",
"location united",
"america flag",
"america asn",
"verdict",
"files ip",
"address",
"as42 woodynet",
"domain add",
"ipv4 add",
"reverse dns",
"trojan",
"name servers",
"emails",
"for privacy",
"ltd dba",
"com laude",
"servers",
"expiration date",
"urls",
"meta",
"a domains",
"country code",
"store home",
"title",
"accept",
"espaol",
"english",
"evil corp",
"see all",
"cyber hack",
"republic",
"canada",
"season",
"joe tidy",
"sarah rainsford",
"podcast",
"bank",
"ukraine",
"dead",
"indonesia",
"police",
"premium",
"napoleon",
"revolution",
"michelangelo",
"mozart",
"global",
"solid",
"lazarus",
"jabber zeus",
"harrods",
"ta markmonitor",
"markmonitor",
"search",
"present aug",
"unknown aaaa",
"unknown soa",
"win32",
"invalid url",
"trojanspy",
"mtb apr",
"backdoor",
"next associated",
"win64",
"trojandropper",
"twitter",
"virtool",
"ransom",
"worm",
"dynamicloader",
"tlsv1",
"high",
"globalc",
"medium",
"windows",
"cmd c",
"delete c",
"stream",
"write",
"next",
"process32nextw",
"http host",
"dns query",
"likely gandcrab",
"et trojan",
"windows nt",
"wow64",
"malware",
"ms windows",
"as16509",
"as54113",
"yara rule",
"pe32 executable",
"as15169",
"powershell",
"unknown",
"response ip",
"address google",
"safe browsing",
"hostname add",
"port",
"destination",
"pe32",
"intel",
"error",
"show",
"delphi",
"dcom",
"form",
"canvas",
"united kingdom",
"content type",
"security",
"moved",
"great britain",
"unknown a",
"body doctype",
"html public",
"ietfdtd html",
"showing",
"packing t1045",
"bytes",
"read",
"default",
"christoper p ahmann",
"target",
"victims",
"tsara brashears",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"present nov",
"present oct",
"date",
"tcpmemhit",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"sha256",
"sha1",
"mitre att",
"pattern match",
"show technique",
"ck matrix",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"palantir",
"foundry",
"hitmen",
"quasi",
"government contracts",
"jeffrey reimer",
"hallrender",
"workers compensation",
"record value",
"certificate"
],
"references": [
"apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
"https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"bpc-old.palantirfoundry.com",
"OTX auto populated targeted groups.",
"You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
"Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
"Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
"Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
"They blatantly steal from citizens , blame foreign entities.",
"This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents."
],
"public": 1,
"adversary": "Lazarus",
"targeted_countries": [
"Bangladesh",
"Japan",
"United States of America"
],
"malware_families": [
{
"id": "ALF:SpikeAexR.PEVPSZL",
"display_name": "ALF:SpikeAexR.PEVPSZL",
"target": null
},
{
"id": "Ransom:MSIL/GandCrab",
"display_name": "Ransom:MSIL/GandCrab",
"target": "/malware/Ransom:MSIL/GandCrab"
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Ransom:Win32/Gandcrab.H!MTB",
"display_name": "Ransom:Win32/Gandcrab.H!MTB",
"target": "/malware/Ransom:Win32/Gandcrab.H!MTB"
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [
"Banks",
"Crypto",
"Entertainment",
"Bank"
],
"TLP": "white",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4572,
"FileHash-MD5": 196,
"domain": 1523,
"hostname": 1393,
"FileHash-SHA256": 2400,
"FileHash-SHA1": 175,
"email": 18,
"SSLCertFingerprint": 8
},
"indicator_count": 10285,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "131 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68be65e95645ef1a6c8a898d",
"name": "Apple affected by Tofsee at least 4 remote devices. DEAD Apple products",
"description": "Such a hacked device. Victims phone remotely accessed the night it was purchased. A man wearing a jammer/ deauth watch was part of an aggressive caravan of followers. Will repost related pulse. \n South Africa became customer service once again for every external service called. Target was aware. \n\nIt must be nice to SA someone, and have a racist mafia of silencers behind because the corporation didn\u2019t want bad press and the Sheriff was friends with the MD who threatened victim with future retaliation.\n\nNo one helps because this is obviously abuse by law enforcement. He is the victim. She simply suffered from life threatening injuries until the end. This should be illegal. Denied justice, representation, medical care, emergency care of any kind, diagnos3s and followed and monitored 24/7.",
"modified": "2025-10-08T04:04:41.943000",
"created": "2025-09-08T05:13:13.781000",
"tags": [
"mtb oct",
"trojandropper",
"avast avg",
"backdoor",
"trojan",
"ubuntu",
"passive dns",
"federation flag",
"asn as49505",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"dynamicloader",
"high",
"medium",
"port",
"delete c",
"windows",
"displayname",
"tofsee",
"grum",
"stream",
"powershell",
"write",
"malware",
"hostile",
"misa",
"ipv4 add",
"urls",
"files",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"found",
"command",
"defense evasion",
"adversaries",
"spawns",
"united",
"orc5",
"flag",
"rhur3d",
"title",
"click",
"strings",
"refresh",
"aids",
"dzan",
"sumo",
"miny",
"judi",
"pattern match",
"mitre att",
"show technique",
"ck matrix",
"ascii text",
"show process",
"hybrid",
"general",
"local",
"path",
"t1480 execution",
"null",
"span",
"error",
"tools",
"look",
"verify",
"restart",
"domain secure",
"windows nt",
"ogoogle trust",
"zerossl ecc",
"site ca0x1ex17r",
"win64",
"unknown",
"encrypt",
"search",
"entries",
"destination",
"push",
"next",
"apple",
"moved",
"gmt content",
"type",
"content length",
"ipv4",
"date",
"handle",
"address range",
"cidr",
"network name",
"allocation type",
"assigned pi",
"status",
"whois server",
"entity ipripe",
"apnic",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"ip address",
"related nids",
"files location",
"flag united",
"unknown ns",
"name servers",
"creation date",
"emails",
"pulse pulses",
"pulses none",
"none google",
"safe browsing",
"external",
"location united",
"asn as714",
"less whois",
"registrar",
"ios",
"iphone",
"ipad",
"australia",
"dead host"
],
"references": [
"https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound",
"https://176.113.115.136/ohhiiiii/",
"https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE",
"https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8",
"palantir-staging.staging.candidate.app.paulsjob.ai",
"pornhub.com\t \u2022 www.pornhub.com",
"appleaustralia.com",
"https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb",
"https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Muldrop",
"display_name": "Muldrop",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Telecommunications",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1273,
"FileHash-MD5": 347,
"domain": 606,
"hostname": 778,
"FileHash-SHA256": 2724,
"FileHash-SHA1": 322,
"email": 9,
"SSLCertFingerprint": 14,
"CIDR": 3
},
"indicator_count": 6076,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "193 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686e17b1ac7253ec7e12f1e8",
"name": "FT Adviser | Foundry - platform.twitter.com + Apple + T-Mobile",
"description": "FT Adviser | Foundry - platform.twitter.com + Apple + T-Mobile | ImFurther investigation of familiar IoC\u2019s in Tethering T-mobile to iOS research. \n\nPalantir is the the Cyber Defense Firm that provides the weapons, man force, military, false arrest records ,reputation damage, the man who drove her off the road, constant stalking and the marketing of her music in other media.\n Realize this hot stock you\u2019re investing is a domestic and international terrorist organization. There are several\nPeople here being 24/7/365 monitored.\nThey have fulfillment centers from Amazon and can provide food to medicine, they have the entire military, all\ngovernment contracts and their own physicians. \n\n#malware #foundry #rip #palantir # twitter #paypalmafia #quasi #government # workerscompensation #law_enforcement # #jeffreyreimer #sabey #tsarabrashearslivesinourhearts",
"modified": "2025-08-08T06:00:40.325000",
"created": "2025-07-09T07:18:09.062000",
"tags": [
"present jun",
"united",
"status",
"present may",
"present sep",
"search",
"date",
"entries",
"trojan",
"name servers",
"ransom",
"twitter",
"redacted for",
"showing",
"passive dns",
"urls",
"softlayer",
"internet",
"encrypt",
"record value",
"body",
"service",
"russia",
"spain",
"germany",
"netherlands",
"aaaa",
"france",
"virtool",
"creation date",
"expiration date",
"servers",
"hostname add",
"pulse pulses",
"files",
"present aug",
"ip address",
"applenoc",
"unknown ns",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"unknown aaaa",
"secure server",
"msie",
"chrome",
"moved",
"title",
"gmt content",
"type",
"pulse submit",
"http",
"hostname",
"files domain",
"files related",
"pulses otx",
"pulses",
"related tags",
"google safe",
"indicator role",
"title added",
"active related",
"url https",
"dynamicloader",
"write c",
"windows nt",
"wow64",
"slcc2",
"media center",
"html",
"as15169",
"write",
"xport",
"copy",
"guard",
"malware",
"suspicious",
"next",
"extraction",
"data upload",
"failed",
"extri data",
"include review",
"exclude",
"sugges",
"stop x",
"s data",
"extr data",
"extraction data",
"enter soudcetdi",
"ad tevdag",
"cadad ad",
"draie",
"extri include",
"review",
"done",
"levelblue",
"exclude sugges",
"uny inuuue",
"find s",
"typ hos",
"script urls",
"canada unknown",
"script domains",
"a domains"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 181,
"FileHash-SHA1": 154,
"FileHash-SHA256": 1857,
"domain": 1424,
"email": 13,
"hostname": 1304,
"URL": 4168,
"CVE": 1,
"SSLCertFingerprint": 4
},
"indicator_count": 9106,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "254 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a20ff8db3854e863dca324",
"name": "Shared Modules | Hijacker | Masquerading",
"description": "",
"modified": "2024-02-12T04:01:56.040000",
"created": "2024-01-13T04:22:16.961000",
"tags": [
"filehashmd5",
"no expiration",
"iocs",
"next",
"scan endpoints",
"all octoseek",
"create new",
"pulse use",
"pdf report",
"pcap",
"filehashsha1",
"filehashsha256",
"ipv4",
"hostname",
"expiration",
"domain",
"url https",
"url http",
"source",
"stix",
"email",
"email abuse",
"goreasonlimited",
"cc no",
"tompc",
"sum35",
"domain xn",
"searchbox0",
"domainname0",
"view",
"apple",
"apple id",
"hijacking",
"masquerading",
"exploit",
"cams",
"monitoring",
"loki bot",
"dns",
"open ports",
"malvertizing",
"malware hosting",
"apple script",
"js user",
"dga",
"dga domains",
"malware",
"multiple_versions",
"wagersta",
"decode",
"system information discovery",
"decrypt",
"evasion",
"defense evasion",
"emotet",
"android",
"ios",
"wannacry",
"trojan",
"worm",
"cyber threat",
"benjamin",
"whois record",
"ssl certificate",
"contacted",
"historical ssl",
"referrer",
"contacted urls",
"execution",
"whois whois",
"whois sslcert",
"and china",
"drop",
"uchealth",
"university of cincinnati health"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2701,
"FileHash-SHA1": 2296,
"FileHash-SHA256": 3362,
"URL": 6191,
"domain": 2033,
"hostname": 3097,
"email": 37,
"CVE": 2
},
"indicator_count": 19719,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "797 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "656a971ab44409ecb7018428",
"name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection",
"description": "",
"modified": "2023-12-30T14:02:30.516000",
"created": "2023-12-02T02:31:54.823000",
"tags": [
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"communicating",
"siblings",
"file",
"hell",
"lenovo tablet",
"name servers",
"as714 apple",
"united",
"creation date",
"search",
"servers",
"date",
"moved",
"certificate",
"passive dns",
"body",
"historical",
"collections",
"contacted",
"strange",
"no data",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"blacklist http",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"malicious site",
"malware site",
"phishing site",
"million",
"malware",
"http attacker",
"ip address",
"algorithm",
"v3 serial",
"number",
"ist ca",
"g1 validity",
"public key",
"info",
"key algorithm",
"ec oid",
"key identifier",
"first",
"team alexa",
"downloader",
"wed apr",
"alexa",
"pony",
"name verdict",
"pattern match",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"script",
"beginstring",
"mitre att",
"null",
"unknown",
"span",
"error",
"class",
"generator",
"critical",
"meta",
"hybrid",
"general",
"local",
"click",
"strings",
"refresh",
"tools",
"malicious url",
"hostname",
"hostnames",
"phishing",
"union",
"team",
"bank",
"unsafe",
"spammer",
"node tcp",
"traffic",
"attacker",
"tor known",
"tor relayrouter",
"jul jan",
"mon sep",
"heur",
"artemis",
"iframe",
"conduit",
"crack",
"riskware",
"opencandy",
"cleaner",
"exploit",
"downldr",
"presenoker",
"wacatac",
"agent",
"fusioncore",
"applicunwnt",
"acint",
"nircmd",
"swrort",
"systweak",
"behav",
"tiggre",
"genkryptik",
"filetour",
"generic",
"patcher",
"driverpack",
"xtrat",
"softcnapp",
"cyber threat",
"dns server",
"http spammer",
"host",
"download",
"asyncrat",
"cobalt strike",
"apple",
"urls http",
"368600",
"320700",
"dc1542721039132",
"subdomains",
"noname057",
"tld count",
"urls",
"blacklist https",
"engineering",
"singapore",
"phishtank",
"suppobox",
"bambernek",
"facebook",
"zbot",
"malicious",
"zeus",
"emotet",
"ransomware",
"nymaim",
"redline stealer",
"service",
"virut",
"kraken",
"keybase",
"stealer",
"hawkeye",
"tinba",
"mirai",
"nanocore",
"bradesco",
"cve201711882",
"ip detections",
"country",
"83500",
"1602192580242",
"1602192586217",
"blog",
"1602192588844",
"1602192624796",
"303300",
"vhash",
"authentihash",
"ssdeep",
"file type",
"win32 exe",
"magic pe32",
"ms windows",
"intel",
"trid windows",
"control panel",
"file version",
"copyright",
"product",
"description",
"original name",
"internal name",
"rticon neutral",
"chi2",
"contained",
"details module",
"version id",
"typelib id",
"header target",
"machine intel",
"utc entry",
"point",
"count blacklist",
"tag tag",
"dot net",
"assembly common",
"clr version",
"assembly name",
"address",
"assembly",
"rva entry",
"streams size",
"entropy chi2",
"guid",
"applenoc",
"showing",
"record value",
"scan endpoints",
"all search",
"as20940",
"as16625 akamai",
"status",
"cname",
"china",
"as136907 huawei",
"nanjing",
"as2914 ntt",
"america",
"as7843 charter",
"as6461 zayo",
"domain",
"p155-fmfmobile.icloud.com",
"t-mobile",
"metro t-mobile",
"metro",
"metroby",
"social engineering",
"happywifehappylife",
"bot",
"darknet service",
"tsara brashears",
"jeffrey reimer",
"pixelrz",
"yandex",
"cp",
"cyber",
"red team",
"framing",
"qwest",
"cybercrime",
"cyber threat",
"sha256",
"runtime process",
"sha1",
"size",
"windows nt",
"indicator",
"svg scalable",
"accept",
"unis",
"buttons",
"overwrite",
"format",
"spyware",
"heodo",
"fri nov",
"installcore",
"installpack",
"win64",
"fakealert",
"dropper",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"dapato",
"networm",
"mediaget",
"softonic",
"trojan",
"encpk",
"qbot",
"predator",
"kraddare",
"iobit",
"dllinject",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"unruy",
"floxif",
"adload",
"et cins",
"active threat",
"reputation ip",
"threats et",
"cins active",
"poor reputation",
"ip tcp",
"privacy admin",
"privacy tech",
"com laude",
"redacted for",
"server",
"priority",
"email",
"organization",
"city",
"cnapple public",
"server rsa",
"stcalifornia",
"cnapple ist",
"identity search",
"group",
"issuer criteria",
"type",
"ilike search",
"id logged",
"valid",
"no no",
"no na",
"ip security",
"apple",
"limited",
"ca id",
"lsalford",
"ocomodo ca",
"code signing",
"mozilla",
"android",
"memory checks",
"dotnet_encrypted",
"multi family rat detection",
"malware_win_zgrat"
],
"references": [
"Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
"p155-fmfmobile.icloud.com",
"\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193",
"developer.huawei.com",
"PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
"http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
"Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
"fmfmobile.fe.apple-dns.net",
"http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
"http://notredamewormhoutnet.appleid.com/",
"news-publisher.pictures",
"applestore.net",
"airinthemorning.net",
"http://certs.apple.com/appleistca2g1_bc.cer",
"http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
"https://dc-mx.d3525d602ca2.pixelrz.com",
"http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
"http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)",
"http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)",
"http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)",
"http://pixelrz.com/lists/suggestions/rs485-arduino/",
"http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
"http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
"http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
"Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
"Resource: https://crt.sh/?q=privaterelay.appleid.com",
"\u2193Command and Control \u2193",
"CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
"CNC Hostname: urlspirit.spiritsoft.cn",
"Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
"Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
"Resource: https://urlscan.io/domain/privaterelay.appleid.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Systweak",
"display_name": "Systweak",
"target": null
},
{
"id": "Swrort",
"display_name": "Swrort",
"target": null
},
{
"id": "Tinba",
"display_name": "Tinba",
"target": null
},
{
"id": "XRat",
"display_name": "XRat",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Tiggre",
"display_name": "Tiggre",
"target": null
},
{
"id": "FusionCore",
"display_name": "FusionCore",
"target": null
},
{
"id": "Redline",
"display_name": "Redline",
"target": null
},
{
"id": "Virus:DOS/Nanjing",
"display_name": "Virus:DOS/Nanjing",
"target": "/malware/Virus:DOS/Nanjing"
},
{
"id": "nircmd",
"display_name": "nircmd",
"target": null
},
{
"id": "noname057",
"display_name": "noname057",
"target": null
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Softcnapp",
"display_name": "Softcnapp",
"target": null
},
{
"id": "Union",
"display_name": "Union",
"target": null
},
{
"id": "Bambernek",
"display_name": "Bambernek",
"target": null
},
{
"id": "Kraddare",
"display_name": "Kraddare",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "trojan.agensla/msil",
"display_name": "trojan.agensla/msil",
"target": null
},
{
"id": "Win:ZGRAT",
"display_name": "Win:ZGRAT",
"target": null
},
{
"id": "Wacatac.",
"display_name": "Wacatac.",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6569984495dfed1b14e29217",
"export_count": 68,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1220,
"FileHash-SHA1": 613,
"FileHash-SHA256": 5010,
"URL": 13617,
"hostname": 3699,
"domain": 2783,
"email": 11,
"CVE": 23,
"CIDR": 2
},
"indicator_count": 26978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "841 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "656a9718ac97804d782cc16b",
"name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection",
"description": "",
"modified": "2023-12-30T14:02:30.516000",
"created": "2023-12-02T02:31:52.614000",
"tags": [
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"communicating",
"siblings",
"file",
"hell",
"lenovo tablet",
"name servers",
"as714 apple",
"united",
"creation date",
"search",
"servers",
"date",
"moved",
"certificate",
"passive dns",
"body",
"historical",
"collections",
"contacted",
"strange",
"no data",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"blacklist http",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"malicious site",
"malware site",
"phishing site",
"million",
"malware",
"http attacker",
"ip address",
"algorithm",
"v3 serial",
"number",
"ist ca",
"g1 validity",
"public key",
"info",
"key algorithm",
"ec oid",
"key identifier",
"first",
"team alexa",
"downloader",
"wed apr",
"alexa",
"pony",
"name verdict",
"pattern match",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"script",
"beginstring",
"mitre att",
"null",
"unknown",
"span",
"error",
"class",
"generator",
"critical",
"meta",
"hybrid",
"general",
"local",
"click",
"strings",
"refresh",
"tools",
"malicious url",
"hostname",
"hostnames",
"phishing",
"union",
"team",
"bank",
"unsafe",
"spammer",
"node tcp",
"traffic",
"attacker",
"tor known",
"tor relayrouter",
"jul jan",
"mon sep",
"heur",
"artemis",
"iframe",
"conduit",
"crack",
"riskware",
"opencandy",
"cleaner",
"exploit",
"downldr",
"presenoker",
"wacatac",
"agent",
"fusioncore",
"applicunwnt",
"acint",
"nircmd",
"swrort",
"systweak",
"behav",
"tiggre",
"genkryptik",
"filetour",
"generic",
"patcher",
"driverpack",
"xtrat",
"softcnapp",
"cyber threat",
"dns server",
"http spammer",
"host",
"download",
"asyncrat",
"cobalt strike",
"apple",
"urls http",
"368600",
"320700",
"dc1542721039132",
"subdomains",
"noname057",
"tld count",
"urls",
"blacklist https",
"engineering",
"singapore",
"phishtank",
"suppobox",
"bambernek",
"facebook",
"zbot",
"malicious",
"zeus",
"emotet",
"ransomware",
"nymaim",
"redline stealer",
"service",
"virut",
"kraken",
"keybase",
"stealer",
"hawkeye",
"tinba",
"mirai",
"nanocore",
"bradesco",
"cve201711882",
"ip detections",
"country",
"83500",
"1602192580242",
"1602192586217",
"blog",
"1602192588844",
"1602192624796",
"303300",
"vhash",
"authentihash",
"ssdeep",
"file type",
"win32 exe",
"magic pe32",
"ms windows",
"intel",
"trid windows",
"control panel",
"file version",
"copyright",
"product",
"description",
"original name",
"internal name",
"rticon neutral",
"chi2",
"contained",
"details module",
"version id",
"typelib id",
"header target",
"machine intel",
"utc entry",
"point",
"count blacklist",
"tag tag",
"dot net",
"assembly common",
"clr version",
"assembly name",
"address",
"assembly",
"rva entry",
"streams size",
"entropy chi2",
"guid",
"applenoc",
"showing",
"record value",
"scan endpoints",
"all search",
"as20940",
"as16625 akamai",
"status",
"cname",
"china",
"as136907 huawei",
"nanjing",
"as2914 ntt",
"america",
"as7843 charter",
"as6461 zayo",
"domain",
"p155-fmfmobile.icloud.com",
"t-mobile",
"metro t-mobile",
"metro",
"metroby",
"social engineering",
"happywifehappylife",
"bot",
"darknet service",
"tsara brashears",
"jeffrey reimer",
"pixelrz",
"yandex",
"cp",
"cyber",
"red team",
"framing",
"qwest",
"cybercrime",
"cyber threat",
"sha256",
"runtime process",
"sha1",
"size",
"windows nt",
"indicator",
"svg scalable",
"accept",
"unis",
"buttons",
"overwrite",
"format",
"spyware",
"heodo",
"fri nov",
"installcore",
"installpack",
"win64",
"fakealert",
"dropper",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"dapato",
"networm",
"mediaget",
"softonic",
"trojan",
"encpk",
"qbot",
"predator",
"kraddare",
"iobit",
"dllinject",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"unruy",
"floxif",
"adload",
"et cins",
"active threat",
"reputation ip",
"threats et",
"cins active",
"poor reputation",
"ip tcp",
"privacy admin",
"privacy tech",
"com laude",
"redacted for",
"server",
"priority",
"email",
"organization",
"city",
"cnapple public",
"server rsa",
"stcalifornia",
"cnapple ist",
"identity search",
"group",
"issuer criteria",
"type",
"ilike search",
"id logged",
"valid",
"no no",
"no na",
"ip security",
"apple",
"limited",
"ca id",
"lsalford",
"ocomodo ca",
"code signing",
"mozilla",
"android",
"memory checks",
"dotnet_encrypted",
"multi family rat detection",
"malware_win_zgrat"
],
"references": [
"Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
"p155-fmfmobile.icloud.com",
"\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193",
"developer.huawei.com",
"PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
"http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
"Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
"fmfmobile.fe.apple-dns.net",
"http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
"http://notredamewormhoutnet.appleid.com/",
"news-publisher.pictures",
"applestore.net",
"airinthemorning.net",
"http://certs.apple.com/appleistca2g1_bc.cer",
"http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
"https://dc-mx.d3525d602ca2.pixelrz.com",
"http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
"http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)",
"http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)",
"http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)",
"http://pixelrz.com/lists/suggestions/rs485-arduino/",
"http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
"http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
"http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
"Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
"Resource: https://crt.sh/?q=privaterelay.appleid.com",
"\u2193Command and Control \u2193",
"CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
"CNC Hostname: urlspirit.spiritsoft.cn",
"Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
"Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
"Resource: https://urlscan.io/domain/privaterelay.appleid.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Systweak",
"display_name": "Systweak",
"target": null
},
{
"id": "Swrort",
"display_name": "Swrort",
"target": null
},
{
"id": "Tinba",
"display_name": "Tinba",
"target": null
},
{
"id": "XRat",
"display_name": "XRat",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Tiggre",
"display_name": "Tiggre",
"target": null
},
{
"id": "FusionCore",
"display_name": "FusionCore",
"target": null
},
{
"id": "Redline",
"display_name": "Redline",
"target": null
},
{
"id": "Virus:DOS/Nanjing",
"display_name": "Virus:DOS/Nanjing",
"target": "/malware/Virus:DOS/Nanjing"
},
{
"id": "nircmd",
"display_name": "nircmd",
"target": null
},
{
"id": "noname057",
"display_name": "noname057",
"target": null
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Softcnapp",
"display_name": "Softcnapp",
"target": null
},
{
"id": "Union",
"display_name": "Union",
"target": null
},
{
"id": "Bambernek",
"display_name": "Bambernek",
"target": null
},
{
"id": "Kraddare",
"display_name": "Kraddare",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "trojan.agensla/msil",
"display_name": "trojan.agensla/msil",
"target": null
},
{
"id": "Win:ZGRAT",
"display_name": "Win:ZGRAT",
"target": null
},
{
"id": "Wacatac.",
"display_name": "Wacatac.",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6569984495dfed1b14e29217",
"export_count": 67,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1220,
"FileHash-SHA1": 613,
"FileHash-SHA256": 5010,
"URL": 13617,
"hostname": 3699,
"domain": 2783,
"email": 11,
"CVE": 23,
"CIDR": 2
},
"indicator_count": 26978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "841 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6569984495dfed1b14e29217",
"name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection",
"description": "Active iCloud monitoring by third party. Active cyber threat.\nFound in link on iOS device: p155-fmfmobile.icloud.com\nFraud services. No data, service, or legitimate carrier",
"modified": "2023-12-30T14:02:30.516000",
"created": "2023-12-01T08:24:36.293000",
"tags": [
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"communicating",
"siblings",
"file",
"hell",
"lenovo tablet",
"name servers",
"as714 apple",
"united",
"creation date",
"search",
"servers",
"date",
"moved",
"certificate",
"passive dns",
"body",
"historical",
"collections",
"contacted",
"strange",
"no data",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"blacklist http",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"malicious site",
"malware site",
"phishing site",
"million",
"malware",
"http attacker",
"ip address",
"algorithm",
"v3 serial",
"number",
"ist ca",
"g1 validity",
"public key",
"info",
"key algorithm",
"ec oid",
"key identifier",
"first",
"team alexa",
"downloader",
"wed apr",
"alexa",
"pony",
"name verdict",
"pattern match",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"script",
"beginstring",
"mitre att",
"null",
"unknown",
"span",
"error",
"class",
"generator",
"critical",
"meta",
"hybrid",
"general",
"local",
"click",
"strings",
"refresh",
"tools",
"malicious url",
"hostname",
"hostnames",
"phishing",
"union",
"team",
"bank",
"unsafe",
"spammer",
"node tcp",
"traffic",
"attacker",
"tor known",
"tor relayrouter",
"jul jan",
"mon sep",
"heur",
"artemis",
"iframe",
"conduit",
"crack",
"riskware",
"opencandy",
"cleaner",
"exploit",
"downldr",
"presenoker",
"wacatac",
"agent",
"fusioncore",
"applicunwnt",
"acint",
"nircmd",
"swrort",
"systweak",
"behav",
"tiggre",
"genkryptik",
"filetour",
"generic",
"patcher",
"driverpack",
"xtrat",
"softcnapp",
"cyber threat",
"dns server",
"http spammer",
"host",
"download",
"asyncrat",
"cobalt strike",
"apple",
"urls http",
"368600",
"320700",
"dc1542721039132",
"subdomains",
"noname057",
"tld count",
"urls",
"blacklist https",
"engineering",
"singapore",
"phishtank",
"suppobox",
"bambernek",
"facebook",
"zbot",
"malicious",
"zeus",
"emotet",
"ransomware",
"nymaim",
"redline stealer",
"service",
"virut",
"kraken",
"keybase",
"stealer",
"hawkeye",
"tinba",
"mirai",
"nanocore",
"bradesco",
"cve201711882",
"ip detections",
"country",
"83500",
"1602192580242",
"1602192586217",
"blog",
"1602192588844",
"1602192624796",
"303300",
"vhash",
"authentihash",
"ssdeep",
"file type",
"win32 exe",
"magic pe32",
"ms windows",
"intel",
"trid windows",
"control panel",
"file version",
"copyright",
"product",
"description",
"original name",
"internal name",
"rticon neutral",
"chi2",
"contained",
"details module",
"version id",
"typelib id",
"header target",
"machine intel",
"utc entry",
"point",
"count blacklist",
"tag tag",
"dot net",
"assembly common",
"clr version",
"assembly name",
"address",
"assembly",
"rva entry",
"streams size",
"entropy chi2",
"guid",
"applenoc",
"showing",
"record value",
"scan endpoints",
"all search",
"as20940",
"as16625 akamai",
"status",
"cname",
"china",
"as136907 huawei",
"nanjing",
"as2914 ntt",
"america",
"as7843 charter",
"as6461 zayo",
"domain",
"p155-fmfmobile.icloud.com",
"t-mobile",
"metro t-mobile",
"metro",
"metroby",
"social engineering",
"happywifehappylife",
"bot",
"darknet service",
"tsara brashears",
"jeffrey reimer",
"pixelrz",
"yandex",
"cp",
"cyber",
"red team",
"framing",
"qwest",
"cybercrime",
"cyber threat",
"sha256",
"runtime process",
"sha1",
"size",
"windows nt",
"indicator",
"svg scalable",
"accept",
"unis",
"buttons",
"overwrite",
"format",
"spyware",
"heodo",
"fri nov",
"installcore",
"installpack",
"win64",
"fakealert",
"dropper",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"dapato",
"networm",
"mediaget",
"softonic",
"trojan",
"encpk",
"qbot",
"predator",
"kraddare",
"iobit",
"dllinject",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"unruy",
"floxif",
"adload",
"et cins",
"active threat",
"reputation ip",
"threats et",
"cins active",
"poor reputation",
"ip tcp",
"privacy admin",
"privacy tech",
"com laude",
"redacted for",
"server",
"priority",
"email",
"organization",
"city",
"cnapple public",
"server rsa",
"stcalifornia",
"cnapple ist",
"identity search",
"group",
"issuer criteria",
"type",
"ilike search",
"id logged",
"valid",
"no no",
"no na",
"ip security",
"apple",
"limited",
"ca id",
"lsalford",
"ocomodo ca",
"code signing",
"mozilla",
"android",
"memory checks",
"dotnet_encrypted",
"multi family rat detection",
"malware_win_zgrat"
],
"references": [
"Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
"p155-fmfmobile.icloud.com",
"\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193",
"developer.huawei.com",
"PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
"http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
"Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
"fmfmobile.fe.apple-dns.net",
"http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
"http://notredamewormhoutnet.appleid.com/",
"news-publisher.pictures",
"applestore.net",
"airinthemorning.net",
"http://certs.apple.com/appleistca2g1_bc.cer",
"http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
"https://dc-mx.d3525d602ca2.pixelrz.com",
"http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
"http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)",
"http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)",
"http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)",
"http://pixelrz.com/lists/suggestions/rs485-arduino/",
"http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
"http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
"http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
"Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
"Resource: https://crt.sh/?q=privaterelay.appleid.com",
"\u2193Command and Control \u2193",
"CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
"CNC Hostname: urlspirit.spiritsoft.cn",
"Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
"Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
"Resource: https://urlscan.io/domain/privaterelay.appleid.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Systweak",
"display_name": "Systweak",
"target": null
},
{
"id": "Swrort",
"display_name": "Swrort",
"target": null
},
{
"id": "Tinba",
"display_name": "Tinba",
"target": null
},
{
"id": "XRat",
"display_name": "XRat",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Tiggre",
"display_name": "Tiggre",
"target": null
},
{
"id": "FusionCore",
"display_name": "FusionCore",
"target": null
},
{
"id": "Redline",
"display_name": "Redline",
"target": null
},
{
"id": "Virus:DOS/Nanjing",
"display_name": "Virus:DOS/Nanjing",
"target": "/malware/Virus:DOS/Nanjing"
},
{
"id": "nircmd",
"display_name": "nircmd",
"target": null
},
{
"id": "noname057",
"display_name": "noname057",
"target": null
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Softcnapp",
"display_name": "Softcnapp",
"target": null
},
{
"id": "Union",
"display_name": "Union",
"target": null
},
{
"id": "Bambernek",
"display_name": "Bambernek",
"target": null
},
{
"id": "Kraddare",
"display_name": "Kraddare",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "trojan.agensla/msil",
"display_name": "trojan.agensla/msil",
"target": null
},
{
"id": "Win:ZGRAT",
"display_name": "Win:ZGRAT",
"target": null
},
{
"id": "Wacatac.",
"display_name": "Wacatac.",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 82,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1220,
"FileHash-SHA1": 613,
"FileHash-SHA256": 5010,
"URL": 13617,
"hostname": 3699,
"domain": 2783,
"email": 11,
"CVE": 23,
"CIDR": 2
},
"indicator_count": 26978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "841 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65709a271fd1e3c22cf63f86",
"name": "iCloud - cant access due to insecure conx - yes everything here is compromised via chaining, neural ai and accessibilty kit emulated via android",
"description": "",
"modified": "2023-12-06T15:58:31.832000",
"created": "2023-12-06T15:58:31.832000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 705,
"domain": 302,
"FileHash-SHA256": 840,
"URL": 2603,
"email": 2,
"FileHash-MD5": 51,
"FileHash-SHA1": 51
},
"indicator_count": 4554,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570972ccaeed5791f7bf452",
"name": "https://itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8 and https://play.google.com/store/apps/details?id=sport.mobile2ads.com",
"description": "",
"modified": "2023-12-06T15:45:48.530000",
"created": "2023-12-06T15:45:48.530000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 406,
"FileHash-MD5": 53,
"FileHash-SHA1": 51,
"hostname": 58,
"domain": 49,
"URL": 169,
"email": 2
},
"indicator_count": 788,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6457f3e06dd7b18f4f6d1633",
"name": "http://www.icloud.com - hybrid scan frm 2020",
"description": "",
"modified": "2023-05-07T18:54:24.168000",
"created": "2023-05-07T18:54:24.168000",
"tags": [
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"ansi",
"data",
"decrypted ssl",
"runtime data",
"windows nt",
"size",
"sha256",
"threat level",
"pcap",
"pcap processing",
"date",
"format",
"path",
"info",
"suspicious",
"accept",
"zafi",
"gosh",
"hybrid",
"close",
"click",
"hosts",
"general",
"local",
"strings",
"team",
"april",
"qakbot"
],
"references": [
"https://www.hybrid-analysis.com/sample/d3ffdf44916b01e14fceca04c3a3beb5fbad5aeea482e2242c5a843793073874/5f7570ba06837169aa62c689"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 229,
"hostname": 78,
"domain": 63,
"FileHash-SHA256": 182,
"email": 2,
"IPv4": 15,
"FileHash-MD5": 63,
"FileHash-SHA1": 60
},
"indicator_count": 692,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 91,
"modified_text": "1077 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6457df59f333c9e3027ac390",
"name": "iCloud - cant access due to insecure conx - yes everything here is compromised via chaining, neural ai and accessibilty kit emulated via android",
"description": "thisi s from scan 25 april 2023 \nlets compare to 2020",
"modified": "2023-05-07T17:36:13.269000",
"created": "2023-05-07T17:26:49.285000",
"tags": [
"chromeua",
"optout",
"windir",
"prefetch8 ansi",
"fatalerror",
"facebook",
"meta",
"unknown",
"suspicious",
"null",
"body",
"black",
"iframe",
"media",
"qakbot",
"icloud",
"apple"
],
"references": [
"https://www.icloud.com",
"https://www.hybrid-analysis.com/sample/d3ffdf44916b01e14fceca04c3a3beb5fbad5aeea482e2242c5a843793073874/6447a07b59116aba3303e517"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2603,
"hostname": 705,
"domain": 302,
"FileHash-SHA256": 840,
"email": 2,
"IPv4": 10,
"FileHash-MD5": 51,
"FileHash-SHA1": 51
},
"indicator_count": 4564,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 91,
"modified_text": "1078 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "63f171a71657c53b68a4d151",
"name": "http://www.itunes.codes",
"description": "The Falcon Sandbox malware analysis service is available to download, use and view all the data on the Falcon website, including the full list of features. \u00c2\u00a31.5m.",
"modified": "2023-03-21T00:02:57.765000",
"created": "2023-02-19T00:47:35.996000",
"tags": [
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"runtime data",
"ansi",
"localappdata",
"unicode",
"hash seen",
"size",
"runtime process",
"sha256",
"sha1",
"temp",
"entropy",
"win64",
"date",
"accept",
"hybrid",
"close",
"click",
"hosts",
"code",
"ransomware",
"february",
"general",
"strings",
"format",
"suspicious",
"http://www.itunes.codes",
"www.itunes.codes"
],
"references": [
"https://hybrid-analysis.com/sample/2faedf856461cfde822d1df8ee565a98772475ddeac87e1ef117d06172a93b0c/63f0c9668d06c2130e052cc2"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 181,
"hostname": 54,
"domain": 62,
"FileHash-SHA256": 58,
"email": 4,
"FileHash-MD5": 55,
"FileHash-SHA1": 53
},
"indicator_count": 467,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 90,
"modified_text": "1125 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "63ee3cebfc1591ef9628202c",
"name": "https://itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8 and https://play.google.com/store/apps/details?id=sport.mobile2ads.com",
"description": "A chronology of key events:-1.1-3.4-4.3-year-old, 1.2-2.5-magnitude, 2.6-million-second.",
"modified": "2023-03-18T14:03:15.873000",
"created": "2023-02-16T14:25:47.934000",
"tags": [
"tcpmiss",
"cookie",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"runtime data",
"ansi",
"localappdata",
"hash seen",
"size",
"runtime process",
"unicode",
"sha256",
"sha1",
"temp",
"entropy",
"date",
"hybrid",
"close",
"click",
"ransomware",
"february",
"general",
"strings",
"format",
"suspicious",
"self",
"script",
"live sport tv listing guide",
"gregor jutrisa",
"sports",
"entertainment",
"ios apps",
"app",
"appstore",
"app store",
"iphone",
"ipad",
"ipod touch",
"itouch",
"itunes",
"sport tv",
"ziggo sport",
"fox sports",
"sky sport",
"golf channel",
"eurosport",
"sport",
"football",
"baseball",
"golf",
"calendar"
],
"references": [
"https://itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8",
"Live Sport TV Listings Guide is a comprehensive sports TV listings guide for iPad, iPhone, iPad and Android devices, available on the Apple Store, Apple TV, Connected TV and app.",
"Content Security policy for https://play.google.com/store/apps/details?id=sport.mobile2ads.com",
"Content-Security-Policy\tscript-src 'report-sample' 'nonce-7kIhV_bemRSTmuEs7_xY3A' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /_/PlayStoreUi/cspreport;worker-src 'self', script-src 'unsafe-inline' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com https://market.android.com https://clients2.google.com https://payments.sandbox.google.com https://pay",
"https://hybrid-analysis.com/sample/1226ee40a542e22e99e73f8cb2cb310609eae8914923b7fe57f7a28c5aa48c16/63ee2b8543b88778ed20724d",
"hybrid scan upload of above URL",
"content-length\t0 x-true-cache-key\t/L/itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8Browser vcd=2897 x-cache\tTCP_MISS from a23-47-195-69.deploy.akamaitechnologies.com (AkamaiGHost/10.3.4.1-33174363) (-) expires\tFri, 30 Apr 2021 04:29:13 GMT vary\tX-Apple-Store-Front, Cookie, X-Apple-Store-Front, Cookie x-responding-instance\tMZStore:3015901::: x-apple-lokamai-no-cache\ttrue pragma\tno-cache date\tFri, 30 Apr 2021 04:29:13 GMT",
"x-apple-partner\torigin.0 access-control-allow-origin\t* x-cache-remote\tTCP_MISS from a23-47-58-148.deploy.akamaitechnologies.com (AkamaiGHost/10.4.0-33449709) (-) x-daiquiri-instance\tdaiquiri:18626002:mr47p00it-qujn07082301:7987:21RELEASE69 strict-transport-security\tmax-age=31536000; includeSubDomains apple-timing-app\t3 ms server\tdaiquiri/3.0.0 x-apple-jingle-correlation-key\tCIKYKHURNQMKOWELARQB6Y5KHI connection\tkeep-alive cache-control\tmax-age=0, no-cache, no-store"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 58,
"URL": 169,
"domain": 49,
"FileHash-SHA256": 406,
"email": 2,
"FileHash-MD5": 53,
"FileHash-SHA1": 51
},
"indicator_count": 788,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 91,
"modified_text": "1128 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"",
"apple.com \u2022 getsupport.apple.com \u2022",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content",
"\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193",
"p155-fmfmobile.icloud.com",
"https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85",
"asp.net domain pointer",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"https://www.hybrid-analysis.com/sample/d3ffdf44916b01e14fceca04c3a3beb5fbad5aeea482e2242c5a843793073874/6447a07b59116aba3303e517",
"192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company",
"NJRat Alerts: hardware_id_profiling network_cnc_https_pastesite persistence_autorun",
"developer.huawei.com",
"Pahamify Pegasus",
"http://help.aiseesoft.jp/total-video-converter/",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content",
"apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content",
"http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP",
"https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f",
"http://beelinerouter.net/",
"They blatantly steal from citizens , blame foreign entities.",
"applestore.net",
"Live Sport TV Listings Guide is a comprehensive sports TV listings guide for iPad, iPhone, iPad and Android devices, available on the Apple Store, Apple TV, Connected TV and app.",
"http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"Resource: https://crt.sh/?q=privaterelay.appleid.com",
"http://help.aiseesoft.jp/fonelab/",
"http://sissy.com/default - Adult Content",
"https://www.hybrid-analysis.com/sample/d3ffdf44916b01e14fceca04c3a3beb5fbad5aeea482e2242c5a843793073874/5f7570ba06837169aa62c689",
"http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
"1.bing.com.cn",
"oas-japac-domains-applecomputer.cn",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content",
"http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org",
"https://176.113.115.136/ohhiiiii/",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"mac.store",
"IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
"PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
"NJRat IP\u2019s Contacted 149.154.166.110 172.66.171.73",
"https://icloud.ch/cn/ipod-touch/",
"Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672",
"Matches rule Creation of an Executable by an Executable by frack113",
"Tulach.cc",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"div>
",
"podcasts.apple.com \u2022 23.34.32.21",
"tv.apple.com",
"216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies",
"https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP",
"\u2193Command and Control \u2193",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"https://hybrid-analysis.com/sample/2faedf856461cfde822d1df8ee565a98772475ddeac87e1ef117d06172a93b0c/63f0c9668d06c2130e052cc2",
"IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
"news-publisher.pictures",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP",
"palantir-staging.staging.candidate.app.paulsjob.ai",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content",
"https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c",
"207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center",
"jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP",
"Content Security policy for https://play.google.com/store/apps/details?id=sport.mobile2ads.com",
"hybrid scan upload of above URL",
"https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
"https://apps.apple.com/app/",
"foundry.com \u2022 helix. com",
"Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"appleaustralia.com",
"Redirect: schemas.microsoft.com",
"Yara Detections BackdoorWin32Simda",
"xred.mooo.com \u2022 mooo.com \u2022 afraid.org",
"Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado",
"https://itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8",
"https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main",
"http://firstmile.digitecgalaxus.ch",
"64.38.232.180 - Adult Content IP",
"http://notredamewormhoutnet.appleid.com/",
"Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
"http://apple.support.com/ht***** redirect",
"http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP",
"NJRat Alerts: windows_defender_powershell network_document_file powershell_command_suspicious",
"robert-aebi.appleid.com",
"NJRat Alerts: persistence_autorun_tasks binary_yara procmem_yara suricata_alert",
"http://foundry2-lbl.dvr.dn2.n-helix.com",
"NJRat Alerts: dynamic_function_loading encrypted_ioc registers_vectored_exception_handler",
"https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
"Tulach \u2022 114.114.114.114",
"http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content",
"IDS: TLS Handshake Failure",
"195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"http://www.anyxxxtube.net/search-porn/ - Adult Content",
"NJRat IDS Detections: Observed Telegram API Domain (api .telegram .org in TLS SNI)",
"getsupport.apple.com\t \u2022 apple.com",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5",
"monitoring.eurovision.net",
"https://www.icloud.com",
"http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP",
"Victims have lost financial assets, jobs, vehicles",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)",
"https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb",
"http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"smtp2.icl-privaterelay.appleid.com",
"It appears there are 5-7 known affected that I was able to find",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"metropcs.com/account/sign-in.html",
"https://freedns.afraid.org/images/exclamation",
"http://www.icloud-sms-alert.com/",
"https://aspmx.l.google.com/",
"https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
"Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
"https://l.us-1.a.mimecastprotect.com/l",
"http://test-firstmile.digitecgalaxus.ch",
"78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh",
"http://help.aiseesoft.jp/total-video-converter",
"monitor.kyos.ninja",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"NJRat Domains Contacted pastebin.com api.telegram.org",
"Resource: https://urlscan.io/domain/privaterelay.appleid.com",
"apple.com(-inc.cc)",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
"bpc-old.palantirfoundry.com",
"Follow up need. This is a serious financial crime following the victims.",
"http://certs.apple.com/appleistca2g1_bc.cer",
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"http://help.aiseesoft.jp/blu-ray-player",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com",
"Tulach - 114.114.114.114",
"https://go.recordedfuture.com/hubfs/reports/cta-2023-0816.pdf",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"Win.Packed.njRAT-10002074-1",
"CNC Hostname: urlspirit.spiritsoft.cn",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center",
"www.anyxxxtube.net - Adult Content",
"http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE",
"http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"https://icloud.ch/",
"NJRat IDS Detections: Telegram API Domain in DNS Lookup",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
"www.apple.com \u2022 23.34.32.199",
"https://www.endgamesystems.com/ \u2022 https://www.endgames.com/",
"aotx.alienvault.com (aotx.?)",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
"https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+ Akamai rank: #2475\t URL https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff9",
"Trojans: 149.154.166.110 command_and_control (build your own telegram) 208.95.112.1 command_and_control",
"95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.",
"admin@bigtits.com",
"Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
"http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
"http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e",
"Matches rule Msiexec Initiated Connection by frack113",
"Content-Security-Policy\tscript-src 'report-sample' 'nonce-7kIhV_bemRSTmuEs7_xY3A' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /_/PlayStoreUi/cspreport;worker-src 'self', script-src 'unsafe-inline' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com https://market.android.com https://clients2.google.com https://payments.sandbox.google.com https://pay",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"https://dc-mx.d3525d602ca2.pixelrz.com",
"iphonegermany.com",
"sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022",
"https://www.idvd.eu/?cid=oas-japac-domains-applestore.com.cn/90.i.lolik.anyciona.patrolita.casse.897866 \u2022 oas-japac-domains-applestore.com.cn",
"fmfmobile.fe.apple-dns.net",
"airinthemorning.net",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
"asp.bet",
"http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"Requires further research.",
"https://hybrid-analysis.com/sample/1226ee40a542e22e99e73f8cb2cb310609eae8914923b7fe57f7a28c5aa48c16/63ee2b8543b88778ed20724d",
"Same legal , and quasi governmental pattern identified",
"www.anyxxxtube.net - Adult Content IP",
"NJRat Alerts: http_request reads_memory_remote_process network_cnc_https_generic reads_self",
"192.168.122.200 BGP: Simulating Inter-network Dynamic Routing",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
"NJRat Alerts: suspicious_command_tools antidebug_guardpages antisandbox_sleep",
"https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8",
"Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
"NJRat Yara Detections: ByteCode_MSIL_Backdoor_AsyncRAT",
"Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H IDS Detections Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE Probe MS17-010 (Generic Flags) Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , WannaCry_Ransomware_Gen , WannaDecryptor , stack_string , MS17_010_WanaCry_worm More Alerts nids_exploit",
"smtp.google.com \u2022 www.google.com/images/errors/robot.png",
"apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net",
"https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound",
"cdn.rss.applemarketingtools.com",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"http://audaxgroup.appleid.com/",
"Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
"http://pixelrz.com/lists/suggestions/rs485-arduino/",
"Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
"jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com",
"x-apple-partner\torigin.0 access-control-allow-origin\t* x-cache-remote\tTCP_MISS from a23-47-58-148.deploy.akamaitechnologies.com (AkamaiGHost/10.4.0-33449709) (-) x-daiquiri-instance\tdaiquiri:18626002:mr47p00it-qujn07082301:7987:21RELEASE69 strict-transport-security\tmax-age=31536000; includeSubDomains apple-timing-app\t3 ms server\tdaiquiri/3.0.0 x-apple-jingle-correlation-key\tCIKYKHURNQMKOWELARQB6Y5KHI connection\tkeep-alive cache-control\tmax-age=0, no-cache, no-store",
"https://eliyporasa - Adult Content",
"Google_Chrome_64bit_v136.0.7103.49.exe",
"Information gathered equals 2 pulses. Pulse (1) included",
"https://action.aiseesoft.jp/itunes.php",
"Verification failure observed in automated verification handlers during sandbox replay.",
"After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome",
"https://podcasts.apple.com/us/podcast/lazarus",
"154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc",
"I apologize for the lack of reference.",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3",
"165.206.254.134 \u2022 Description: CC=US ASN=AS6122",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"OTX auto populated targeted groups.",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Matches rule Registry Modification to Hidden File Extension by frack113",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d",
"pornhub.com\t \u2022 www.pornhub.com",
"http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
"EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.105\", \"dst_port\": 49317, \"sid\": 2025650, \"date\": \"2020/06/18 11:39:48\", \"dst_ip\": \"192.168.56.103\" }, \"type\": \"ioc\", \"description\": null }, { \"category\": \"suricata\", \"ioc\": { \"src_port\": 445, \"name\": \"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.108\", \"dst_port\": 49324, ",
"prometheus.shorty.cicloinfinito.com",
"NJRat IDS Detections: Telegram API Certificate Observed",
"207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents.",
"205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company",
"http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)",
"dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
"content-length\t0 x-true-cache-key\t/L/itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8Browser vcd=2897 x-cache\tTCP_MISS from a23-47-195-69.deploy.akamaitechnologies.com (AkamaiGHost/10.3.4.1-33174363) (-) expires\tFri, 30 Apr 2021 04:29:13 GMT vary\tX-Apple-Store-Front, Cookie, X-Apple-Store-Front, Cookie x-responding-instance\tMZStore:3015901::: x-apple-lokamai-no-cache\ttrue pragma\tno-cache date\tFri, 30 Apr 2021 04:29:13 GMT",
"www.phantomcameras.cn",
"developer.x.com"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"Lazarus"
],
"malware_families": [
"Wacatac.",
"Nids",
"Tiggre",
"Win.malware.jaik-9968280-0",
"Virtool:win32/injector.gen!bq",
"Win.trojan.generic-9908396-0",
"Worm:win32/mydoom",
"Virus:dos/nanjing",
"Nircmd",
"Kraddare",
"Et",
"#lowfi:aggr:hstr:win32/possiblekeylogger.a",
"Virtool:win32/obfuscator",
"Emotet",
"Redline",
"Kanna",
"Win.malware.msilperseus-6989564-0",
"Trojan.generickdz.93839",
"Alf:pws:msil/stealgen.gc!mtb",
"Win.spyware.88778-2",
"Win.trojan.fenomengame-8",
"Trojan:win32/icedid.di!mtb",
"Worm:win32/autorun",
"Trojan.agensla/msil",
"W32/wannacryptor.491a!tr.ransom",
"Win.trojan.fenomengame-14",
"Alf:jasyp:trojan:win32/adialer",
"Unix.trojan.gafgyt-6981154-0",
"Alf:jasyp:pua:win32/4shared",
"Trojan:win32/smkldr.h!mtb",
"Swrort",
"Systweak",
"Zeus",
"Other malware",
"Muldrop",
"Win.trojan.crypted-30",
"Win.trojan.razy-10016933-0",
"Win.packer.pkr_ce1a-9980177-0",
"Tinba",
"Trojan.mydoom/muldrop",
"Bambernek",
"Win.packed.zpack-10013367-0",
"Ransom:msil/gandcrab",
"Mirai sim swap",
"Xrat",
"Tulach malware",
"Suppobox",
"Win.malware.score-6985947-1",
"Malware packed",
"Alf:trojan:win32/formbook.f!mtb",
"Tibs",
"Trojan.mydoom/mudrop",
"Backdoor:win32/berbew",
"Trojan/win32.gamarue.c1976125",
"Worm:win32/fadok!rfn",
"Win.malware.renos-10003934-0",
"Alf:spikeaexr.pevpszl",
"Pandex!gen1",
"Networm",
"Noname057",
"\u2019m",
"Win.malware.delf-10008156-0",
"Apnic",
"Elf:ddos-s\\ [trj]",
"Win.trojan.barys-10005825-0",
"Win:zgrat",
"Trojan.win.small",
"Private internet access",
"Sigur",
"Trojandropper:win32/muldrop",
"Softcnapp",
"Autorunit",
"Worm:win32/bloored",
"Virus:win95/cerebrus",
"Trojanspy",
"Tofsee",
"Njrat",
"Win.trojan.installcore-877",
"Zbot",
"Fusioncore",
"Der zugriff",
"Lumen ip",
"Ransom:win32/gandcrab.h!mtb",
"Mydoom",
"Unknown malware \u2018can't access file\u2019",
"Win.trojan.ramnit-1847",
"Trojan:win32/pariham.a",
"Appleservice",
"#lowfi:lua:dllsuspiciousexport.a",
"Icedid",
"Union",
"Win.malware.elenooka-6996044-0",
"Trojandownloader:win32/cutwail",
"Blacknet",
"Win.downloader.small",
"Alf:jasyp:trojan:win32/ircbot!atmn",
"Mirai"
],
"industries": [
"Banks",
"Civil society",
"Telecommunications",
"Entertainment",
"Government",
"Telecom",
"Legal",
"Crypto",
"Financial",
"Irs",
"Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in",
"Bank",
"Education",
"Technology"
],
"unique_indicators": 266028
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/ipod.com.hk",
"whois": "http://whois.domaintools.com/ipod.com.hk",
"domain": "ipod.com.hk",
"hostname": "Unavailable"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 30,
"pulses": [
{
"id": "69e4e7cfdc3bb3cdffeecf7c",
"name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]",
"description": "",
"modified": "2026-04-19T14:33:51.385000",
"created": "2026-04-19T14:33:51.385000",
"tags": [
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"communicating",
"siblings",
"file",
"hell",
"lenovo tablet",
"name servers",
"as714 apple",
"united",
"creation date",
"search",
"servers",
"date",
"moved",
"certificate",
"passive dns",
"body",
"historical",
"collections",
"contacted",
"strange",
"no data",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"blacklist http",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"malicious site",
"malware site",
"phishing site",
"million",
"malware",
"http attacker",
"ip address",
"algorithm",
"v3 serial",
"number",
"ist ca",
"g1 validity",
"public key",
"info",
"key algorithm",
"ec oid",
"key identifier",
"first",
"team alexa",
"downloader",
"wed apr",
"alexa",
"pony",
"name verdict",
"pattern match",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"script",
"beginstring",
"mitre att",
"null",
"unknown",
"span",
"error",
"class",
"generator",
"critical",
"meta",
"hybrid",
"general",
"local",
"click",
"strings",
"refresh",
"tools",
"malicious url",
"hostname",
"hostnames",
"phishing",
"union",
"team",
"bank",
"unsafe",
"spammer",
"node tcp",
"traffic",
"attacker",
"tor known",
"tor relayrouter",
"jul jan",
"mon sep",
"heur",
"artemis",
"iframe",
"conduit",
"crack",
"riskware",
"opencandy",
"cleaner",
"exploit",
"downldr",
"presenoker",
"wacatac",
"agent",
"fusioncore",
"applicunwnt",
"acint",
"nircmd",
"swrort",
"systweak",
"behav",
"tiggre",
"genkryptik",
"filetour",
"generic",
"patcher",
"driverpack",
"xtrat",
"softcnapp",
"cyber threat",
"dns server",
"http spammer",
"host",
"download",
"asyncrat",
"cobalt strike",
"apple",
"urls http",
"368600",
"320700",
"dc1542721039132",
"subdomains",
"noname057",
"tld count",
"urls",
"blacklist https",
"engineering",
"singapore",
"phishtank",
"suppobox",
"bambernek",
"facebook",
"zbot",
"malicious",
"zeus",
"emotet",
"ransomware",
"nymaim",
"redline stealer",
"service",
"virut",
"kraken",
"keybase",
"stealer",
"hawkeye",
"tinba",
"mirai",
"nanocore",
"bradesco",
"cve201711882",
"ip detections",
"country",
"83500",
"1602192580242",
"1602192586217",
"blog",
"1602192588844",
"1602192624796",
"303300",
"vhash",
"authentihash",
"ssdeep",
"file type",
"win32 exe",
"magic pe32",
"ms windows",
"intel",
"trid windows",
"control panel",
"file version",
"copyright",
"product",
"description",
"original name",
"internal name",
"rticon neutral",
"chi2",
"contained",
"details module",
"version id",
"typelib id",
"header target",
"machine intel",
"utc entry",
"point",
"count blacklist",
"tag tag",
"dot net",
"assembly common",
"clr version",
"assembly name",
"address",
"assembly",
"rva entry",
"streams size",
"entropy chi2",
"guid",
"applenoc",
"showing",
"record value",
"scan endpoints",
"all search",
"as20940",
"as16625 akamai",
"status",
"cname",
"china",
"as136907 huawei",
"nanjing",
"as2914 ntt",
"america",
"as7843 charter",
"as6461 zayo",
"domain",
"p155-fmfmobile.icloud.com",
"t-mobile",
"metro t-mobile",
"metro",
"metroby",
"social engineering",
"happywifehappylife",
"bot",
"darknet service",
"tsara brashears",
"jeffrey reimer",
"pixelrz",
"yandex",
"cp",
"cyber",
"red team",
"framing",
"qwest",
"cybercrime",
"cyber threat",
"sha256",
"runtime process",
"sha1",
"size",
"windows nt",
"indicator",
"svg scalable",
"accept",
"unis",
"buttons",
"overwrite",
"format",
"spyware",
"heodo",
"fri nov",
"installcore",
"installpack",
"win64",
"fakealert",
"dropper",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"dapato",
"networm",
"mediaget",
"softonic",
"trojan",
"encpk",
"qbot",
"predator",
"kraddare",
"iobit",
"dllinject",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"unruy",
"floxif",
"adload",
"et cins",
"active threat",
"reputation ip",
"threats et",
"cins active",
"poor reputation",
"ip tcp",
"privacy admin",
"privacy tech",
"com laude",
"redacted for",
"server",
"priority",
"email",
"organization",
"city",
"cnapple public",
"server rsa",
"stcalifornia",
"cnapple ist",
"identity search",
"group",
"issuer criteria",
"type",
"ilike search",
"id logged",
"valid",
"no no",
"no na",
"ip security",
"apple",
"limited",
"ca id",
"lsalford",
"ocomodo ca",
"code signing",
"mozilla",
"android",
"memory checks",
"dotnet_encrypted",
"multi family rat detection",
"malware_win_zgrat"
],
"references": [
"Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
"p155-fmfmobile.icloud.com",
"\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193",
"developer.huawei.com",
"PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
"http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
"Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
"fmfmobile.fe.apple-dns.net",
"http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
"http://notredamewormhoutnet.appleid.com/",
"news-publisher.pictures",
"applestore.net",
"airinthemorning.net",
"http://certs.apple.com/appleistca2g1_bc.cer",
"http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
"https://dc-mx.d3525d602ca2.pixelrz.com",
"http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
"http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)",
"http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)",
"http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)",
"http://pixelrz.com/lists/suggestions/rs485-arduino/",
"http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
"http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
"http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
"Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
"Resource: https://crt.sh/?q=privaterelay.appleid.com",
"\u2193Command and Control \u2193",
"CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
"CNC Hostname: urlspirit.spiritsoft.cn",
"Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
"Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
"Resource: https://urlscan.io/domain/privaterelay.appleid.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Systweak",
"display_name": "Systweak",
"target": null
},
{
"id": "Swrort",
"display_name": "Swrort",
"target": null
},
{
"id": "Tinba",
"display_name": "Tinba",
"target": null
},
{
"id": "XRat",
"display_name": "XRat",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Tiggre",
"display_name": "Tiggre",
"target": null
},
{
"id": "FusionCore",
"display_name": "FusionCore",
"target": null
},
{
"id": "Redline",
"display_name": "Redline",
"target": null
},
{
"id": "Virus:DOS/Nanjing",
"display_name": "Virus:DOS/Nanjing",
"target": "/malware/Virus:DOS/Nanjing"
},
{
"id": "nircmd",
"display_name": "nircmd",
"target": null
},
{
"id": "noname057",
"display_name": "noname057",
"target": null
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Softcnapp",
"display_name": "Softcnapp",
"target": null
},
{
"id": "Union",
"display_name": "Union",
"target": null
},
{
"id": "Bambernek",
"display_name": "Bambernek",
"target": null
},
{
"id": "Kraddare",
"display_name": "Kraddare",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "trojan.agensla/msil",
"display_name": "trojan.agensla/msil",
"target": null
},
{
"id": "Win:ZGRAT",
"display_name": "Win:ZGRAT",
"target": null
},
{
"id": "Wacatac.",
"display_name": "Wacatac.",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "656a971ab44409ecb7018428",
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1220,
"FileHash-SHA1": 613,
"FileHash-SHA256": 5010,
"URL": 13617,
"hostname": 3699,
"domain": 2783,
"email": 11,
"CVE": 23,
"CIDR": 2
},
"indicator_count": 26978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "3 hours ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69e4e7c6ddf646eb4e645bd5",
"name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]",
"description": "",
"modified": "2026-04-19T14:33:42.400000",
"created": "2026-04-19T14:33:42.400000",
"tags": [
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"communicating",
"siblings",
"file",
"hell",
"lenovo tablet",
"name servers",
"as714 apple",
"united",
"creation date",
"search",
"servers",
"date",
"moved",
"certificate",
"passive dns",
"body",
"historical",
"collections",
"contacted",
"strange",
"no data",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"blacklist http",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"malicious site",
"malware site",
"phishing site",
"million",
"malware",
"http attacker",
"ip address",
"algorithm",
"v3 serial",
"number",
"ist ca",
"g1 validity",
"public key",
"info",
"key algorithm",
"ec oid",
"key identifier",
"first",
"team alexa",
"downloader",
"wed apr",
"alexa",
"pony",
"name verdict",
"pattern match",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"script",
"beginstring",
"mitre att",
"null",
"unknown",
"span",
"error",
"class",
"generator",
"critical",
"meta",
"hybrid",
"general",
"local",
"click",
"strings",
"refresh",
"tools",
"malicious url",
"hostname",
"hostnames",
"phishing",
"union",
"team",
"bank",
"unsafe",
"spammer",
"node tcp",
"traffic",
"attacker",
"tor known",
"tor relayrouter",
"jul jan",
"mon sep",
"heur",
"artemis",
"iframe",
"conduit",
"crack",
"riskware",
"opencandy",
"cleaner",
"exploit",
"downldr",
"presenoker",
"wacatac",
"agent",
"fusioncore",
"applicunwnt",
"acint",
"nircmd",
"swrort",
"systweak",
"behav",
"tiggre",
"genkryptik",
"filetour",
"generic",
"patcher",
"driverpack",
"xtrat",
"softcnapp",
"cyber threat",
"dns server",
"http spammer",
"host",
"download",
"asyncrat",
"cobalt strike",
"apple",
"urls http",
"368600",
"320700",
"dc1542721039132",
"subdomains",
"noname057",
"tld count",
"urls",
"blacklist https",
"engineering",
"singapore",
"phishtank",
"suppobox",
"bambernek",
"facebook",
"zbot",
"malicious",
"zeus",
"emotet",
"ransomware",
"nymaim",
"redline stealer",
"service",
"virut",
"kraken",
"keybase",
"stealer",
"hawkeye",
"tinba",
"mirai",
"nanocore",
"bradesco",
"cve201711882",
"ip detections",
"country",
"83500",
"1602192580242",
"1602192586217",
"blog",
"1602192588844",
"1602192624796",
"303300",
"vhash",
"authentihash",
"ssdeep",
"file type",
"win32 exe",
"magic pe32",
"ms windows",
"intel",
"trid windows",
"control panel",
"file version",
"copyright",
"product",
"description",
"original name",
"internal name",
"rticon neutral",
"chi2",
"contained",
"details module",
"version id",
"typelib id",
"header target",
"machine intel",
"utc entry",
"point",
"count blacklist",
"tag tag",
"dot net",
"assembly common",
"clr version",
"assembly name",
"address",
"assembly",
"rva entry",
"streams size",
"entropy chi2",
"guid",
"applenoc",
"showing",
"record value",
"scan endpoints",
"all search",
"as20940",
"as16625 akamai",
"status",
"cname",
"china",
"as136907 huawei",
"nanjing",
"as2914 ntt",
"america",
"as7843 charter",
"as6461 zayo",
"domain",
"p155-fmfmobile.icloud.com",
"t-mobile",
"metro t-mobile",
"metro",
"metroby",
"social engineering",
"happywifehappylife",
"bot",
"darknet service",
"tsara brashears",
"jeffrey reimer",
"pixelrz",
"yandex",
"cp",
"cyber",
"red team",
"framing",
"qwest",
"cybercrime",
"cyber threat",
"sha256",
"runtime process",
"sha1",
"size",
"windows nt",
"indicator",
"svg scalable",
"accept",
"unis",
"buttons",
"overwrite",
"format",
"spyware",
"heodo",
"fri nov",
"installcore",
"installpack",
"win64",
"fakealert",
"dropper",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"dapato",
"networm",
"mediaget",
"softonic",
"trojan",
"encpk",
"qbot",
"predator",
"kraddare",
"iobit",
"dllinject",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"unruy",
"floxif",
"adload",
"et cins",
"active threat",
"reputation ip",
"threats et",
"cins active",
"poor reputation",
"ip tcp",
"privacy admin",
"privacy tech",
"com laude",
"redacted for",
"server",
"priority",
"email",
"organization",
"city",
"cnapple public",
"server rsa",
"stcalifornia",
"cnapple ist",
"identity search",
"group",
"issuer criteria",
"type",
"ilike search",
"id logged",
"valid",
"no no",
"no na",
"ip security",
"apple",
"limited",
"ca id",
"lsalford",
"ocomodo ca",
"code signing",
"mozilla",
"android",
"memory checks",
"dotnet_encrypted",
"multi family rat detection",
"malware_win_zgrat"
],
"references": [
"Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
"p155-fmfmobile.icloud.com",
"\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193",
"developer.huawei.com",
"PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
"http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
"Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
"fmfmobile.fe.apple-dns.net",
"http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
"http://notredamewormhoutnet.appleid.com/",
"news-publisher.pictures",
"applestore.net",
"airinthemorning.net",
"http://certs.apple.com/appleistca2g1_bc.cer",
"http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
"https://dc-mx.d3525d602ca2.pixelrz.com",
"http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
"http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)",
"http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)",
"http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)",
"http://pixelrz.com/lists/suggestions/rs485-arduino/",
"http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
"http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
"http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
"Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
"Resource: https://crt.sh/?q=privaterelay.appleid.com",
"\u2193Command and Control \u2193",
"CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
"CNC Hostname: urlspirit.spiritsoft.cn",
"Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
"Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
"Resource: https://urlscan.io/domain/privaterelay.appleid.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Systweak",
"display_name": "Systweak",
"target": null
},
{
"id": "Swrort",
"display_name": "Swrort",
"target": null
},
{
"id": "Tinba",
"display_name": "Tinba",
"target": null
},
{
"id": "XRat",
"display_name": "XRat",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Tiggre",
"display_name": "Tiggre",
"target": null
},
{
"id": "FusionCore",
"display_name": "FusionCore",
"target": null
},
{
"id": "Redline",
"display_name": "Redline",
"target": null
},
{
"id": "Virus:DOS/Nanjing",
"display_name": "Virus:DOS/Nanjing",
"target": "/malware/Virus:DOS/Nanjing"
},
{
"id": "nircmd",
"display_name": "nircmd",
"target": null
},
{
"id": "noname057",
"display_name": "noname057",
"target": null
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Softcnapp",
"display_name": "Softcnapp",
"target": null
},
{
"id": "Union",
"display_name": "Union",
"target": null
},
{
"id": "Bambernek",
"display_name": "Bambernek",
"target": null
},
{
"id": "Kraddare",
"display_name": "Kraddare",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "trojan.agensla/msil",
"display_name": "trojan.agensla/msil",
"target": null
},
{
"id": "Win:ZGRAT",
"display_name": "Win:ZGRAT",
"target": null
},
{
"id": "Wacatac.",
"display_name": "Wacatac.",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "656a971ab44409ecb7018428",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1220,
"FileHash-SHA1": 613,
"FileHash-SHA256": 5010,
"URL": 13617,
"hostname": 3699,
"domain": 2783,
"email": 11,
"CVE": 23,
"CIDR": 2
},
"indicator_count": 26978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "3 hours ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "9 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69ddeb45c45f6a3cd721397d",
"name": "Active attacks \u2022 Apple \u2022 Tulach",
"description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious",
"modified": "2026-04-14T07:22:45.250000",
"created": "2026-04-14T07:22:45.250000",
"tags": [
"url http",
"ipv4",
"indicator role",
"active related",
"united",
"moved",
"gmt content",
"certificate",
"all domain",
"msie",
"chrome",
"extraction",
"data upload",
"twitter",
"cookie",
"extra",
"include data",
"review locs",
"exclude",
"suggested os",
"onlv",
"failed",
"stop data",
"read c",
"unicode",
"rgba",
"memcommit",
"delete",
"dock",
"write",
"execution",
"sc type",
"extri",
"include review",
"exclude sugges",
"typ data",
"a domains",
"present apr",
"script urls",
"files",
"files ip",
"address",
"ios",
"mac",
"apple",
"appleid",
"itunes",
"next associated",
"all ipv4",
"included ic",
"uny teade",
"type hostnar",
"hostnar hostnar",
"hostnar",
"macair",
"macairaustralia",
"ipad",
"ipod",
"cryptexportkey",
"invalid pointer",
"cryptgenkey",
"stream",
"defender",
"delphi",
"class",
"stack",
"format",
"unknown",
"united states",
"phishing",
"password",
"traffic redirected",
"service mod",
"service execution",
"youtube",
"music",
"streams",
"songs",
"played songs",
"music streams",
"most played",
"fonelab",
"indicator",
"included iocs",
"manually add",
"review ocs",
"exclude inn",
"sugges data",
"find",
"include",
"url https",
"enter sc",
"type",
"no matchme",
"search otx",
"https",
"references x",
"analyze",
"open th",
"url data",
"se http",
"no match",
"excluded iocs",
"iocs",
"ip whitelisted",
"whitelisted",
"tcp include",
"analysis date",
"file score",
"medium risk",
"yara detections",
"contacted",
"related tags",
"x vercel",
"file type",
"type indicator",
"role title",
"related pulses",
"mulch virtua",
"library loade",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugt",
"samuel tulach",
"unity engine",
"tulach",
"sa awareness",
"sabey",
"sar cut",
"autofill",
"includer review",
"portiana oney",
"targeting",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"musickit_1_.js",
"lazarus",
"injection",
"CVE-2017-8570",
"prefetch2",
"target",
"aaaa",
"ip address",
"record value",
"emails",
"samuel tuachs",
"sapev",
"review exclude",
"monitored target",
"script",
"mitre att",
"ascii text",
"span",
"path",
"iframe",
"april",
"hybrid",
"general",
"local",
"click",
"strings",
"body",
"development att",
"t1055.012 list planting",
"active"
],
"references": [
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"https://podcasts.apple.com/us/podcast/lazarus",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://help.aiseesoft.jp/blu-ray-player",
"http://help.aiseesoft.jp/fonelab/",
"https://action.aiseesoft.jp/itunes.php",
"http://help.aiseesoft.jp/total-video-converter",
"http://help.aiseesoft.jp/total-video-converter/",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"http://test-firstmile.digitecgalaxus.ch",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"cdn.rss.applemarketingtools.com",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"1.bing.com.cn",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"www.phantomcameras.cn",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"podcasts.apple.com \u2022 23.34.32.21",
"www.apple.com \u2022 23.34.32.199",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"http://firstmile.digitecgalaxus.ch",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"Tulach.cc",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"asp.net domain pointer",
"developer.x.com",
"aotx.alienvault.com (aotx.?)",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1020.001",
"name": "Traffic Duplication",
"display_name": "T1020.001 - Traffic Duplication"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591.002",
"name": "Business Relationships",
"display_name": "T1591.002 - Business Relationships"
},
{
"id": "T1591.001",
"name": "Determine Physical Locations",
"display_name": "T1591.001 - Determine Physical Locations"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1029,
"domain": 396,
"email": 7,
"URL": 2784,
"FileHash-SHA256": 898,
"FileHash-MD5": 79,
"FileHash-SHA1": 68,
"IPv4": 35,
"CVE": 1,
"SSLCertFingerprint": 13
},
"indicator_count": 5310,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d9b0e549af1aae2975ebeb",
"name": "Virtual Servers \u2022 Tulach \u2022 Eternal Blue",
"description": "Interesting. Further research required. \n\nhttps://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+\n\n\nhttps://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff90+IP:+Sweden%0A\\\\xfff0\\\\xff9f\\\\xff97\\\\xffba+Country:+SE+",
"modified": "2026-04-11T02:24:37.102000",
"created": "2026-04-11T02:24:37.102000",
"tags": [
"related pulses",
"apple",
"imac",
"itunes",
"tulach",
"active",
"vercel",
"ms windows",
"intel",
"yara rule",
"lredmond",
"rsds",
"write c",
"tls sni",
"write",
"install",
"rijndael",
"malware",
"accept",
"self",
"mtb apr",
"lowfi",
"backdoor",
"antigua",
"trojandropper",
"all ipv4",
"urls",
"prometheus",
"files",
"files ip",
"address",
"united",
"unknown aaaa",
"cname",
"tags",
"keepalived",
"ip address",
"red hat",
"nat node",
"gns3",
"firefox",
"ovn network",
"instances",
"forum",
"linux",
"dynamicloader",
"exclusionpath",
"medium",
"high",
"telegram api",
"windows",
"f rl",
"highest sc",
"guard",
"april",
"powershell",
"c mar",
"virtool",
"c jan",
"c dec",
"urls show",
"url hostname",
"ransom",
"click",
"title",
"njrat",
"as64521i",
"bird",
"bgp",
"virtual private",
"virtual servers",
"et exploit",
"ms17010 echo",
"response",
"echo response",
"asnone",
"probe ms17010",
"nids",
"m2 ms17010",
"regsetvalueexa",
"service",
"wannacry",
"dock",
"unknown",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"mitre att",
"defense evasion",
"sha1",
"sha256",
"size",
"pattern match",
"ascii text",
"path",
"stop",
"hybrid",
"general",
"local",
"twitter",
"strings",
"core",
"telegram",
"tools"
],
"references": [
"Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H IDS Detections Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE Probe MS17-010 (Generic Flags) Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , WannaCry_Ransomware_Gen , WannaDecryptor , stack_string , MS17_010_WanaCry_worm More Alerts nids_exploit",
"https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+ Akamai rank: #2475\t URL https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff9",
"https://go.recordedfuture.com/hubfs/reports/cta-2023-0816.pdf",
"https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f",
"Trojans: 149.154.166.110 command_and_control (build your own telegram) 208.95.112.1 command_and_control",
"prometheus.shorty.cicloinfinito.com",
"Win.Packed.njRAT-10002074-1",
"NJRat IDS Detections: Telegram API Domain in DNS Lookup",
"NJRat IDS Detections: Observed Telegram API Domain (api .telegram .org in TLS SNI)",
"NJRat IDS Detections: Telegram API Certificate Observed",
"NJRat Yara Detections: ByteCode_MSIL_Backdoor_AsyncRAT",
"NJRat Alerts: hardware_id_profiling network_cnc_https_pastesite persistence_autorun",
"NJRat Alerts: persistence_autorun_tasks binary_yara procmem_yara suricata_alert",
"NJRat Alerts: windows_defender_powershell network_document_file powershell_command_suspicious",
"NJRat Alerts: suspicious_command_tools antidebug_guardpages antisandbox_sleep",
"NJRat Alerts: dynamic_function_loading encrypted_ioc registers_vectored_exception_handler",
"NJRat Alerts: http_request reads_memory_remote_process network_cnc_https_generic reads_self",
"NJRat IP\u2019s Contacted 149.154.166.110 172.66.171.73",
"NJRat Domains Contacted pastebin.com api.telegram.org",
"192.168.122.200 BGP: Simulating Inter-network Dynamic Routing",
"EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.105\", \"dst_port\": 49317, \"sid\": 2025650, \"date\": \"2020/06/18 11:39:48\", \"dst_ip\": \"192.168.56.103\" }, \"type\": \"ioc\", \"description\": null }, { \"category\": \"suricata\", \"ioc\": { \"src_port\": 445, \"name\": \"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.108\", \"dst_port\": 49324, "
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Japan",
"United States of America",
"China"
],
"malware_families": [
{
"id": "Win.Trojan.Generic-9908396-0",
"display_name": "Win.Trojan.Generic-9908396-0",
"target": null
},
{
"id": "Win.Trojan.Crypted-30",
"display_name": "Win.Trojan.Crypted-30",
"target": null
},
{
"id": "Backdoor:Win32/Berbew",
"display_name": "Backdoor:Win32/Berbew",
"target": "/malware/Backdoor:Win32/Berbew"
},
{
"id": "Win.Malware.Score-6985947-1",
"display_name": "Win.Malware.Score-6985947-1",
"target": null
},
{
"id": "ALF:PWS:MSIL/Stealgen.GC!MTB",
"display_name": "ALF:PWS:MSIL/Stealgen.GC!MTB",
"target": null
},
{
"id": "Win.Packed.Zpack-10013367-0",
"display_name": "Win.Packed.Zpack-10013367-0",
"target": null
},
{
"id": "ALF:Trojan:Win32/FormBook.F!MTB",
"display_name": "ALF:Trojan:Win32/FormBook.F!MTB",
"target": null
},
{
"id": "Win.Malware.Renos-10003934-0",
"display_name": "Win.Malware.Renos-10003934-0",
"target": null
},
{
"id": "Win.Trojan.Razy-10016933-0",
"display_name": "Win.Trojan.Razy-10016933-0",
"target": null
},
{
"id": "#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.A",
"display_name": "#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.A",
"target": null
},
{
"id": "NJRat",
"display_name": "NJRat",
"target": null
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Private Internet Access",
"display_name": "Private Internet Access",
"target": null
},
{
"id": "Malware Packed",
"display_name": "Malware Packed",
"target": null
},
{
"id": "W32/WannaCryptor.491A!tr.ransom",
"display_name": "W32/WannaCryptor.491A!tr.ransom",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1584.003",
"name": "Virtual Private Server",
"display_name": "T1584.003 - Virtual Private Server"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1144",
"name": "Gatekeeper Bypass",
"display_name": "T1144 - Gatekeeper Bypass"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
}
],
"industries": [
"Telecommunications",
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 556,
"domain": 206,
"URL": 863,
"FileHash-SHA256": 1589,
"IPv4": 519,
"FileHash-MD5": 472,
"FileHash-SHA1": 376,
"SSLCertFingerprint": 11,
"email": 1
},
"indicator_count": 4593,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64eccb5d39a90a3c391e",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:32.565000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64e1d5e06aa6207f78de",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:21.863000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6962d43456bb524b17e9d5ce",
"name": "Apple MyDoom + IOC\u2019s isolated from Palantir related Pahamify Pegasus | BibleGateway App | Drive by & other targeting /.monitoring Access Attacks ",
"description": "",
"modified": "2026-02-09T22:00:25.303000",
"created": "2026-01-10T22:35:32.582000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6962bb143187f7cb571ef6f5",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1190,
"hostname": 891,
"URL": 4201,
"FileHash-SHA256": 1555,
"email": 33,
"FileHash-MD5": 591,
"FileHash-SHA1": 400
},
"indicator_count": 8861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://ipod.com.hk/sms.html",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://ipod.com.hk/sms.html",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776620862.2128985
}