{ "type": "URL", "indicator": "https://js.monitor.azure.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://js.monitor.azure.com", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #45", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain azure.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain azure.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3676553533, "indicator": "https://js.monitor.azure.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "69ccd2f7984fad6feebb4ca4", "name": "VirusTotal report\n for index.html", "description": "The full text of the full report-to-gws, which was published on 1 April 2026, has been published online by the Csp website, following a request from the BBC>pretext .", "modified": "2026-04-01T08:44:36.825000", "created": "2026-04-01T08:10:31.621000", "tags": [ "self", "downlink rtt", "html document", "ascii text", "crlf line", "windows", "linux", "build web", "html", "javascript", "https", "acceptencoding", "cookie", "dynamic", "authorization", "contentmd5", "wp engine", "xmsedgeref ref", "bl2edge1520 ref", "expires sun", "gmt date", "gmt xcache", "tcphit", "gmt etag", "b8glwd", "afeap", "bmxagc", "e5bfse", "bgs6mb", "bjwmce", "ciztgb", "kqhykb", "cxxawb", "fevhcf", "code", "server", "registrar abuse", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city", "redmond tech", "samesitelax", "path", "httponly", "secure", "priorityhigh", "gmt contenttype", "contentlength", "connection", "cfray", "accept", "anycast", "wifi display", "android", "hdtv", "anycast og", "anything", "big screen", "mobileoptimized", "try shopify", "platform", "businesses", "shopify fb", "shopify og", "snapchat", "chat", "snaps", "a snap", "utc google", "adobe dynamic", "tag management", "amazon", "utc amazon", "utc facebook", "connect na", "analytics na", "tag manager", "gdlname", "miss", "drupal", "miss xtimer", "ve9 xcache", "miss date", "gmt link", "build", "home og", "cloudfront", "iad6", "kb body", "sha256", "aspen", "aspen one", "return", "transformed og", "aioseo", "site kit", "google", "file type", "name file", "html internet", "unicode text", "utf8 text" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 238, "URL": 367, "domain": 80, "hostname": 155, "FileHash-MD5": 115, "FileHash-SHA1": 105, "email": 5, "IPv4": 40, "SSLCertFingerprint": 4 }, "indicator_count": 1109, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ccd2f93b5cf1fa8fcb0810", "name": "VirusTotal report\n for index.html", "description": "The full text of the full report-to-gws, which was published on 1 April 2026, has been published online by the Csp website, following a request from the BBC>pretext .", "modified": "2026-04-01T08:41:56.177000", "created": "2026-04-01T08:10:33.232000", "tags": [ "self", "downlink rtt", "html document", "ascii text", "crlf line", "windows", "linux", "build web", "html", "javascript", "https", "acceptencoding", "cookie", "dynamic", "authorization", "contentmd5", "wp engine", "xmsedgeref ref", "bl2edge1520 ref", "expires sun", "gmt date", "gmt xcache", "tcphit", "gmt etag", "b8glwd", "afeap", "bmxagc", "e5bfse", "bgs6mb", "bjwmce", "ciztgb", "kqhykb", "cxxawb", "fevhcf", "code", "server", "registrar abuse", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city", "redmond tech", "samesitelax", "path", "httponly", "secure", "priorityhigh", "gmt contenttype", "contentlength", "connection", "cfray", "accept", "anycast", "wifi display", "android", "hdtv", "anycast og", "anything", "big screen", "mobileoptimized", "try shopify", "platform", "businesses", "shopify fb", "shopify og", "snapchat", "chat", "snaps", "a snap", "utc google", "adobe dynamic", "tag management", "amazon", "utc amazon", "utc facebook", "connect na", "analytics na", "tag manager", "gdlname", "miss", "drupal", "miss xtimer", "ve9 xcache", "miss date", "gmt link", "build", "home og", "cloudfront", "iad6", "kb body", "sha256", "aspen", "aspen one", "return", "transformed og", "aioseo", "site kit", "google", "file type", "name file", "html internet", "unicode text", "utf8 text" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 181, "URL": 262, "domain": 28, "hostname": 114, "FileHash-MD5": 105, "FileHash-SHA1": 93, "email": 3, "IPv4": 34 }, "indicator_count": 820, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698904c316bc7710b967d01d", "name": "Rare Tier 1 Persistence - Critical \"Patched\", Non Patched Vulnerabilities Remain bypassing Lockdown Mode", "description": "Researcher Note (Feb 08, 2026):\nThis artifact represents a sophisticated Cross-Protocol Mesh. Observations confirm that the Cymt/Nemucod wrapper is being utilized as a delivery vehicle for a Firmware-resident ELF binary (Mirai variant).\nThe persistence is notable for its ability to survive Full DFU Restores and Faraday-isolated states, likely due to JTAG-level interaction with the Power Management IC (Chip 4799). This is not a standard opportunistic infection; it is a targeted provisioning event leveraging IDMSA (Identity Management) bridges and Verizon/Akamai Edge infrastructure.\nThe integration with CalendarKit and Maps for geofenced execution suggests a highly coordinated surveillance objective. Forensic analysts should pay specific attention to the sizeofrawdata_antidbg anomalies, which indicate a focus on bypassing Apple Lockdown Mode and Secure Enclave. \nresearcher credit: msudoSOS", "modified": "2026-03-27T09:05:26.285000", "created": "2026-02-08T21:48:49.147000", "tags": [ "#supportsitewebsiteabuse #rootcertificatefailure #cryptographicf" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 909, "URL": 1779, "CVE": 126, "domain": 659, "email": 23, "JA3": 1, "FileHash-MD5": 230, "FileHash-SHA1": 227, "FileHash-SHA256": 934, "CIDR": 13 }, "indicator_count": 4901, "is_author": false, "is_subscribing": null, "subscriber_count": 54, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c1b4992eb5a2f6cbb21a84", "name": "CAPE Sandbox", "description": "", "modified": "2026-03-23T21:58:43.943000", "created": "2026-03-23T21:46:01.180000", "tags": [ "framework", "center", "xd569xb2c8xb2e4", "info", "script", "meta", "doctype html", "start", "cvtoken", "load cascade", "download", "title" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/dd4ad645e4b48357a235c4726dd4cdfb587786e83dab43ffdec7a886bd84faca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774302565&Signature=i3hu8ImkubNWQD0sfo%2FbTMU7d53GPblauQdlllGvYz%2BQ6%2BjM6VcEDa9avXTeSNEa6P9hQaE4hgc%2BwiAoHFC4mBNUG6vnOGHA3%2BY2WSKJxaEpDAdscTpC2psmNHDnnRacbWKvk0EjBetinhY7sMCUkeqX7kw525XsW%2BcBB9%2FwQ3aYdvUazDLWV6wR7ZAPu%2BYCu5vPuXdyoPiTU%2FkysyXQyKtwHiWQQGCWffoBVfbnYqEN" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 177, "FileHash-MD5": 178, "FileHash-SHA1": 89, "FileHash-SHA256": 127, "URL": 183, "domain": 77, "hostname": 275 }, "indicator_count": 1106, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "27 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6926228c245602830fd82fe5", "name": "hxxps://www[.]cloudflare[.]com/5xx-error-landing - 11.25.25", "description": "Cloudflare Abuse", "modified": "2025-12-25T21:00:52.783000", "created": "2025-11-25T21:41:32.156000", "tags": [ "sandbox", "static analyzer", "emulation", "analyzer", "url", "scanner", "reputation", "phishing", "malware", "cloudflare", "warning icon", "share report", "domain", "systems", "host", "amazon web", "services", "varnish", "onetrust", "error", "bunny", "write", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "online", "submit", "sample", "download", "platform", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "javascript", "ansi", "runtime data", "file string", "dumps", "varchar", "null", "integer default", "localappdata", "integer not", "license", "path", "date", "facebook", "close", "roboto", "meta", "title", "span", "body", "blink", "win64", "contact", "mexico", "protect", "enterprise", "project", "suspicious", "hybrid", "mendoza", "mini", "code", "galileo", "4629", "false", "media", "critical", "fast", "stream", "cloud", "click", "hosts", "dorv", "lion", "cascade", "august", "general", "strings", "malicious" ], "references": [ "https://app.threat.zone/submission/5b29d473-2767-440f-8f03-12e48c58fd29/url-analysis-report", "https://urlquery.net/report/4eec9c27-98f9-4826-96ee-3e02a77c3646", "https://www.filescan.io/uploads/69261defaf4aba3912d48f77/reports/ad684d0b-2509-498d-8ab4-3c67a075029f/ioc", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582", "https://www.virustotal.com/gui/url/72220e2a2e1b36610c2efcd3585aa08ba8021ad13891821e47bbfd1f26709128/details", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582/64ddb54ab6da189fe1047708" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 520, "FileHash-MD5": 136, "FileHash-SHA1": 82, "domain": 120, "hostname": 275, "FileHash-SHA256": 136, "email": 12 }, "indicator_count": 1281, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "115 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ef0516013ca78448bf4e5", "name": "Foundry \u2022 Reflected Networks Pornhub Malvertising Subsidiary", "description": "Foundry ? Pornhub\nsanfoundry.com\ncompliance.fifoundry.net- Pornhub subsidiary. Targets networks, devices, routers, used for promoting pornography and her music. Producer revealed her hooks were used for Justin Bieber & Tori Kelly songs that. A producer stated her songs had been grifted. Both Tsara Brashears & a studio were in Pegasus & attacked by \u2018Lazarus\u2019 Group. She was told in detail how her songs can be used by music insiders if they choose. Target trolled by mocking hackers re: the JB and Kelly song.. Trojan:Win32/DisableUAC.A!bit\n, MSIL:Suspicious:ScreenCapture.S01\nIDS Detections\nLokiBot Checkin\nLokiBot User-Agent (Charon/Inferno)\nLokiBot Application/Credential Data Exfiltration Detected M1\nLokiBot Request for C2 Commands Detected M1\nLokiBot Application/Credential Data Exfiltration Detected M2\nLokiBot Request for C2 Commands Detected M2\nTrojan Generic - POST To gate.php with no referer\nSSL excessive fatal alerts (possible POODLE attack against server)\nI will revisit this. Gloryhole Foundation?", "modified": "2025-09-02T04:01:31.218000", "created": "2025-08-03T05:14:57.402000", "tags": [ "united", "moved", "entries", "passive dns", "detected m1", "next associated", "mtb apr", "mtb aug", "server", "gmt content", "trojandropper", "trojan", "body", "lokibot request", "c2 commands", "detected m2", "otx telemetry", "historical otx", "twitter running", "open ports", "cves", "time", "dynamicloader", "port", "search", "show", "destination", "alerts", "copy", "dynamic", "medium", "write", "creation date", "hostmaster", "urls", "domain", "showing", "hostname add", "pulse pulses", "date", "flag", "falcon sandbox", "name server", "markmonitor", "analysis", "mitre att", "anonymous", "upgrade", "hybrid", "contact", "usa windows", "december", "input threat", "level analysis", "summary", "february", "hwp support", "january", "october", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "calls", "command", "javascript", "object model", "model", "windir", "json data", "localappdata", "ascii text", "temp", "getprocaddress", "script", "license", "runtime process", "copy md5", "facebook", "roboto", "error", "win64", "path", "blink", "meta", "factory", "general", "comspec", "click", "strings", "damage", "mini", "stop", "core", "expl", "win32", "gmt server", "ecacc saa83dd", "ipv4 add", "twitter", "cobalt strike", "mozilla" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 263, "FileHash-SHA1": 256, "FileHash-SHA256": 837, "hostname": 4415, "URL": 1918, "domain": 1884, "email": 2, "SSLCertFingerprint": 2 }, "indicator_count": 9577, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6807a1b73d7a8a363d18e37f", "name": "http://support.microsoft.com_kb_918915_content.html", "description": "https://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=f660c13f1676da8c2c4db3253e6ce31c0612dd64", "modified": "2025-04-22T14:26:17.409000", "created": "2025-04-22T14:03:35.464000", "tags": [ "sha1", "sha512", "ssd gboki", "sha256", "whasz", "typ pliku", "plik dokumentu", "v2 dokument", "rozmiar pliku", "cieka pliku", "rozmiar", "pe1551018c18", "pe158523323", "pe1570667c14", "pe156075027", "pe1554013c16", "pe1536917c15", "pe152678525", "pe1260007c13", "pe1247614c18", "pe104615223", "windows policy", "rurawkssvc c" ], "references": [ "https://uhf.microsoft.com/images/xbox/RW4ESm.png", "525dee9e2714fffc_e2c6cbaf0af08cf203ba74bf0d0ab6d5_cbdccbfe4f7a916411c1e69bdd97bb04", "Nazwa pliku 8358ba9553e8a65c_pl-pl-strona2[1]", "\u015acie\u017cka pliku c:\\u\u017cytkownicy\\admin\\appdata\\lokalny\\microsoft\\windows\\inetcache\\ie\\7h2qg6q3\\ie_logo[1]", "Nazwa pliku c487df0c6363b9c8_recoverystore.{5774b857-1f6f-11f0-9a9f-6c4b90457b65}.dat", "Nazwa pliku 22b4df5c33045b64_mwfmdl2-v3.54[1].woff", "Nazwa pliku f96f4ebb89b2a9b5_skrypt[1]", "Nazwa pliku a4cf9c20da583d60_ae-f1ac0c[1].css", "http://support.microsoft.com/kb/918915" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 23, "FileHash-SHA256": 34, "URL": 24 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709a384e3e8573cf5ecac4", "name": "v2 - kopat electronic door security with hybrid scan data", "description": "", "modified": "2023-12-06T15:58:48.938000", "created": "2023-12-06T15:58:48.938000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1569, "URL": 3824, "email": 8, "domain": 290, "hostname": 189, "FileHash-MD5": 576, "FileHash-SHA1": 52 }, "indicator_count": 6508, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "645932281e34157197d4cbe4", "name": "v2 - kopat electronic door security with hybrid scan data", "description": "", "modified": "2023-05-08T17:32:24.648000", "created": "2023-05-08T17:32:24.648000", "tags": [ "dropped file", "null", "varchar", "gecko", "pcap", "pcap processing", "win64", "khtml", "span", "cookie", "path", "mozi", "roboto", "class", "mozilla", "body", "form", "window", "accept", "meta", "iframe", "contact", "4629", "trim", "embed", "dwis", "test", "tear", "qakbot", "tecv", "1inb", "a3ob", "u9p10dkhttps", "windir", "openurl c", "l10dkhttps", "charset", "w6t2hm", "is6bi" ], "references": [ "https://www.hybrid-analysis.com/sample/5ea6b6bdf0a82359f7f73c6095b6c8891be485234e5544ef18a000136617a1b6/645767842cd19c9c560f0381" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3824, "hostname": 189, "domain": 290, "FileHash-SHA256": 1569, "email": 8, "IPv4": 27, "FileHash-MD5": 576, "FileHash-SHA1": 52 }, "indicator_count": 6535, "is_author": false, "is_subscribing": null, "subscriber_count": 95, "modified_text": "1077 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/dd4ad645e4b48357a235c4726dd4cdfb587786e83dab43ffdec7a886bd84faca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774302565&Signature=i3hu8ImkubNWQD0sfo%2FbTMU7d53GPblauQdlllGvYz%2BQ6%2BjM6VcEDa9avXTeSNEa6P9hQaE4hgc%2BwiAoHFC4mBNUG6vnOGHA3%2BY2WSKJxaEpDAdscTpC2psmNHDnnRacbWKvk0EjBetinhY7sMCUkeqX7kw525XsW%2BcBB9%2FwQ3aYdvUazDLWV6wR7ZAPu%2BYCu5vPuXdyoPiTU%2FkysyXQyKtwHiWQQGCWffoBVfbnYqEN", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582", "525dee9e2714fffc_e2c6cbaf0af08cf203ba74bf0d0ab6d5_cbdccbfe4f7a916411c1e69bdd97bb04", "https://urlquery.net/report/4eec9c27-98f9-4826-96ee-3e02a77c3646", "http://support.microsoft.com/kb/918915", "https://www.virustotal.com/gui/url/72220e2a2e1b36610c2efcd3585aa08ba8021ad13891821e47bbfd1f26709128/details", "\u015acie\u017cka pliku c:\\u\u017cytkownicy\\admin\\appdata\\lokalny\\microsoft\\windows\\inetcache\\ie\\7h2qg6q3\\ie_logo[1]", "https://www.filescan.io/uploads/69261defaf4aba3912d48f77/reports/ad684d0b-2509-498d-8ab4-3c67a075029f/ioc", "https://uhf.microsoft.com/images/xbox/RW4ESm.png", "https://www.hybrid-analysis.com/sample/5ea6b6bdf0a82359f7f73c6095b6c8891be485234e5544ef18a000136617a1b6/645767842cd19c9c560f0381", "Nazwa pliku f96f4ebb89b2a9b5_skrypt[1]", "Nazwa pliku 22b4df5c33045b64_mwfmdl2-v3.54[1].woff", "Nazwa pliku a4cf9c20da583d60_ae-f1ac0c[1].css", "Nazwa pliku 8358ba9553e8a65c_pl-pl-strona2[1]", "https://app.threat.zone/submission/5b29d473-2767-440f-8f03-12e48c58fd29/url-analysis-report", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582/64ddb54ab6da189fe1047708", "Nazwa pliku c487df0c6363b9c8_recoverystore.{5774b857-1f6f-11f0-9a9f-6c4b90457b65}.dat" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 22905 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/azure.com", "whois": "http://whois.domaintools.com/azure.com", "domain": "azure.com", "hostname": "js.monitor.azure.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "69ccd2f7984fad6feebb4ca4", "name": "VirusTotal report\n for index.html", "description": "The full text of the full report-to-gws, which was published on 1 April 2026, has been published online by the Csp website, following a request from the BBC>pretext .", "modified": "2026-04-01T08:44:36.825000", "created": "2026-04-01T08:10:31.621000", "tags": [ "self", "downlink rtt", "html document", "ascii text", "crlf line", "windows", "linux", "build web", "html", "javascript", "https", "acceptencoding", "cookie", "dynamic", "authorization", "contentmd5", "wp engine", "xmsedgeref ref", "bl2edge1520 ref", "expires sun", "gmt date", "gmt xcache", "tcphit", "gmt etag", "b8glwd", "afeap", "bmxagc", "e5bfse", "bgs6mb", "bjwmce", "ciztgb", "kqhykb", "cxxawb", "fevhcf", "code", "server", "registrar abuse", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city", "redmond tech", "samesitelax", "path", "httponly", "secure", "priorityhigh", "gmt contenttype", "contentlength", "connection", "cfray", "accept", "anycast", "wifi display", "android", "hdtv", "anycast og", "anything", "big screen", "mobileoptimized", "try shopify", "platform", "businesses", "shopify fb", "shopify og", "snapchat", "chat", "snaps", "a snap", "utc google", "adobe dynamic", "tag management", "amazon", "utc amazon", "utc facebook", "connect na", "analytics na", "tag manager", "gdlname", "miss", "drupal", "miss xtimer", "ve9 xcache", "miss date", "gmt link", "build", "home og", "cloudfront", "iad6", "kb body", "sha256", "aspen", "aspen one", "return", "transformed og", "aioseo", "site kit", "google", "file type", "name file", "html internet", "unicode text", "utf8 text" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 238, "URL": 367, "domain": 80, "hostname": 155, "FileHash-MD5": 115, "FileHash-SHA1": 105, "email": 5, "IPv4": 40, "SSLCertFingerprint": 4 }, "indicator_count": 1109, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ccd2f93b5cf1fa8fcb0810", "name": "VirusTotal report\n for index.html", "description": "The full text of the full report-to-gws, which was published on 1 April 2026, has been published online by the Csp website, following a request from the BBC>pretext .", "modified": "2026-04-01T08:41:56.177000", "created": "2026-04-01T08:10:33.232000", "tags": [ "self", "downlink rtt", "html document", "ascii text", "crlf line", "windows", "linux", "build web", "html", "javascript", "https", "acceptencoding", "cookie", "dynamic", "authorization", "contentmd5", "wp engine", "xmsedgeref ref", "bl2edge1520 ref", "expires sun", "gmt date", "gmt xcache", "tcphit", "gmt etag", "b8glwd", "afeap", "bmxagc", "e5bfse", "bgs6mb", "bjwmce", "ciztgb", "kqhykb", "cxxawb", "fevhcf", "code", "server", "registrar abuse", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city", "redmond tech", "samesitelax", "path", "httponly", "secure", "priorityhigh", "gmt contenttype", "contentlength", "connection", "cfray", "accept", "anycast", "wifi display", "android", "hdtv", "anycast og", "anything", "big screen", "mobileoptimized", "try shopify", "platform", "businesses", "shopify fb", "shopify og", "snapchat", "chat", "snaps", "a snap", "utc google", "adobe dynamic", "tag management", "amazon", "utc amazon", "utc facebook", "connect na", "analytics na", "tag manager", "gdlname", "miss", "drupal", "miss xtimer", "ve9 xcache", "miss date", "gmt link", "build", "home og", "cloudfront", "iad6", "kb body", "sha256", "aspen", "aspen one", "return", "transformed og", "aioseo", "site kit", "google", "file type", "name file", "html internet", "unicode text", "utf8 text" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 181, "URL": 262, "domain": 28, "hostname": 114, "FileHash-MD5": 105, "FileHash-SHA1": 93, "email": 3, "IPv4": 34 }, "indicator_count": 820, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698904c316bc7710b967d01d", "name": "Rare Tier 1 Persistence - Critical \"Patched\", Non Patched Vulnerabilities Remain bypassing Lockdown Mode", "description": "Researcher Note (Feb 08, 2026):\nThis artifact represents a sophisticated Cross-Protocol Mesh. Observations confirm that the Cymt/Nemucod wrapper is being utilized as a delivery vehicle for a Firmware-resident ELF binary (Mirai variant).\nThe persistence is notable for its ability to survive Full DFU Restores and Faraday-isolated states, likely due to JTAG-level interaction with the Power Management IC (Chip 4799). This is not a standard opportunistic infection; it is a targeted provisioning event leveraging IDMSA (Identity Management) bridges and Verizon/Akamai Edge infrastructure.\nThe integration with CalendarKit and Maps for geofenced execution suggests a highly coordinated surveillance objective. Forensic analysts should pay specific attention to the sizeofrawdata_antidbg anomalies, which indicate a focus on bypassing Apple Lockdown Mode and Secure Enclave. \nresearcher credit: msudoSOS", "modified": "2026-03-27T09:05:26.285000", "created": "2026-02-08T21:48:49.147000", "tags": [ "#supportsitewebsiteabuse #rootcertificatefailure #cryptographicf" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 909, "URL": 1779, "CVE": 126, "domain": 659, "email": 23, "JA3": 1, "FileHash-MD5": 230, "FileHash-SHA1": 227, "FileHash-SHA256": 934, "CIDR": 13 }, "indicator_count": 4901, "is_author": false, "is_subscribing": null, "subscriber_count": 54, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c1b4992eb5a2f6cbb21a84", "name": "CAPE Sandbox", "description": "", "modified": "2026-03-23T21:58:43.943000", "created": "2026-03-23T21:46:01.180000", "tags": [ "framework", "center", "xd569xb2c8xb2e4", "info", "script", "meta", "doctype html", "start", "cvtoken", "load cascade", "download", "title" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/dd4ad645e4b48357a235c4726dd4cdfb587786e83dab43ffdec7a886bd84faca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774302565&Signature=i3hu8ImkubNWQD0sfo%2FbTMU7d53GPblauQdlllGvYz%2BQ6%2BjM6VcEDa9avXTeSNEa6P9hQaE4hgc%2BwiAoHFC4mBNUG6vnOGHA3%2BY2WSKJxaEpDAdscTpC2psmNHDnnRacbWKvk0EjBetinhY7sMCUkeqX7kw525XsW%2BcBB9%2FwQ3aYdvUazDLWV6wR7ZAPu%2BYCu5vPuXdyoPiTU%2FkysyXQyKtwHiWQQGCWffoBVfbnYqEN" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 177, "FileHash-MD5": 178, "FileHash-SHA1": 89, "FileHash-SHA256": 127, "URL": 183, "domain": 77, "hostname": 275 }, "indicator_count": 1106, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "27 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6926228c245602830fd82fe5", "name": "hxxps://www[.]cloudflare[.]com/5xx-error-landing - 11.25.25", "description": "Cloudflare Abuse", "modified": "2025-12-25T21:00:52.783000", "created": "2025-11-25T21:41:32.156000", "tags": [ "sandbox", "static analyzer", "emulation", "analyzer", "url", "scanner", "reputation", "phishing", "malware", "cloudflare", "warning icon", "share report", "domain", "systems", "host", "amazon web", "services", "varnish", "onetrust", "error", "bunny", "write", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "online", "submit", "sample", "download", "platform", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "javascript", "ansi", "runtime data", "file string", "dumps", "varchar", "null", "integer default", "localappdata", "integer not", "license", "path", "date", "facebook", "close", "roboto", "meta", "title", "span", "body", "blink", "win64", "contact", "mexico", "protect", "enterprise", "project", "suspicious", "hybrid", "mendoza", "mini", "code", "galileo", "4629", "false", "media", "critical", "fast", "stream", "cloud", "click", "hosts", "dorv", "lion", "cascade", "august", "general", "strings", "malicious" ], "references": [ "https://app.threat.zone/submission/5b29d473-2767-440f-8f03-12e48c58fd29/url-analysis-report", "https://urlquery.net/report/4eec9c27-98f9-4826-96ee-3e02a77c3646", "https://www.filescan.io/uploads/69261defaf4aba3912d48f77/reports/ad684d0b-2509-498d-8ab4-3c67a075029f/ioc", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582", "https://www.virustotal.com/gui/url/72220e2a2e1b36610c2efcd3585aa08ba8021ad13891821e47bbfd1f26709128/details", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582/64ddb54ab6da189fe1047708" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 520, "FileHash-MD5": 136, "FileHash-SHA1": 82, "domain": 120, "hostname": 275, "FileHash-SHA256": 136, "email": 12 }, "indicator_count": 1281, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "115 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ef0516013ca78448bf4e5", "name": "Foundry \u2022 Reflected Networks Pornhub Malvertising Subsidiary", "description": "Foundry ? Pornhub\nsanfoundry.com\ncompliance.fifoundry.net- Pornhub subsidiary. Targets networks, devices, routers, used for promoting pornography and her music. Producer revealed her hooks were used for Justin Bieber & Tori Kelly songs that. A producer stated her songs had been grifted. Both Tsara Brashears & a studio were in Pegasus & attacked by \u2018Lazarus\u2019 Group. She was told in detail how her songs can be used by music insiders if they choose. Target trolled by mocking hackers re: the JB and Kelly song.. Trojan:Win32/DisableUAC.A!bit\n, MSIL:Suspicious:ScreenCapture.S01\nIDS Detections\nLokiBot Checkin\nLokiBot User-Agent (Charon/Inferno)\nLokiBot Application/Credential Data Exfiltration Detected M1\nLokiBot Request for C2 Commands Detected M1\nLokiBot Application/Credential Data Exfiltration Detected M2\nLokiBot Request for C2 Commands Detected M2\nTrojan Generic - POST To gate.php with no referer\nSSL excessive fatal alerts (possible POODLE attack against server)\nI will revisit this. Gloryhole Foundation?", "modified": "2025-09-02T04:01:31.218000", "created": "2025-08-03T05:14:57.402000", "tags": [ "united", "moved", "entries", "passive dns", "detected m1", "next associated", "mtb apr", "mtb aug", "server", "gmt content", "trojandropper", "trojan", "body", "lokibot request", "c2 commands", "detected m2", "otx telemetry", "historical otx", "twitter running", "open ports", "cves", "time", "dynamicloader", "port", "search", "show", "destination", "alerts", "copy", "dynamic", "medium", "write", "creation date", "hostmaster", "urls", "domain", "showing", "hostname add", "pulse pulses", "date", "flag", "falcon sandbox", "name server", "markmonitor", "analysis", "mitre att", "anonymous", "upgrade", "hybrid", "contact", "usa windows", "december", "input threat", "level analysis", "summary", "february", "hwp support", "january", "october", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "calls", "command", "javascript", "object model", "model", "windir", "json data", "localappdata", "ascii text", "temp", "getprocaddress", "script", "license", "runtime process", "copy md5", "facebook", "roboto", "error", "win64", "path", "blink", "meta", "factory", "general", "comspec", "click", "strings", "damage", "mini", "stop", "core", "expl", "win32", "gmt server", "ecacc saa83dd", "ipv4 add", "twitter", "cobalt strike", "mozilla" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 263, "FileHash-SHA1": 256, "FileHash-SHA256": 837, "hostname": 4415, "URL": 1918, "domain": 1884, "email": 2, "SSLCertFingerprint": 2 }, "indicator_count": 9577, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6807a1b73d7a8a363d18e37f", "name": "http://support.microsoft.com_kb_918915_content.html", "description": "https://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=f660c13f1676da8c2c4db3253e6ce31c0612dd64", "modified": "2025-04-22T14:26:17.409000", "created": "2025-04-22T14:03:35.464000", "tags": [ "sha1", "sha512", "ssd gboki", "sha256", "whasz", "typ pliku", "plik dokumentu", "v2 dokument", "rozmiar pliku", "cieka pliku", "rozmiar", "pe1551018c18", "pe158523323", "pe1570667c14", "pe156075027", "pe1554013c16", "pe1536917c15", "pe152678525", "pe1260007c13", "pe1247614c18", "pe104615223", "windows policy", "rurawkssvc c" ], "references": [ "https://uhf.microsoft.com/images/xbox/RW4ESm.png", "525dee9e2714fffc_e2c6cbaf0af08cf203ba74bf0d0ab6d5_cbdccbfe4f7a916411c1e69bdd97bb04", "Nazwa pliku 8358ba9553e8a65c_pl-pl-strona2[1]", "\u015acie\u017cka pliku c:\\u\u017cytkownicy\\admin\\appdata\\lokalny\\microsoft\\windows\\inetcache\\ie\\7h2qg6q3\\ie_logo[1]", "Nazwa pliku c487df0c6363b9c8_recoverystore.{5774b857-1f6f-11f0-9a9f-6c4b90457b65}.dat", "Nazwa pliku 22b4df5c33045b64_mwfmdl2-v3.54[1].woff", "Nazwa pliku f96f4ebb89b2a9b5_skrypt[1]", "Nazwa pliku a4cf9c20da583d60_ae-f1ac0c[1].css", "http://support.microsoft.com/kb/918915" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 23, "FileHash-SHA256": 34, "URL": 24 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709a384e3e8573cf5ecac4", "name": "v2 - kopat electronic door security with hybrid scan data", "description": "", "modified": "2023-12-06T15:58:48.938000", "created": "2023-12-06T15:58:48.938000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1569, "URL": 3824, "email": 8, "domain": 290, "hostname": 189, "FileHash-MD5": 576, "FileHash-SHA1": 52 }, "indicator_count": 6508, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "645932281e34157197d4cbe4", "name": "v2 - kopat electronic door security with hybrid scan data", "description": "", "modified": "2023-05-08T17:32:24.648000", "created": "2023-05-08T17:32:24.648000", "tags": [ "dropped file", "null", "varchar", "gecko", "pcap", "pcap processing", "win64", "khtml", "span", "cookie", "path", "mozi", "roboto", "class", "mozilla", "body", "form", "window", "accept", "meta", "iframe", "contact", "4629", "trim", "embed", "dwis", "test", "tear", "qakbot", "tecv", "1inb", "a3ob", "u9p10dkhttps", "windir", "openurl c", "l10dkhttps", "charset", "w6t2hm", "is6bi" ], "references": [ "https://www.hybrid-analysis.com/sample/5ea6b6bdf0a82359f7f73c6095b6c8891be485234e5544ef18a000136617a1b6/645767842cd19c9c560f0381" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3824, "hostname": 189, "domain": 290, "FileHash-SHA256": 1569, "email": 8, "IPv4": 27, "FileHash-MD5": 576, "FileHash-SHA1": 52 }, "indicator_count": 6535, "is_author": false, "is_subscribing": null, "subscriber_count": 95, "modified_text": "1077 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://js.monitor.azure.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://js.monitor.azure.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776637449.6967237 }