{ "type": "URL", "indicator": "https://js.sparkloop.app/team", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://js.sparkloop.app/team", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4130520644, "indicator": "https://js.sparkloop.app/team", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69519fa81048ad057eb9beaa", "name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)", "description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. | \nWhere does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.", "modified": "2026-01-27T21:02:45.343000", "created": "2025-12-28T21:22:48.595000", "tags": [ "united", "servers", "moved", "ip address", "record value", "encrypt", "present jul", "present jun", "trojandropper", "passive dns", "ipv4 add", "urls", "files", "virtool", "united states", "dynamicloader", "directui", "element", "classinfobase", "write c", "medium", "yara rule", "msvisualbasic60", "high", "hwndelement", "explorer", "write", "movie", "insert", "program", "python", "http traffic", "trojan generic", "search", "cnc activity", "delphi", "win32", "launcher", "pony", "fareit", "malware", "push", "msie", "windows nt", "generic", "checkin", "post", "yara detections", "rxr", "inject", "memcommit", "cryptexportkey", "invalid pointer", "regsetvalueexa", "solutions ltd", "read c", "regdword", "mozilla", "persistence", "execution", "android", "unknown", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "initial access", "defense evasion", "spawns", "t1590 gather", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "pattern match", "mitre att", "ck matrix", "href", "ascii text", "starfield", "hybrid", "general", "local", "path", "iframe", "palantir", "present nov", "present oct", "status", "present apr", "present dec", "cryp", "date", "trojan", "title", "name servers", "windows", "t1060", "disables proxy", "dock", "pegasus", "rootkit", "backdoor", "susp", "win32qqpass feb", "worm", "msr win32", "win64", "process32nextw", "findwindowa", "file execution", "writeconsolea", "procexpl", "file v2", "document", "document file", "v2 document", "lost", "tools", "pecompact", "media", "autorun", "service", "post http", "delete", "alerts", "emotet", "rkt", "autorun", "worm", "plugins", "title error", "body doctype", "html public", "w3cdtd html", "html head", "domain", "expiration date", "hostname add", "pulse pulses", "contacted hosts", "sha1", "sha256", "show technique", "strings", "t1480 execution", "signing defense", "script urls", "a domains", "unknown ns", "texas flyover", "script domains", "script script", "meta", "window", "process details", "contacted" ], "references": [ "Cart.Guru", "Yara Detections: Delphi", "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer", "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer", "HTTP traffic on port 443 (POST)", "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query", "Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs", "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http", "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates", "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http", "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe", "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check", "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad", "Yara Detections: Nullsoft_NSIS ...", "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat", "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com", "Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103", "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx", "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy", "Emotet IDS Detections: Win32/Emotet CnC Checkin Response", "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users" ], "public": 1, "adversary": "Palantir Pegasus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RXR", "display_name": "RXR", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Bagsu!rfn", "display_name": "Trojan:Win32/Bagsu!rfn", "target": "/malware/Trojan:Win32/Bagsu!rfn" }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "#Lowfi:Win32/SandboxProductId", "display_name": "#Lowfi:Win32/SandboxProductId", "target": "/malware/#Lowfi:Win32/SandboxProductId" }, { "id": "Win32:Backdoor", "display_name": "Win32:Backdoor", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "ALF:Trojan:MSIL/BlackFus.C", "display_name": "ALF:Trojan:MSIL/BlackFus.C", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "TrojanProxy:Win32/Ceutv.A", "display_name": "TrojanProxy:Win32/Ceutv.A", "target": "/malware/TrojanProxy:Win32/Ceutv.A" }, { "id": "VirTool:Win32/Obfuscator.AHU", "display_name": "VirTool:Win32/Obfuscator.AHU", "target": "/malware/VirTool:Win32/Obfuscator.AHU" }, { "id": "ShellCode", "display_name": "ShellCode", "target": null }, { "id": "Win32:Rootkit", "display_name": "Win32:Rootkit", "target": null }, { "id": "VB Flash", "display_name": "VB Flash", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Win.Packed.Razy-6847895-0", "display_name": "Win.Packed.Razy-6847895-0", "target": null }, { "id": "Backdoor:Win32/Plugx.N!", "display_name": "Backdoor:Win32/Plugx.N!", "target": "/malware/Backdoor:Win32/Plugx.N!" }, { "id": "Win.Dropper.QQpass-7194329-0", "display_name": "Win.Dropper.QQpass-7194329-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win32:Agent", "display_name": "Win32:Agent", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "Win.Trojan.Emotet-7545664-0", "display_name": "Win.Trojan.Emotet-7545664-0", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2362, "domain": 449, "hostname": 710, "email": 6, "FileHash-MD5": 260, "FileHash-SHA1": 201, "FileHash-SHA256": 333, "SSLCertFingerprint": 27 }, "indicator_count": 4348, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "82 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69519fa818f84531ce6becc9", "name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)", "description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. Where does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.", "modified": "2026-01-27T21:02:45.343000", "created": "2025-12-28T21:22:48.383000", "tags": [ "united", "servers", "moved", "ip address", "record value", "encrypt", "present jul", "present jun", "trojandropper", "passive dns", "ipv4 add", "urls", "files", "virtool", "united states", "dynamicloader", "directui", "element", "classinfobase", "write c", "medium", "yara rule", "msvisualbasic60", "high", "hwndelement", "explorer", "write", "movie", "insert", "program", "python", "http traffic", "trojan generic", "search", "cnc activity", "delphi", "win32", "launcher", "pony", "fareit", "malware", "push", "msie", "windows nt", "generic", "checkin", "post", "yara detections", "rxr", "inject", "memcommit", "cryptexportkey", "invalid pointer", "regsetvalueexa", "solutions ltd", "read c", "regdword", "mozilla", "persistence", "execution", "android", "unknown", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "initial access", "defense evasion", "spawns", "t1590 gather", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "pattern match", "mitre att", "ck matrix", "href", "ascii text", "starfield", "hybrid", "general", "local", "path", "iframe", "palantir", "present nov", "present oct", "status", "present apr", "present dec", "cryp", "date", "trojan", "title", "name servers", "windows", "t1060", "disables proxy", "dock", "pegasus", "rootkit", "backdoor", "susp", "win32qqpass feb", "worm", "msr win32", "win64", "process32nextw", "findwindowa", "file execution", "writeconsolea", "procexpl", "file v2", "document", "document file", "v2 document", "lost", "tools", "pecompact", "media", "autorun", "service", "post http", "delete", "alerts", "emotet", "rkt", "autorun", "worm", "plugins", "title error", "body doctype", "html public", "w3cdtd html", "html head", "domain", "expiration date", "hostname add", "pulse pulses", "contacted hosts", "sha1", "sha256", "show technique", "strings", "t1480 execution", "signing defense", "script urls", "a domains", "unknown ns", "texas flyover", "script domains", "script script", "meta", "window", "process details", "contacted" ], "references": [ "Cart.Guru", "Yara Detections: Delphi", "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer", "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer", "HTTP traffic on port 443 (POST)", "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query", "Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs", "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http", "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates", "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http", "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe", "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check", "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad", "Yara Detections: Nullsoft_NSIS ...", "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat", "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com", "Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103", "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx", "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy", "Emotet IDS Detections: Win32/Emotet CnC Checkin Response", "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users" ], "public": 1, "adversary": "Palantir Pegasus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RXR", "display_name": "RXR", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Bagsu!rfn", "display_name": "Trojan:Win32/Bagsu!rfn", "target": "/malware/Trojan:Win32/Bagsu!rfn" }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "#Lowfi:Win32/SandboxProductId", "display_name": "#Lowfi:Win32/SandboxProductId", "target": "/malware/#Lowfi:Win32/SandboxProductId" }, { "id": "Win32:Backdoor", "display_name": "Win32:Backdoor", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "ALF:Trojan:MSIL/BlackFus.C", "display_name": "ALF:Trojan:MSIL/BlackFus.C", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "TrojanProxy:Win32/Ceutv.A", "display_name": "TrojanProxy:Win32/Ceutv.A", "target": "/malware/TrojanProxy:Win32/Ceutv.A" }, { "id": "VirTool:Win32/Obfuscator.AHU", "display_name": "VirTool:Win32/Obfuscator.AHU", "target": "/malware/VirTool:Win32/Obfuscator.AHU" }, { "id": "ShellCode", "display_name": "ShellCode", "target": null }, { "id": "Win32:Rootkit", "display_name": "Win32:Rootkit", "target": null }, { "id": "VB Flash", "display_name": "VB Flash", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Win.Packed.Razy-6847895-0", "display_name": "Win.Packed.Razy-6847895-0", "target": null }, { "id": "Backdoor:Win32/Plugx.N!", "display_name": "Backdoor:Win32/Plugx.N!", "target": "/malware/Backdoor:Win32/Plugx.N!" }, { "id": "Win.Dropper.QQpass-7194329-0", "display_name": "Win.Dropper.QQpass-7194329-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win32:Agent", "display_name": "Win32:Agent", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "Win.Trojan.Emotet-7545664-0", "display_name": "Win.Trojan.Emotet-7545664-0", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2362, "domain": 449, "hostname": 710, "email": 6, "FileHash-MD5": 260, "FileHash-SHA1": 201, "FileHash-SHA256": 333, "SSLCertFingerprint": 27 }, "indicator_count": 4348, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "82 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68eff833ed84ceaf611521d2", "name": "Tucker Carlson | AutInject \u2022 Zbot \u2022 CoinMiner \u2022 Zombie \u2022 Qbot affects his YouTube Channel (9.14.2025) ", "description": "", "modified": "2025-10-15T19:38:27.739000", "created": "2025-10-15T19:38:27.739000", "tags": [ "resolved ips", "parent pid", "full path", "command line", "cname", "ip address", "port", "involved direct", "country name", "nxdomain", "tcp connections", "udp connections", "data", "datacrashpad", "edge", "passive dns", "origin trial", "gmt cache", "sameorigin", "443 ma2592000", "ipv4 add", "files", "title", "date", "found", "gmt content", "hostname", "verdict", "error", "code", "present aug", "present sep", "aaaa", "search", "domain", "present apr", "present jun", "address google", "safe browsing", "present oct", "match info", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "match medium", "icmp traffic", "port t1571", "info", "c0002 wininet", "flag", "markmonitor", "domain address", "contacted hosts", "process details", "size", "iend ihdridatx", "qrmf", "qkdi", "qiyay", "kjtn8", "r0x3", "ihdridatx", "yg6qp", "kkrz", "t6 ex", "click", "windir", "openurl c", "prefetch2", "data upload", "extraction", "failed", "please", "your browser", "learn", "opera mozilla", "firefox google", "chrome remind", "privacy policy", "safety", "google llc", "youtube", "mozilla firefox", "safari google", "edge opera", "browse youtube", "file", "indicator", "pattern match", "ascii text", "ck id", "ck matrix", "href", "general", "local", "path", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "files domain", "files related", "related tags", "registrar", "files ip", "asn as15169", "address domain", "ip whois", "service address", "po box", "city hayes", "country gb", "dnssec", "domain name", "emails", "script urls", "a domains", "texas flyover", "script domains", "script script", "trojan", "meta", "window", "msie", "chrome", "twitter", "unknown aaaa", "record value", "content type", "united states", "dynamicloader", "medium", "write c", "high", "show", "digicert", "olet", "encrypt", "win64", "responder", "write", "next", "unknown", "install", "dummy", "entries", "displayname", "windows", "united", "tofsee", "copy", "stream", "malware", "hostile", "body", "hostile client", "apollo", "jaik", "code overlap", "sri lanka", "pintuck sri", "lanka", "unknown ns", "moved", "buy apparal", "win32", "trojandropper", "virtool", "susp", "ipv4", "pulse pulses", "urls", "reverse dns", "location united", "installer" ], "references": [ "https://www.youtube.com/watch?v=5KmpT-BoVf4", "https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4", "critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade", "http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net", "canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com", "docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com", "ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net", "malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf", "IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -", "Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login", "Yara Detections: RansomWin32Apollo \u2022 216.239.32.27" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Malware + Code Overlap", "display_name": "Malware + Code Overlap", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Trojandownloader:Win32/Upatre", "display_name": "Trojandownloader:Win32/Upatre", "target": "/malware/Trojandownloader:Win32/Upatre" }, { "id": "Trojan:BAT/Musecador", "display_name": "Trojan:BAT/Musecador", "target": "/malware/Trojan:BAT/Musecador" }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "Bancos", "display_name": "Bancos", "target": null }, { "id": "Hematite", "display_name": "Hematite", "target": null }, { "id": "Trojanspy:Win32/Banker.LY", "display_name": "Trojanspy:Win32/Banker.LY", "target": "/malware/Trojanspy:Win32/Banker.LY" }, { "id": "Trojan:Win32/Vflooder!rfn", "display_name": "Trojan:Win32/Vflooder!rfn", "target": "/malware/Trojan:Win32/Vflooder!rfn" }, { "id": "Win32:MalwareX", "display_name": "Win32:MalwareX", "target": null }, { "id": "Malwarex", "display_name": "Malwarex", "target": null }, { "id": "Virtool:Win32/CeeInject.AKZ!bit", "display_name": "Virtool:Win32/CeeInject.AKZ!bit", "target": "/malware/Virtool:Win32/CeeInject.AKZ!bit" }, { "id": "Win32:Dropper", "display_name": "Win32:Dropper", "target": null }, { "id": "Ymacco", "display_name": "Ymacco", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Trojandownloader:Win32/Upatre.A", "display_name": "Trojandownloader:Win32/Upatre.A", "target": "/malware/Trojandownloader:Win32/Upatre.A" }, { "id": "Win32:Evo", "display_name": "Win32:Evo", "target": null }, { "id": "Trojandropper:Win32/BcryptInject.B!MSR", "display_name": "Trojandropper:Win32/BcryptInject.B!MSR", "target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR" }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": "Win32:Cleaman-K\\ [Trj]", "display_name": "Win32:Cleaman-K\\ [Trj]", "target": null }, { "id": "Asacky", "display_name": "Asacky", "target": null }, { "id": "Backdoor:Win32/Plugx.N!dha", "display_name": "Backdoor:Win32/Plugx.N!dha", "target": "/malware/Backdoor:Win32/Plugx.N!dha" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [ "Media" ], "TLP": "white", "cloned_from": "68c73fbd85dfbb4d41006ad1", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4746, "hostname": 1829, "domain": 913, "FileHash-MD5": 249, "FileHash-SHA1": 213, "FileHash-SHA256": 1765, "email": 3, "SSLCertFingerprint": 17 }, "indicator_count": 9735, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "186 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c73fbd85dfbb4d41006ad1", "name": "Tucker Carlson Sam Altman YouTube Interview \u2022 Qbot | Malware with. Code Overlap", "description": "Maybe it\u2019s a network issue. The TV I viewed interview from is in Arabic the every time. It\u2019s not\nmy\ntelevision or network, didn\u2019t get link from a logged in YouTube. Not a subscriber.. I viewed using (cc) close captioning. It\u2019s the only program n YouTube using another language for this interview. The only reason I\u2019ve visited this interview several time\u2019s since it\u2019s aired is to check for the same results. Every time only this interview uses another language for (cc).\n\nThere are related pulses by a few different users, experiencing similar personal issues. I\u2019d assume I\u2019d always get these results. Unclear\n\n* At the end of interview Tucker Carlson states YouTube is trying to suppress or delete this one interview.", "modified": "2025-10-14T22:26:18.109000", "created": "2025-09-14T22:20:45.617000", "tags": [ "resolved ips", "parent pid", "full path", "command line", "cname", "ip address", "port", "involved direct", "country name", "nxdomain", "tcp connections", "udp connections", "data", "datacrashpad", "edge", "passive dns", "origin trial", "gmt cache", "sameorigin", "443 ma2592000", "ipv4 add", "files", "title", "date", "found", "gmt content", "hostname", "verdict", "error", "code", "present aug", "present sep", "aaaa", "search", "domain", "present apr", "present jun", "address google", "safe browsing", "present oct", "match info", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "match medium", "icmp traffic", "port t1571", "info", "c0002 wininet", "flag", "markmonitor", "domain address", "contacted hosts", "process details", "size", "iend ihdridatx", "qrmf", "qkdi", "qiyay", "kjtn8", "r0x3", "ihdridatx", "yg6qp", "kkrz", "t6 ex", "click", "windir", "openurl c", "prefetch2", "data upload", "extraction", "failed", "please", "your browser", "learn", "opera mozilla", "firefox google", "chrome remind", "privacy policy", "safety", "google llc", "youtube", "mozilla firefox", "safari google", "edge opera", "browse youtube", "file", "indicator", "pattern match", "ascii text", "ck id", "ck matrix", "href", "general", "local", "path", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "files domain", "files related", "related tags", "registrar", "files ip", "asn as15169", "address domain", "ip whois", "service address", "po box", "city hayes", "country gb", "dnssec", "domain name", "emails", "script urls", "a domains", "texas flyover", "script domains", "script script", "trojan", "meta", "window", "msie", "chrome", "twitter", "unknown aaaa", "record value", "content type", "united states", "dynamicloader", "medium", "write c", "high", "show", "digicert", "olet", "encrypt", "win64", "responder", "write", "next", "unknown", "install", "dummy", "entries", "displayname", "windows", "united", "tofsee", "copy", "stream", "malware", "hostile", "body", "hostile client", "apollo", "jaik", "code overlap", "sri lanka", "pintuck sri", "lanka", "unknown ns", "moved", "buy apparal", "win32", "trojandropper", "virtool", "susp", "ipv4", "pulse pulses", "urls", "reverse dns", "location united", "installer" ], "references": [ "https://www.youtube.com/watch?v=5KmpT-BoVf4", "https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4", "critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade", "http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net", "canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com", "docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com", "ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net", "malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf", "IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -", "Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login", "Yara Detections: RansomWin32Apollo \u2022 216.239.32.27" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Malware + Code Overlap", "display_name": "Malware + Code Overlap", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Trojandownloader:Win32/Upatre", "display_name": "Trojandownloader:Win32/Upatre", "target": "/malware/Trojandownloader:Win32/Upatre" }, { "id": "Trojan:BAT/Musecador", "display_name": "Trojan:BAT/Musecador", "target": "/malware/Trojan:BAT/Musecador" }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "Bancos", "display_name": "Bancos", "target": null }, { "id": "Hematite", "display_name": "Hematite", "target": null }, { "id": "Trojanspy:Win32/Banker.LY", "display_name": "Trojanspy:Win32/Banker.LY", "target": "/malware/Trojanspy:Win32/Banker.LY" }, { "id": "Trojan:Win32/Vflooder!rfn", "display_name": "Trojan:Win32/Vflooder!rfn", "target": "/malware/Trojan:Win32/Vflooder!rfn" }, { "id": "Win32:MalwareX", "display_name": "Win32:MalwareX", "target": null }, { "id": "Malwarex", "display_name": "Malwarex", "target": null }, { "id": "Virtool:Win32/CeeInject.AKZ!bit", "display_name": "Virtool:Win32/CeeInject.AKZ!bit", "target": "/malware/Virtool:Win32/CeeInject.AKZ!bit" }, { "id": "Win32:Dropper", "display_name": "Win32:Dropper", "target": null }, { "id": "Ymacco", "display_name": "Ymacco", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Trojandownloader:Win32/Upatre.A", "display_name": "Trojandownloader:Win32/Upatre.A", "target": "/malware/Trojandownloader:Win32/Upatre.A" }, { "id": "Win32:Evo", "display_name": "Win32:Evo", "target": null }, { "id": "Trojandropper:Win32/BcryptInject.B!MSR", "display_name": "Trojandropper:Win32/BcryptInject.B!MSR", "target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR" }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": "Win32:Cleaman-K\\ [Trj]", "display_name": "Win32:Cleaman-K\\ [Trj]", "target": null }, { "id": "Asacky", "display_name": "Asacky", "target": null }, { "id": "Backdoor:Win32/Plugx.N!dha", "display_name": "Backdoor:Win32/Plugx.N!dha", "target": "/malware/Backdoor:Win32/Plugx.N!dha" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [ "Media" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4746, "hostname": 1829, "domain": 913, "FileHash-MD5": 249, "FileHash-SHA1": 213, "FileHash-SHA256": 1765, "email": 3, "SSLCertFingerprint": 17 }, "indicator_count": 9735, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx", "https://www.youtube.com/watch?v=5KmpT-BoVf4", "ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net", "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat", "HTTP traffic on port 443 (POST)", "Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103", "IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -", "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy", "Emotet IDS Detections: Win32/Emotet CnC Checkin Response", "canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com", "Cart.Guru", "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer", "Yara Detections: RansomWin32Apollo \u2022 216.239.32.27", "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com", "Yara Detections: Nullsoft_NSIS ...", "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users", "malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf", "Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs", "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http", "Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login", "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query", "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer", "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad", "http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net", "critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade", "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe", "docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com", "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http", "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check", "Yara Detections: Delphi", "https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4", "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Palantir Pegasus" ], "malware_families": [ "Trojandownloader:win32/upatre.a", "Tofsee", "Virtool:win32/ceeinject.akz!bit", "Trojandropper:win32/bcryptinject.b!msr", "Trojanproxy:win32/ceutv.a", "Win32:malwarex", "Trojan:win32/qqpass", "Alf:trojan:msil/blackfus.c", "Win32:rootkit", "Win32:evo", "Trojan:bat/musecador", "Win.malware.jaik-9968280-0", "Trojan:win32/qbot.r!mtb", "Win32:evo-gen\\ [susp]", "Win.trojan.agent", "Backdoor:win32/plugx.n!dha", "Trojanspy:win32/banker.ly", "Win32:malware", "Vb flash", "Trojandownloader:win32/upatre", "Trojan:win32/vflooder!rfn", "Win32:trojanx-gen\\ [trj]", "Ymacco", "Rxr", "#lowfienabledtcontinueafterunpacking", "Trojandownloader:win32/cutwail", "Hematite", "Pony", "Bancos", "Win32:backdoor", "Pegasus", "#lowfi:win32/sandboxproductid", "Virtool:win32/obfuscator.ahu", "Win.packed.razy-6847895-0", "Backdoor:win32/plugx.n!", "Upatre", "Asacky", "Win32:malob-bx\\ [cryp]", "Win.trojan.emotet-7545664-0", "Shellcode", "Trojan:win32/bagsu!rfn", "Virtool:win32/obfuscator", "Win32:dropper", "Malware + code overlap", "Win32:trojan", "Win32:cleaman-k\\ [trj]", "Pegasus - mob-s0005", "Win.dropper.qqpass-7194329-0", "Malwarex", "Win32:agent", "Worm:win32/autorun" ], "industries": [ "Media" ], "unique_indicators": 14332 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/sparkloop.app", "whois": "http://whois.domaintools.com/sparkloop.app", "domain": "sparkloop.app", "hostname": "js.sparkloop.app" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69519fa81048ad057eb9beaa", "name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)", "description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. | \nWhere does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.", "modified": "2026-01-27T21:02:45.343000", "created": "2025-12-28T21:22:48.595000", "tags": [ "united", "servers", "moved", "ip address", "record value", "encrypt", "present jul", "present jun", "trojandropper", "passive dns", "ipv4 add", "urls", "files", "virtool", "united states", "dynamicloader", "directui", "element", "classinfobase", "write c", "medium", "yara rule", "msvisualbasic60", "high", "hwndelement", "explorer", "write", "movie", "insert", "program", "python", "http traffic", "trojan generic", "search", "cnc activity", "delphi", "win32", "launcher", "pony", "fareit", "malware", "push", "msie", "windows nt", "generic", "checkin", "post", "yara detections", "rxr", "inject", "memcommit", "cryptexportkey", "invalid pointer", "regsetvalueexa", "solutions ltd", "read c", "regdword", "mozilla", "persistence", "execution", "android", "unknown", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "initial access", "defense evasion", "spawns", "t1590 gather", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "pattern match", "mitre att", "ck matrix", "href", "ascii text", "starfield", "hybrid", "general", "local", "path", "iframe", "palantir", "present nov", "present oct", "status", "present apr", "present dec", "cryp", "date", "trojan", "title", "name servers", "windows", "t1060", "disables proxy", "dock", "pegasus", "rootkit", "backdoor", "susp", "win32qqpass feb", "worm", "msr win32", "win64", "process32nextw", "findwindowa", "file execution", "writeconsolea", "procexpl", "file v2", "document", "document file", "v2 document", "lost", "tools", "pecompact", "media", "autorun", "service", "post http", "delete", "alerts", "emotet", "rkt", "autorun", "worm", "plugins", "title error", "body doctype", "html public", "w3cdtd html", "html head", "domain", "expiration date", "hostname add", "pulse pulses", "contacted hosts", "sha1", "sha256", "show technique", "strings", "t1480 execution", "signing defense", "script urls", "a domains", "unknown ns", "texas flyover", "script domains", "script script", "meta", "window", "process details", "contacted" ], "references": [ "Cart.Guru", "Yara Detections: Delphi", "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer", "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer", "HTTP traffic on port 443 (POST)", "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query", "Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs", "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http", "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates", "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http", "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe", "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check", "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad", "Yara Detections: Nullsoft_NSIS ...", "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat", "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com", "Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103", "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx", "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy", "Emotet IDS Detections: Win32/Emotet CnC Checkin Response", "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users" ], "public": 1, "adversary": "Palantir Pegasus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RXR", "display_name": "RXR", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Bagsu!rfn", "display_name": "Trojan:Win32/Bagsu!rfn", "target": "/malware/Trojan:Win32/Bagsu!rfn" }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "#Lowfi:Win32/SandboxProductId", "display_name": "#Lowfi:Win32/SandboxProductId", "target": "/malware/#Lowfi:Win32/SandboxProductId" }, { "id": "Win32:Backdoor", "display_name": "Win32:Backdoor", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "ALF:Trojan:MSIL/BlackFus.C", "display_name": "ALF:Trojan:MSIL/BlackFus.C", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "TrojanProxy:Win32/Ceutv.A", "display_name": "TrojanProxy:Win32/Ceutv.A", "target": "/malware/TrojanProxy:Win32/Ceutv.A" }, { "id": "VirTool:Win32/Obfuscator.AHU", "display_name": "VirTool:Win32/Obfuscator.AHU", "target": "/malware/VirTool:Win32/Obfuscator.AHU" }, { "id": "ShellCode", "display_name": "ShellCode", "target": null }, { "id": "Win32:Rootkit", "display_name": "Win32:Rootkit", "target": null }, { "id": "VB Flash", "display_name": "VB Flash", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Win.Packed.Razy-6847895-0", "display_name": "Win.Packed.Razy-6847895-0", "target": null }, { "id": "Backdoor:Win32/Plugx.N!", "display_name": "Backdoor:Win32/Plugx.N!", "target": "/malware/Backdoor:Win32/Plugx.N!" }, { "id": "Win.Dropper.QQpass-7194329-0", "display_name": "Win.Dropper.QQpass-7194329-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win32:Agent", "display_name": "Win32:Agent", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "Win.Trojan.Emotet-7545664-0", "display_name": "Win.Trojan.Emotet-7545664-0", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2362, "domain": 449, "hostname": 710, "email": 6, "FileHash-MD5": 260, "FileHash-SHA1": 201, "FileHash-SHA256": 333, "SSLCertFingerprint": 27 }, "indicator_count": 4348, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "82 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69519fa818f84531ce6becc9", "name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)", "description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. Where does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.", "modified": "2026-01-27T21:02:45.343000", "created": "2025-12-28T21:22:48.383000", "tags": [ "united", "servers", "moved", "ip address", "record value", "encrypt", "present jul", "present jun", "trojandropper", "passive dns", "ipv4 add", "urls", "files", "virtool", "united states", "dynamicloader", "directui", "element", "classinfobase", "write c", "medium", "yara rule", "msvisualbasic60", "high", "hwndelement", "explorer", "write", "movie", "insert", "program", "python", "http traffic", "trojan generic", "search", "cnc activity", "delphi", "win32", "launcher", "pony", "fareit", "malware", "push", "msie", "windows nt", "generic", "checkin", "post", "yara detections", "rxr", "inject", "memcommit", "cryptexportkey", "invalid pointer", "regsetvalueexa", "solutions ltd", "read c", "regdword", "mozilla", "persistence", "execution", "android", "unknown", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "initial access", "defense evasion", "spawns", "t1590 gather", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "pattern match", "mitre att", "ck matrix", "href", "ascii text", "starfield", "hybrid", "general", "local", "path", "iframe", "palantir", "present nov", "present oct", "status", "present apr", "present dec", "cryp", "date", "trojan", "title", "name servers", "windows", "t1060", "disables proxy", "dock", "pegasus", "rootkit", "backdoor", "susp", "win32qqpass feb", "worm", "msr win32", "win64", "process32nextw", "findwindowa", "file execution", "writeconsolea", "procexpl", "file v2", "document", "document file", "v2 document", "lost", "tools", "pecompact", "media", "autorun", "service", "post http", "delete", "alerts", "emotet", "rkt", "autorun", "worm", "plugins", "title error", "body doctype", "html public", "w3cdtd html", "html head", "domain", "expiration date", "hostname add", "pulse pulses", "contacted hosts", "sha1", "sha256", "show technique", "strings", "t1480 execution", "signing defense", "script urls", "a domains", "unknown ns", "texas flyover", "script domains", "script script", "meta", "window", "process details", "contacted" ], "references": [ "Cart.Guru", "Yara Detections: Delphi", "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer", "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer", "HTTP traffic on port 443 (POST)", "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query", "Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs", "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http", "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates", "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http", "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe", "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check", "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad", "Yara Detections: Nullsoft_NSIS ...", "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat", "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com", "Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103", "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx", "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy", "Emotet IDS Detections: Win32/Emotet CnC Checkin Response", "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users" ], "public": 1, "adversary": "Palantir Pegasus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RXR", "display_name": "RXR", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Bagsu!rfn", "display_name": "Trojan:Win32/Bagsu!rfn", "target": "/malware/Trojan:Win32/Bagsu!rfn" }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "#Lowfi:Win32/SandboxProductId", "display_name": "#Lowfi:Win32/SandboxProductId", "target": "/malware/#Lowfi:Win32/SandboxProductId" }, { "id": "Win32:Backdoor", "display_name": "Win32:Backdoor", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "ALF:Trojan:MSIL/BlackFus.C", "display_name": "ALF:Trojan:MSIL/BlackFus.C", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "TrojanProxy:Win32/Ceutv.A", "display_name": "TrojanProxy:Win32/Ceutv.A", "target": "/malware/TrojanProxy:Win32/Ceutv.A" }, { "id": "VirTool:Win32/Obfuscator.AHU", "display_name": "VirTool:Win32/Obfuscator.AHU", "target": "/malware/VirTool:Win32/Obfuscator.AHU" }, { "id": "ShellCode", "display_name": "ShellCode", "target": null }, { "id": "Win32:Rootkit", "display_name": "Win32:Rootkit", "target": null }, { "id": "VB Flash", "display_name": "VB Flash", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Win.Packed.Razy-6847895-0", "display_name": "Win.Packed.Razy-6847895-0", "target": null }, { "id": "Backdoor:Win32/Plugx.N!", "display_name": "Backdoor:Win32/Plugx.N!", "target": "/malware/Backdoor:Win32/Plugx.N!" }, { "id": "Win.Dropper.QQpass-7194329-0", "display_name": "Win.Dropper.QQpass-7194329-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win32:Agent", "display_name": "Win32:Agent", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "Win.Trojan.Emotet-7545664-0", "display_name": "Win.Trojan.Emotet-7545664-0", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2362, "domain": 449, "hostname": 710, "email": 6, "FileHash-MD5": 260, "FileHash-SHA1": 201, "FileHash-SHA256": 333, "SSLCertFingerprint": 27 }, "indicator_count": 4348, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "82 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68eff833ed84ceaf611521d2", "name": "Tucker Carlson | AutInject \u2022 Zbot \u2022 CoinMiner \u2022 Zombie \u2022 Qbot affects his YouTube Channel (9.14.2025) ", "description": "", "modified": "2025-10-15T19:38:27.739000", "created": "2025-10-15T19:38:27.739000", "tags": [ "resolved ips", "parent pid", "full path", "command line", "cname", "ip address", "port", "involved direct", "country name", "nxdomain", "tcp connections", "udp connections", "data", "datacrashpad", "edge", "passive dns", "origin trial", "gmt cache", "sameorigin", "443 ma2592000", "ipv4 add", "files", "title", "date", "found", "gmt content", "hostname", "verdict", "error", "code", "present aug", "present sep", "aaaa", "search", "domain", "present apr", "present jun", "address google", "safe browsing", "present oct", "match info", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "match medium", "icmp traffic", "port t1571", "info", "c0002 wininet", "flag", "markmonitor", "domain address", "contacted hosts", "process details", "size", "iend ihdridatx", "qrmf", "qkdi", "qiyay", "kjtn8", "r0x3", "ihdridatx", "yg6qp", "kkrz", "t6 ex", "click", "windir", "openurl c", "prefetch2", "data upload", "extraction", "failed", "please", "your browser", "learn", "opera mozilla", "firefox google", "chrome remind", "privacy policy", "safety", "google llc", "youtube", "mozilla firefox", "safari google", "edge opera", "browse youtube", "file", "indicator", "pattern match", "ascii text", "ck id", "ck matrix", "href", "general", "local", "path", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "files domain", "files related", "related tags", "registrar", "files ip", "asn as15169", "address domain", "ip whois", "service address", "po box", "city hayes", "country gb", "dnssec", "domain name", "emails", "script urls", "a domains", "texas flyover", "script domains", "script script", "trojan", "meta", "window", "msie", "chrome", "twitter", "unknown aaaa", "record value", "content type", "united states", "dynamicloader", "medium", "write c", "high", "show", "digicert", "olet", "encrypt", "win64", "responder", "write", "next", "unknown", "install", "dummy", "entries", "displayname", "windows", "united", "tofsee", "copy", "stream", "malware", "hostile", "body", "hostile client", "apollo", "jaik", "code overlap", "sri lanka", "pintuck sri", "lanka", "unknown ns", "moved", "buy apparal", "win32", "trojandropper", "virtool", "susp", "ipv4", "pulse pulses", "urls", "reverse dns", "location united", "installer" ], "references": [ "https://www.youtube.com/watch?v=5KmpT-BoVf4", "https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4", "critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade", "http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net", "canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com", "docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com", "ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net", "malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf", "IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -", "Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login", "Yara Detections: RansomWin32Apollo \u2022 216.239.32.27" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Malware + Code Overlap", "display_name": "Malware + Code Overlap", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Trojandownloader:Win32/Upatre", "display_name": "Trojandownloader:Win32/Upatre", "target": "/malware/Trojandownloader:Win32/Upatre" }, { "id": "Trojan:BAT/Musecador", "display_name": "Trojan:BAT/Musecador", "target": "/malware/Trojan:BAT/Musecador" }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "Bancos", "display_name": "Bancos", "target": null }, { "id": "Hematite", "display_name": "Hematite", "target": null }, { "id": "Trojanspy:Win32/Banker.LY", "display_name": "Trojanspy:Win32/Banker.LY", "target": "/malware/Trojanspy:Win32/Banker.LY" }, { "id": "Trojan:Win32/Vflooder!rfn", "display_name": "Trojan:Win32/Vflooder!rfn", "target": "/malware/Trojan:Win32/Vflooder!rfn" }, { "id": "Win32:MalwareX", "display_name": "Win32:MalwareX", "target": null }, { "id": "Malwarex", "display_name": "Malwarex", "target": null }, { "id": "Virtool:Win32/CeeInject.AKZ!bit", "display_name": "Virtool:Win32/CeeInject.AKZ!bit", "target": "/malware/Virtool:Win32/CeeInject.AKZ!bit" }, { "id": "Win32:Dropper", "display_name": "Win32:Dropper", "target": null }, { "id": "Ymacco", "display_name": "Ymacco", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Trojandownloader:Win32/Upatre.A", "display_name": "Trojandownloader:Win32/Upatre.A", "target": "/malware/Trojandownloader:Win32/Upatre.A" }, { "id": "Win32:Evo", "display_name": "Win32:Evo", "target": null }, { "id": "Trojandropper:Win32/BcryptInject.B!MSR", "display_name": "Trojandropper:Win32/BcryptInject.B!MSR", "target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR" }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": "Win32:Cleaman-K\\ [Trj]", "display_name": "Win32:Cleaman-K\\ [Trj]", "target": null }, { "id": "Asacky", "display_name": "Asacky", "target": null }, { "id": "Backdoor:Win32/Plugx.N!dha", "display_name": "Backdoor:Win32/Plugx.N!dha", "target": "/malware/Backdoor:Win32/Plugx.N!dha" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [ "Media" ], "TLP": "white", "cloned_from": "68c73fbd85dfbb4d41006ad1", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4746, "hostname": 1829, "domain": 913, "FileHash-MD5": 249, "FileHash-SHA1": 213, "FileHash-SHA256": 1765, "email": 3, "SSLCertFingerprint": 17 }, "indicator_count": 9735, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "186 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c73fbd85dfbb4d41006ad1", "name": "Tucker Carlson Sam Altman YouTube Interview \u2022 Qbot | Malware with. Code Overlap", "description": "Maybe it\u2019s a network issue. The TV I viewed interview from is in Arabic the every time. It\u2019s not\nmy\ntelevision or network, didn\u2019t get link from a logged in YouTube. Not a subscriber.. I viewed using (cc) close captioning. It\u2019s the only program n YouTube using another language for this interview. The only reason I\u2019ve visited this interview several time\u2019s since it\u2019s aired is to check for the same results. Every time only this interview uses another language for (cc).\n\nThere are related pulses by a few different users, experiencing similar personal issues. I\u2019d assume I\u2019d always get these results. Unclear\n\n* At the end of interview Tucker Carlson states YouTube is trying to suppress or delete this one interview.", "modified": "2025-10-14T22:26:18.109000", "created": "2025-09-14T22:20:45.617000", "tags": [ "resolved ips", "parent pid", "full path", "command line", "cname", "ip address", "port", "involved direct", "country name", "nxdomain", "tcp connections", "udp connections", "data", "datacrashpad", "edge", "passive dns", "origin trial", "gmt cache", "sameorigin", "443 ma2592000", "ipv4 add", "files", "title", "date", "found", "gmt content", "hostname", "verdict", "error", "code", "present aug", "present sep", "aaaa", "search", "domain", "present apr", "present jun", "address google", "safe browsing", "present oct", "match info", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "match medium", "icmp traffic", "port t1571", "info", "c0002 wininet", "flag", "markmonitor", "domain address", "contacted hosts", "process details", "size", "iend ihdridatx", "qrmf", "qkdi", "qiyay", "kjtn8", "r0x3", "ihdridatx", "yg6qp", "kkrz", "t6 ex", "click", "windir", "openurl c", "prefetch2", "data upload", "extraction", "failed", "please", "your browser", "learn", "opera mozilla", "firefox google", "chrome remind", "privacy policy", "safety", "google llc", "youtube", "mozilla firefox", "safari google", "edge opera", "browse youtube", "file", "indicator", "pattern match", "ascii text", "ck id", "ck matrix", "href", "general", "local", "path", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "files domain", "files related", "related tags", "registrar", "files ip", "asn as15169", "address domain", "ip whois", "service address", "po box", "city hayes", "country gb", "dnssec", "domain name", "emails", "script urls", "a domains", "texas flyover", "script domains", "script script", "trojan", "meta", "window", "msie", "chrome", "twitter", "unknown aaaa", "record value", "content type", "united states", "dynamicloader", "medium", "write c", "high", "show", "digicert", "olet", "encrypt", "win64", "responder", "write", "next", "unknown", "install", "dummy", "entries", "displayname", "windows", "united", "tofsee", "copy", "stream", "malware", "hostile", "body", "hostile client", "apollo", "jaik", "code overlap", "sri lanka", "pintuck sri", "lanka", "unknown ns", "moved", "buy apparal", "win32", "trojandropper", "virtool", "susp", "ipv4", "pulse pulses", "urls", "reverse dns", "location united", "installer" ], "references": [ "https://www.youtube.com/watch?v=5KmpT-BoVf4", "https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4", "critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade", "http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net", "canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com", "docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com", "ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net", "malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf", "IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -", "Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login", "Yara Detections: RansomWin32Apollo \u2022 216.239.32.27" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Malware + Code Overlap", "display_name": "Malware + Code Overlap", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Trojandownloader:Win32/Upatre", "display_name": "Trojandownloader:Win32/Upatre", "target": "/malware/Trojandownloader:Win32/Upatre" }, { "id": "Trojan:BAT/Musecador", "display_name": "Trojan:BAT/Musecador", "target": "/malware/Trojan:BAT/Musecador" }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "Bancos", "display_name": "Bancos", "target": null }, { "id": "Hematite", "display_name": "Hematite", "target": null }, { "id": "Trojanspy:Win32/Banker.LY", "display_name": "Trojanspy:Win32/Banker.LY", "target": "/malware/Trojanspy:Win32/Banker.LY" }, { "id": "Trojan:Win32/Vflooder!rfn", "display_name": "Trojan:Win32/Vflooder!rfn", "target": "/malware/Trojan:Win32/Vflooder!rfn" }, { "id": "Win32:MalwareX", "display_name": "Win32:MalwareX", "target": null }, { "id": "Malwarex", "display_name": "Malwarex", "target": null }, { "id": "Virtool:Win32/CeeInject.AKZ!bit", "display_name": "Virtool:Win32/CeeInject.AKZ!bit", "target": "/malware/Virtool:Win32/CeeInject.AKZ!bit" }, { "id": "Win32:Dropper", "display_name": "Win32:Dropper", "target": null }, { "id": "Ymacco", "display_name": "Ymacco", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Trojandownloader:Win32/Upatre.A", "display_name": "Trojandownloader:Win32/Upatre.A", "target": "/malware/Trojandownloader:Win32/Upatre.A" }, { "id": "Win32:Evo", "display_name": "Win32:Evo", "target": null }, { "id": "Trojandropper:Win32/BcryptInject.B!MSR", "display_name": "Trojandropper:Win32/BcryptInject.B!MSR", "target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR" }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": "Win32:Cleaman-K\\ [Trj]", "display_name": "Win32:Cleaman-K\\ [Trj]", "target": null }, { "id": "Asacky", "display_name": "Asacky", "target": null }, { "id": "Backdoor:Win32/Plugx.N!dha", "display_name": "Backdoor:Win32/Plugx.N!dha", "target": "/malware/Backdoor:Win32/Plugx.N!dha" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [ "Media" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4746, "hostname": 1829, "domain": 913, "FileHash-MD5": 249, "FileHash-SHA1": 213, "FileHash-SHA256": 1765, "email": 3, "SSLCertFingerprint": 17 }, "indicator_count": 9735, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://js.sparkloop.app/team", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://js.sparkloop.app/team", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776688082.11639 }