{
"type": "URL",
"indicator": "https://jsdelivr.yangzupan.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://jsdelivr.yangzupan.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3680650595,
"indicator": "https://jsdelivr.yangzupan.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "6a126fcffc60a71dfab01f24",
"name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
"description": "",
"modified": "2026-05-24T03:32:22.109000",
"created": "2026-05-24T03:26:07.144000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4130,
"URL": 11958,
"hostname": 4644,
"domain": 4304,
"FileHash-MD5": 2256,
"FileHash-SHA1": 1161,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1,
"IPv6": 4,
"IPv4": 6
},
"indicator_count": 28500,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "7 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6a126fcc3620af2edeb95e57",
"name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
"description": "",
"modified": "2026-05-24T03:26:04.439000",
"created": "2026-05-24T03:26:04.439000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "7 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69e940361a6e8be7e02ffe5d",
"name": "URL_File_Delivery clone by octoseek",
"description": "",
"modified": "2026-05-22T23:04:42.859000",
"created": "2026-04-22T21:40:06.671000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64d9d1b920c9b43c1885b2e4",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1644,
"domain": 386,
"hostname": 535,
"FileHash-SHA256": 609,
"email": 5,
"URI": 9,
"FilePath": 1,
"FileHash-SHA1": 8,
"FileHash-MD5": 24
},
"indicator_count": 3221,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69aa41b0d714318bf8937184",
"name": "Credit Q.Vashti, Title [.Net Obfuscater] clone",
"description": "",
"modified": "2026-04-25T07:06:03.966000",
"created": "2026-03-06T02:53:36.216000",
"tags": [
"no expiration",
"domain",
"name",
"control flow",
"dlls",
"method parent",
"declarative",
"ms build",
"core",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"read c",
"dock",
"write",
"execution",
"capture",
"endgame",
"united",
"moved",
"ip address",
"record value",
"gate software",
"newnham house",
"expiration date",
"urls",
"url add",
"http",
"related nids",
"files location",
"flag united",
"present aug",
"present sep",
"present nov",
"present oct",
"name servers",
"emails",
"present dec",
"meta",
"passive dns",
"next associated",
"ipv4",
"url analysis",
"files",
"cookie",
"subscribe",
"unsubscribe",
"s paris",
"englewood",
"state",
"skip",
"espaol",
"summary",
"filing history",
"ireland",
"title",
"united states",
"certificate",
"colorado",
"ipv4 add",
"america flag",
"showing",
"pulse submit",
"size",
"pattern match",
"mitre att",
"ck id",
"path",
"hybrid",
"general",
"local",
"iframe",
"click",
"strings",
"cece",
"mult",
"learn",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"sha1",
"sha256",
"njmk",
"kwruymy",
"mime",
"submitted",
"process details",
"calls",
"apis",
"reads",
"defense evasion",
"model",
"getprocaddress",
"show technique",
"ck matrix",
"access type",
"value",
"api call",
"open",
"august",
"format",
"typeof symbol",
"typeof s",
"typeof c",
"function",
"symbol",
"comenabled",
"image path",
"ndex",
"ndroleextdll",
"f0f0f0",
"ff4b55",
"stop",
"span",
"show process",
"binary file",
"file",
"network traffic",
"encrypt",
"date",
"found",
"ssl certificate",
"creation date",
"hostname add",
"pulse pulses",
"files ip",
"address domain",
"data upload",
"extraction",
"ge6 mira",
"failed",
"ascii text",
"development att",
"hostname",
"files domain",
"files related",
"pulses otx",
"pulses",
"unknown aaaa",
"unknown ns",
"united states",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"a domains",
"search",
"germany unknown",
"win32",
"lowfi",
"chrome",
"susp",
"trojan",
"backdoor",
"twitter",
"virtool",
"worm",
"exploit",
"trojandropper",
"win32upatre dec",
"mtb dec",
"reverse dns",
"body",
"location united",
"asn as14618",
"less whois",
"files show",
"date hash",
"avast avg",
"initial access",
"javascript",
"root",
"enterprise",
"form",
"desktop",
"command decode",
"suricata ipv4",
"spycloud",
"robots",
"bots",
"chatbot",
"bot network",
"spy",
"mixb",
"a2fryx",
"therahand",
"typosquating"
],
"references": [
"https://www.red-gate.com/products/smartassembly",
"spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud",
"https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=",
"https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0",
"dasima-containers.palantirfoundry.com \u2022 blitzrobots.com",
"https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com",
"https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY",
"www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/",
"https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3",
"Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-",
"Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Unix.Dropper.Mirai-7135870-0",
"display_name": "Unix.Dropper.Mirai-7135870-0",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1127",
"name": "Trusted Developer Utilities Proxy Execution",
"display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1416",
"name": "URI Hijacking",
"display_name": "T1416 - URI Hijacking"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1116",
"name": "Code Signing",
"display_name": "T1116 - Code Signing"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6952d4fc6910b0b866746d8a",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 341,
"FileHash-SHA1": 343,
"FileHash-SHA256": 1332,
"domain": 1062,
"hostname": 1969,
"URL": 5700,
"email": 10,
"SSLCertFingerprint": 21,
"CVE": 1
},
"indicator_count": 10779,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "36 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a3c685d4b7c139ffe62930",
"name": "Clone Pulse Reference",
"description": "",
"modified": "2026-04-01T00:44:45.494000",
"created": "2026-03-01T04:54:29.384000",
"tags": [
"ipv4",
"active related",
"trojandropper",
"mtb jun",
"lowfi",
"trojan",
"mtb jan",
"fastly error",
"please",
"united",
"ttl value",
"get na",
"total",
"delete",
"search",
"yara detections",
"sinkhole cookie",
"value snkz",
"write",
"suspicious",
"ransom",
"malware",
"Ransom.Win32.Birele.gsg Checkin",
"AnubisNetworks Sinkhole Cookie Value Snkz",
"Possible Compromised Host",
"dynamicloader",
"delete c",
"default",
"medium",
"write c",
"settingswpad",
"intel",
"ms windows",
"users",
"number",
"title",
"installer",
"top source",
"top destination",
"source source",
"port",
"filehash",
"av detections",
"ids detections",
"yara rule",
"gravityrat",
"detectvm",
"x00 x00",
"x00x00",
"doviacmd",
"rootjob",
"getfiles",
"updateserver",
"ethernetid",
"ids signatures",
"exploits",
"sid name",
"malware cve",
"dns query",
"dnsbin demo",
"data exfil",
"exif data",
"DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr",
"DNSBin Demo (requestbin .net) - Data Exfitration",
"source port",
"destination",
"present sep",
"script urls",
"script script",
"a domains",
"script domains",
"ip address",
"meta",
"present nov",
"passive dns",
"next associated",
"domain add",
"pe executable",
"entries",
"show",
"msie",
"windows nt",
"wow64",
"copy",
"present jan",
"present feb",
"domain",
"pulse pulses",
"urls",
"files",
"tam legal",
"christopher ahmann",
"https://unicef.se/assets/apple",
"treece alfrey",
"hours ago",
"information",
"report spam",
"ahmann colorado",
"state",
"special cousel",
"created",
"expiro",
"capture"
],
"references": [
"Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN",
"Fastly Error and Palantir blocked several times over the last few months.",
"Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)",
"IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.",
"Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN",
"Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT",
"Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName",
"Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage",
"https://unicef.se/assets/apple"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/Neconyd.A",
"display_name": "Trojan:Win32/Neconyd.A",
"target": "/malware/Trojan:Win32/Neconyd.A"
},
{
"id": "PWS:Win32/QQpass.FC",
"display_name": "PWS:Win32/QQpass.FC",
"target": "/malware/PWS:Win32/QQpass.FC"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Malware.Urelas-9863836-0",
"display_name": "Win.Malware.Urelas-9863836-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Win.Trojan.Vundo-7170412-0",
"display_name": "Win.Trojan.Vundo-7170412-0",
"target": null
},
{
"id": "#Lowfi:SuspiciousSectionName",
"display_name": "#Lowfi:SuspiciousSectionName",
"target": null
},
{
"id": "Multiple Malware\u2019s , Trojans and Rats",
"display_name": "Multiple Malware\u2019s , Trojans and Rats",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6906bd99cadbd4140014c6af",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 909,
"domain": 454,
"hostname": 1404,
"URL": 3557,
"CIDR": 1,
"FileHash-MD5": 242,
"FileHash-SHA1": 185,
"email": 1,
"CVE": 1
},
"indicator_count": 6754,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "60 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b49ad5dd40a24d83cd6a72",
"name": "Chris P. Ahmann \u2022 PRIVATE PROPERTY Colorado State Fixer!",
"description": "",
"modified": "2026-03-13T23:16:37.716000",
"created": "2026-03-13T23:16:37.716000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69631fbd16e306ee2b76c4da",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "78 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b496396ca4987e95ad37d1",
"name": "Chris Buzz by QVashni (wow)",
"description": "",
"modified": "2026-03-13T22:56:57.314000",
"created": "2026-03-13T22:56:57.314000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69482caa00d327da8f0a87bc",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "78 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b49587dd104e342dda1628",
"name": "C Ahman Attorney Clone by Top Tier, Q.Vashti",
"description": "",
"modified": "2026-03-13T22:53:59.112000",
"created": "2026-03-13T22:53:59.112000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "78 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b92a27c47d4e28927364",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:26.110000",
"created": "2026-03-12T13:01:30.067000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 72,
"modified_text": "79 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b9295603a6100edfa8c8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:25.387000",
"created": "2026-03-12T13:01:29.284000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "79 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b927aa7f10e82639d204",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.872000",
"created": "2026-03-12T13:01:27.872000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b927c086397130c5d114",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.275000",
"created": "2026-03-12T13:01:27.275000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b926871746ed8a1bc324",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:26.440000",
"created": "2026-03-12T13:01:26.440000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b925e85c948d4dd608cc",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:25.852000",
"created": "2026-03-12T13:01:25.852000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8e974189d2c41f07ed8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:25.910000",
"created": "2026-03-12T13:00:25.910000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8e74d2b3effd55f88c3",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:23.173000",
"created": "2026-03-12T13:00:23.173000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8dfbf8426a7a1d0146d",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:15.427000",
"created": "2026-03-12T13:00:15.427000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d7123610591625b8fb",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:07.354000",
"created": "2026-03-12T13:00:07.354000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d61e3f64a8f1f169b6",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:06.214000",
"created": "2026-03-12T13:00:06.214000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d24eeb4200bdb1d702",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:02.096000",
"created": "2026-03-12T13:00:02.096000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6958780c8479a9d69920c3d8",
"name": "Telnet - Mirai \u2022 Dark Nexus BusyBox iOS Attack",
"description": "There\u2019s enough here to cause an outage. I will stop here. Illegal activities to silence victim and block her from financial settlement award for permanent injuries under workers compensation in a premise and healthcare worker assault scenario. Attorneys estimated her case to be above $100 million but knew she\u2019d be tampered with. Mark Montano MD forewarned her but is culpable. Still attacking family of victim.\n[ True- otx auto generated: Adversaries may be able to gain access to a victim's network through a drive-by attack, as well as using a short-term SSL certificate, in order to target the victim.] |||\nPositive:\nT1140 - Deobfuscate/Decode Files or Information\nSuspicious IP Address\n104.21.51.140, 172.67.181.41\nLocation United States ASN\nModif AS13335 cloudflare\nAutomate Nameservers:\nns1.colocrossing.com.",
"modified": "2026-02-02T01:02:46.327000",
"created": "2026-01-03T01:59:40.530000",
"tags": [
"united",
"moved",
"title",
"passive dns",
"ipv4 add",
"urls",
"files",
"hosting",
"reverse dns",
"location united",
"hash avast",
"avg clamav",
"msdefender mar",
"read c",
"create c",
"medium",
"search",
"memcommit",
"high",
"checks",
"windows",
"execution",
"dock",
"write",
"persistence",
"capture",
"local",
"ref b",
"wed may",
"backdoor",
"mtb aug",
"next associated",
"mtb dec",
"twitter",
"smoke loader",
"malware",
"virtool",
"hacktool",
"data upload",
"present dec",
"mtb apr",
"win32",
"trojan",
"worm",
"lowfi",
"cybota",
"expiration date",
"name servers",
"ipv4",
"url analysis",
"port",
"destination",
"telnet login",
"bad login",
"gpl telnet",
"suspicious path",
"busybox",
"tcp syn",
"et telnet",
"path",
"mirai",
"filehash",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"america",
"ck id",
"name tactics",
"suspicious",
"informative",
"learn",
"t1179 hooking",
"installs",
"t1035 service",
"adversaries",
"msie",
"windows nt",
"slcc2",
"media center",
"y013",
"flag",
"span",
"accept",
"core",
"february",
"hybrid",
"malicious",
"general",
"click",
"strings",
"roboto",
"next",
"usa windows",
"finished",
"queueprogress",
"timestamp input",
"threat level",
"october",
"september",
"hwp support",
"fresh",
"win64",
"khtml",
"gecko",
"brand",
"microsoft edge",
"programfiles",
"comspec",
"model",
"iframe",
"form",
"listeners",
"initial access",
"t1590 gather",
"victim network",
"ssl certificate",
"quasi government",
"jeffrey reimer",
"palantir",
"Regis university",
"otx hp",
"apple",
"pegasus",
"h5 data center",
"florence colorado",
"brian sabey",
"target : Tsara Brasheaers",
"aig",
"industry and commerce",
"united states",
"State of Colorado.",
"date",
"status",
"domain",
"hostname add",
"pulse pulses",
"files ip",
"address",
"url https",
"url http",
"hostname",
"show",
"type indicator",
"source hostname",
"entries",
"Prometheus Intelligence Technology",
"pulse submit",
"america flag",
"body",
"dynamicloader",
"microsoft azure",
"tls issuing",
"named pipe",
"json",
"ascii text",
"lredmond",
"Apple",
"Telnet",
"BusyBox",
"Pegasus",
"Colorado State Fixer: Christopher P. Ahmann",
"Hijacker: Brian Sabey",
"For: Concentra",
"Protecting Assaulter: Jeffrey Reimer",
"For: AIG",
"For Industry and Commerce",
"For: Quasi Government",
"For: Workers Compensation",
"Authorities",
"Law Enforcement Dark",
"Silencing",
"Tampering with a Victim",
"Meta",
"Palantir",
"Google",
"Bing",
"Microsoft",
"ColoCrossing",
"Associates",
"hit men"
],
"references": [
"ET Telnet | https://www.colocrossing.com | velocity servers",
"https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives",
"TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host",
"Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)",
"(legitimate services will remain up-and-running usually) High | ID dead_host",
"ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0",
"IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login",
"Yara Detections is__elf",
"Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"Yara Detections is__elf , ELFHighEntropy , elf_empty_sections",
"http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/",
"https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l",
"https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!",
"https://www.colocrossing.com/",
"(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.",
"In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov",
"104.21.51.140, 172.67.181.41",
"Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot",
"stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe",
"Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download",
"Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration",
"IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192",
"IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82",
"Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com",
"This is hard to comprehend or put into indelible words."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.DarkNexus-7679166-0",
"display_name": "Unix.Trojan.DarkNexus-7679166-0",
"target": null
},
{
"id": "HackTool:MSIL/Boilod.C!bit",
"display_name": "HackTool:MSIL/Boilod.C!bit",
"target": "/malware/HackTool:MSIL/Boilod.C!bit"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1204.002",
"name": "Malicious File",
"display_name": "T1204.002 - Malicious File"
},
{
"id": "T1462",
"name": "Malicious Software Development Tools",
"display_name": "T1462 - Malicious Software Development Tools"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Technology",
"Healthcare",
"Insurance",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6390,
"domain": 723,
"hostname": 1978,
"FileHash-SHA256": 1912,
"FileHash-MD5": 410,
"FileHash-SHA1": 306,
"email": 3,
"SSLCertFingerprint": 28,
"CVE": 3
},
"indicator_count": 11753,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "118 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6958372ef9da31513d96bebb",
"name": "Connected-IOS remotely connected to 180.4.1.2 \u2022 ocn.ad.jp -NTT Communications Corporation",
"description": "Retaliation? IOS remotely connected to 180.4.1.2 \u2022 ocn.ad.jp -NTT Communications Corporation for malicious control | found in the analytics of a highly target device: I\u2019ve included related pulses from 2 other threat responders and an Apple discussion post. Surprisingly, most of the IoC\u2019s pulsed came from one page of analytics. | \u2022 \"avconferenced\", \"procPath\" : \"\\/usr\\/libexec\\/avconferenced | 180.4.1.2 | a version of\npegasus found. | https://prometheus-pushgateway-internal.preview.tp-staging.com/\t\nhostname: prometheus.netmaker.vonnue.dev\t\nhostname: prometheus.dev.aws.finoa.io |\nSince Prometheus pulse . I realize now every Prometheus pulse illicits outrageous behavior.. Is this a secret society? Try to be more secretive. Owl heads in lawn. This behavior illicits investigation for a fix. Please STOP. I\u2019m done looking at Prometheus. Please stop leaving artifacts.",
"modified": "2026-02-01T20:00:08.812000",
"created": "2026-01-02T21:22:54.247000",
"tags": [
"syscall",
"nsrunloop",
"objcclass",
"region type",
"start",
"vsize",
"prtmax shrmod",
"region detailn",
"unused space",
"at startn",
"guard",
"urls",
"url analysis",
"verdict",
"domain",
"address",
"location japan",
"hikone",
"japan asn",
"as4713 ntt",
"related tags",
"none external",
"aaaa",
"united",
"passive dns",
"ip address",
"japan",
"present dec",
"domain add",
"files",
"japan unknown",
"present jul",
"present oct",
"present sep",
"present aug",
"present jun",
"japan showing",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"reverse dns",
"present nov",
"present",
"present may",
"present mar",
"present apr",
"data upload",
"extraction",
"failed",
"files ip",
"moved",
"gmt content",
"ipv4 add",
"location united",
"title",
"ipv4",
"dns resolutions",
"hostname add",
"asn as4713",
"all ipv4",
"google",
"ocn ntt",
"googlecl",
"http",
"amazon02",
"akamaias",
"page url",
"yahoojp",
"december",
"jp summary",
"february",
"asn15169",
"tokyo",
"kansas city",
"asn396982",
"asn30286",
"asn16509",
"cisco",
"umbrella rank",
"cisco umbrella",
"rank",
"kitashinagawa",
"sureserver ev",
"ca g3",
"domains",
"hashes",
"microsoft",
"docomo business",
"ml14325",
"as autonomous",
"asn8075",
"ip information",
"ipasns ip",
"detail domain",
"domain tree",
"links domain",
"requested",
"value",
"automatic",
"webgl",
"please",
"mr value",
"muid value",
"mjl function",
"dcmlinker",
"paq string",
"kb script",
"b image",
"b script",
"frame a344",
"redirect chain",
"kb document",
"frame",
"b xhr",
"kb image",
"fetch collect",
"request chain",
"redirected",
"http redirect",
"name servers",
"redacted for",
"servers",
"unknown aaaa",
"search",
"for privacy",
"domeny serwery",
"verdana tahoma",
"arial",
"gmt contenttype",
"meta",
"small",
"results jan",
"present jan",
"status",
"record value",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"process details",
"flag",
"japan japan",
"pattern match",
"ascii text",
"mitre att",
"ck id",
"null",
"refresh",
"span",
"hybrid",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"command",
"found",
"defense evasion",
"monitored target",
"pulse submit",
"wikipedia",
"imap",
"smtp",
"ocn open",
"discussion",
"stub",
"jprs database",
"ocnnttocn",
"maintenance",
"outages notice",
"lock status",
"state",
"connected",
"organization",
"type",
"name",
"server",
"name server",
"connected date",
"algorithm",
"key identifier",
"data",
"v3 serial",
"number",
"cjp ocybertrust",
"ev ca",
"g3 validity",
"ku ontt",
"docomo",
"record type",
"ttl value",
"thumbprint",
"emails",
"date",
"trojan",
"pegasus",
"title error",
"hostname",
"pulse pulses",
"entries",
"mtb apr",
"lowfi",
"win32",
"a domains",
"body",
"worm",
"virtool",
"cybota",
"showing",
"palantir",
"prometheus"
],
"references": [
"ocn.ne.jp \u2022 180.4.1.2 \u2022 gateway1.ocn.ad.jp",
"login.ocn.ne.jp 122.28.88.229 \u2022 outpost@alpha.ocn.ne.jp",
"ocn.ad.jp - Registrant Org: NTT Communications Corporation",
"Page Title: \u30ed\u30b0\u30a4\u30f3 | OCN\u30e1\u30fc\u30eb | OCN",
"Nippon Telegraph and Telephone Corporation one governmental now privated",
"computersandsoftware \u2022 portal sites \u2022 search engines and portals",
"(Found on targeted iOS device) mr-file-connector-193.api.auxosandbox.com",
"Guardicore by CyberHunterAutoFeed \u2022 https://otx.alienvault.com/pulse/655d47fb128a006a7d06afa2",
"Japanese Phishing Site by pingineer \u2022 https://otx.alienvault.com/pulse/61d3b380c44ee030dd092a80",
"https://discussions.apple.com/thread/255214328?sortBy=rank",
"https://urlscan.io/result/98a3575f-9b94-4ef3-ae84-8e585f882151/#indicators",
"Interesting (found in pulse) https://www.studentfinancewales.co.uk/contact",
"kalpak.palantirfedstart.com \u2022 lsauth-vault.palantirfedstart.com \u2022 sandboxes-ranunculus.palantirfedstart.com",
"swarm-foundry.com",
"When you see silly related domains it\u2019s probably Palantir kids: fuckingshitshow.org Domain kinkfuck.com \u2022 nobodycares.art",
"heavy-r.com \u2022 fartyphant.com \u2022 uglyphant.com \u2022 maciej.sztajerwald@gmail.com",
"https://hybrid-analysis.com/sample/6af451b8e64c3f8abafc84e776fe6c257888e0875b2d22c75b23b13960f46567/69580966ed3458719b0f0ed5",
"server-3-164-143-102.nrt20.r.cloudfront.net",
"ec2-3-115-135-167.ap-northeast-1.compute.amazonaws.com",
"ec2-57-181-50-85.ap-northeast-1.compute.amazonaws.com",
"https://ww41.porn25.com/",
"https://otx.alienvault.com/indicator/url/https://t.notif-laposte.info/TrackActions/NGJlYjE5NjZhZDlkODU0NzE3Yzg3Zjk3ODJkMmMxZWRjMTlkODAxZmEyMjY5YjU5YjY1MGU1OWFmZTdhMDlhMmM2YjY3ZTBiYzYwNWUwODdmMzkzZDc5ZjAwNDViODM1OGU5MTA0M2IzMjRmOGQwNTgxZGZjMmUyODFlZDI3MDYzZTQzNzg4NGVkMWJmMDgwMzM0NTA5OGRmY2M0NTVjZA",
"If something curious is found on privatelybowen property we have a constitutional right to examine it.",
"Other constitutional rights and privileges written in law where severe courses of action is allowed",
"iOS device, Update 26.2 , heavily monitored target of death threats, attempts & unfortunate outcome..",
"Device targeted with l RMS Modules by male in Denver, Co",
"Attempts to clip target at high rate of speed.Seen again at her residence in October",
"Target was monitored in store and followed home needed to stop multiple times , change routes.",
"Multiple attackers. Don\u2019t believe me, look at the pulses. Caged in by male with deauther watch.",
"Most of the people doing this are 50\u2019s plus, plus. There are youngsters but many grey haired , grandparents",
"The older the smarter the way better. These people are brilliant , ruthless and dangerous",
"Phone recently accessed, a tiny unauthorized speaker was on. Threat actors connected.",
"Malicious activity seen since a Pulse regarding school outage.",
"Location search was used to find device users address. It\u2019s with me.",
"Delete service is being used on this Threat service",
"Many indicators point to an IP this block is on.",
"It\u2019s so out of hand,m for 16 people.",
"https://prometheus-pushgateway-internal.preview.tp-staging.com/",
"prometheus.netmaker.vonnue.dev",
"prometheus.dev.aws.finoa.io",
"Prometheus - Alien God? Morality through the eyes of the immoral",
"Prometheus- allegedly related to Peter Thiel , Elon Musk and tech bro Joes who are playing God."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2879,
"domain": 1372,
"URL": 5788,
"FileHash-SHA256": 1720,
"CVE": 1,
"FileHash-MD5": 238,
"FileHash-SHA1": 241,
"email": 13
},
"indicator_count": 12252,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "118 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6952d4fc6910b0b866746d8a",
"name": ".NET Obfuscator, Error Reporting, DLL Merging | SmartAssembly | Spycloud",
"description": "*Mirai | Currently being used maliciously. Mirai botnet work in place. Obfuscation, call redirection, evasion , chatbots, spyware , cal retrieval , typosquating , and other tactics used against victim. Red hats being unethical is expected.. This team is attacking in this instance. Screen Capture 24/7. Malicious media +++ from Englewood, Co. \n\nWhen used ethically SmartAssembly protects your code and Intellectual Property with powerful obfuscation features, and provides error reports when your application crashes in the wild, as well as a range of other tools for database management and data management.\n#palantir #foundry #denver #englewood #colorado #spycloud #mirai #botnet",
"modified": "2026-01-28T18:03:54.589000",
"created": "2025-12-29T19:22:36.103000",
"tags": [
"no expiration",
"domain",
"name",
"control flow",
"dlls",
"method parent",
"declarative",
"ms build",
"core",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"read c",
"dock",
"write",
"execution",
"capture",
"endgame",
"united",
"moved",
"ip address",
"record value",
"gate software",
"newnham house",
"expiration date",
"urls",
"url add",
"http",
"related nids",
"files location",
"flag united",
"present aug",
"present sep",
"present nov",
"present oct",
"name servers",
"emails",
"present dec",
"meta",
"passive dns",
"next associated",
"ipv4",
"url analysis",
"files",
"cookie",
"subscribe",
"unsubscribe",
"s paris",
"englewood",
"state",
"skip",
"espaol",
"summary",
"filing history",
"ireland",
"title",
"united states",
"certificate",
"colorado",
"ipv4 add",
"america flag",
"showing",
"pulse submit",
"size",
"pattern match",
"mitre att",
"ck id",
"path",
"hybrid",
"general",
"local",
"iframe",
"click",
"strings",
"cece",
"mult",
"learn",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"sha1",
"sha256",
"njmk",
"kwruymy",
"mime",
"submitted",
"process details",
"calls",
"apis",
"reads",
"defense evasion",
"model",
"getprocaddress",
"show technique",
"ck matrix",
"access type",
"value",
"api call",
"open",
"august",
"format",
"typeof symbol",
"typeof s",
"typeof c",
"function",
"symbol",
"comenabled",
"image path",
"ndex",
"ndroleextdll",
"f0f0f0",
"ff4b55",
"stop",
"span",
"show process",
"binary file",
"file",
"network traffic",
"encrypt",
"date",
"found",
"ssl certificate",
"creation date",
"hostname add",
"pulse pulses",
"files ip",
"address domain",
"data upload",
"extraction",
"ge6 mira",
"failed",
"ascii text",
"development att",
"hostname",
"files domain",
"files related",
"pulses otx",
"pulses",
"unknown aaaa",
"unknown ns",
"united states",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"a domains",
"search",
"germany unknown",
"win32",
"lowfi",
"chrome",
"susp",
"trojan",
"backdoor",
"twitter",
"virtool",
"worm",
"exploit",
"trojandropper",
"win32upatre dec",
"mtb dec",
"reverse dns",
"body",
"location united",
"asn as14618",
"less whois",
"files show",
"date hash",
"avast avg",
"initial access",
"javascript",
"root",
"enterprise",
"form",
"desktop",
"command decode",
"suricata ipv4",
"spycloud",
"robots",
"bots",
"chatbot",
"bot network",
"spy",
"mixb",
"a2fryx",
"therahand",
"typosquating"
],
"references": [
"https://www.red-gate.com/products/smartassembly",
"spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud",
"https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=",
"https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0",
"dasima-containers.palantirfoundry.com \u2022 blitzrobots.com",
"https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com",
"https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY",
"www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/",
"https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3",
"Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-",
"Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Unix.Dropper.Mirai-7135870-0",
"display_name": "Unix.Dropper.Mirai-7135870-0",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1127",
"name": "Trusted Developer Utilities Proxy Execution",
"display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1416",
"name": "URI Hijacking",
"display_name": "T1416 - URI Hijacking"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1116",
"name": "Code Signing",
"display_name": "T1116 - Code Signing"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 341,
"FileHash-SHA1": 343,
"FileHash-SHA256": 1332,
"domain": 1062,
"hostname": 1967,
"URL": 5699,
"email": 10,
"SSLCertFingerprint": 21,
"CVE": 1
},
"indicator_count": 10776,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "122 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6951f52a5af00a9be445ad41",
"name": "Mirai - HoneyPot | Pegasus | Therahand HoneyPot Bot Network",
"description": "A HoneyPot Bot Network created to protect a criminal who worked for a company formerly known as Therahand Wellness. This company employed an unquestioned but admittedly guilty SA\u2019r. | Name tactics used in an attempt to draw in victims to leave truthful negative reviews about Jeffrey Reimer | The website is extremely malicious. NSO Pegasus & Palantir relationship.\n\nWhat a pity there is no work done in the state of Colorado to convict medical unprofessionals unless they are poor assistants , Latin, African American or , Native. | Colorado has a known race issue. \n\nColorado ranks poor for getting rape kits tested.\nPoor possibly outranking Baltimore,MD in police brutality. \nPoor at solving it attempting to solve crimes. Law enforcement literally collects paper, evidence and turns evidence away at times. \n\nThis system allows the actual criminal\nto track victim.\nIf he wants to be the victim of this crime against persons let him be. \n\n *Pegasus & Israel and 99% of all tags auto populated by OTX.",
"modified": "2026-01-28T02:03:16.337000",
"created": "2025-12-29T03:27:38.183000",
"tags": [
"no expiration",
"expiration",
"url http",
"url https",
"iocs",
"enter source",
"url or",
"name servers",
"a domains",
"accept encoding",
"urls",
"emails",
"servers",
"url add",
"http",
"files domain",
"files related",
"related tags",
"united",
"gmt contenttype",
"ipv4 add",
"url analysis",
"files",
"present dec",
"cname",
"virtool",
"cryp",
"ip address",
"trojan",
"win32",
"therahand",
"jeffrey reimer",
"reimer dpt",
"msie",
"chrome",
"unknown ns",
"unknown cname",
"record value",
"accept",
"encrypt",
"passive dns",
"moved",
"wp engine",
"meta",
"wordpress",
"pegasus",
"america flag",
"america asn",
"reverse dns",
"flag",
"bad traffic",
"et info",
"tls handshake",
"failure",
"analysis",
"tor analysis",
"dns requests",
"united states",
"hostname",
"pulse submit",
"domain",
"files ip",
"eva lisa",
"eva reimer",
"all ipv4",
"dynamic_content",
"fingerprinting",
"size",
"pattern match",
"mitre att",
"ck id",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"status",
"hostname add",
"evasion",
"proximity",
"pulse pulses",
"address",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"defense evasion",
"command",
"initial access",
"spawns",
"present mar",
"present jun",
"title",
"windows nt",
"wow64",
"slcc2",
"media center",
"data recovery",
"ms windows",
"process32nextw",
"intel",
"pe32",
"format",
"mozilla",
"installcapital",
"generic",
"write",
"unknown",
"malware",
"next",
"installer",
"template",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"script script",
"pragma",
"port",
"destination",
"binbusybox",
"high",
"post",
"icmp traffic",
"dns query",
"newstatusurl",
"mirai",
"prefetch8",
"ck matrix",
"localappdata",
"info",
"ssl certificate",
"czech republic",
"prefetch1",
"prefetch2",
"israel israel",
"analysis tip",
"href",
"ascii text",
"null",
"refresh",
"span",
"iframe",
"error",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"beginstring",
"windir",
"openurl c",
"programfiles",
"related nids",
"files location",
"flag united",
"dynamicloader",
"medium",
"named pipe",
"win64",
"download",
"delphi",
"smartassembly",
"m. brian sabey",
"quasi government",
"no such agency",
"facebook",
"search",
"date",
"showing",
"ukraine",
"\u2018buzz\u2019",
"alex karp",
"peter theil",
"elon musk",
"ff d5",
"yara rule",
"ee fc",
"generic http",
"exe upload",
"f0 ff",
"eb e1",
"ff bb",
"show process",
"sha1",
"sub domain",
"show technique",
"network traffic",
"class",
"starfield",
"cyber crime",
"yara detections",
"top source",
"top destination",
"source source",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"alerts",
"show",
"dock",
"execution",
"present feb",
"value",
"content type",
"mirai",
"sha256",
"body",
"gmt content",
"ddos",
"mtb sep",
"hosting",
"domain robot",
"expiration date",
"welcome",
"apple",
"christopher p. ahmann",
"tsara",
"monitored target",
"github https",
"github",
"smart assembly",
"red hat",
"hackers",
"google"
],
"references": [
"https://therahand.com",
"www.socialimages.reputationdatabase.com",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"BinBusyBox: 0x.un5t48l3.host",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"AS24961 MyLoc Managed IT AG",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"https://www.red-gate.com/products/smartassembly",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"Colorado maintains a public-facing police misconduct database via the state's",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!"
],
"public": 1,
"adversary": "NSO Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FakeAV.FOR",
"display_name": "FakeAV.FOR",
"target": null
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "Win.Trojan.Agent-306281",
"display_name": "Win.Trojan.Agent-306281",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator.KI",
"display_name": "VirTool:Win32/Obfuscator.KI",
"target": "/malware/VirTool:Win32/Obfuscator.KI"
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "ELF:Gafgyt-DZ\\ [Trj]",
"display_name": "ELF:Gafgyt-DZ\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Mirai-5607483-0",
"display_name": "Unix.Trojan.Mirai-5607483-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1036.005",
"name": "Match Legitimate Name or Location",
"display_name": "T1036.005 - Match Legitimate Name or Location"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 523,
"FileHash-SHA1": 402,
"FileHash-SHA256": 2165,
"URL": 4953,
"domain": 1118,
"hostname": 1951,
"email": 12,
"SSLCertFingerprint": 52,
"CVE": 2
},
"indicator_count": 11178,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "123 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6949930871afea435a774daa",
"name": "HomeASAP | Emotet CnC Activity - Bot Network",
"description": "https://HomeASAP.com is affected by Emotet CnC Activity. While I\u2019ve never heard of this app , I receive a tip re: infected devices I\u2019m currently researching and the infected search result from infected search engine. \n\nDevices infected with Pegasus and other more stealth than Pegasus, undetectable (for now) services. .",
"modified": "2026-01-21T18:00:43.637000",
"created": "2025-12-22T18:50:48.514000",
"tags": [
"per7cgvxw6k8m",
"right",
"left",
"zqwfztj",
"luptdaizzl",
"qchrk",
"brkzmji",
"igpsfvjnu",
"ibwavcm",
"uwlusjb",
"false",
"template",
"malware",
"win64",
"project",
"write",
"number",
"thu sep",
"yara detections",
"none alerts",
"contacted",
"less",
"related tags",
"title",
"emotet cnc activity",
"brian sabey",
"traps",
"christopher p. ahmann",
"united",
"czech republic",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"belgium belgium",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"ssl certificate",
"spawns",
"botnet",
"network",
"bad traffic",
"malicious email",
"pattern match",
"mitre att",
"show technique",
"ck matrix",
"ogoogle trust",
"file",
"show process",
"hybrid",
"general",
"local",
"path",
"encrypt",
"click",
"pe",
"executable"
],
"references": [
"https://about.homeasap.com",
"Bot network",
"\"vgkw.maillist-manage.com\" is probably a mail server",
"IDS Detections: Win32/Emotet CnC Activity (POST) M10",
"Suspicious EXE download from WordPress folder",
"PE EXE or DLL Windows file download HTTP",
"Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download EXE - Served Attached HTTP"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Doc.Trojan.Agent-9765752-0",
"display_name": "Doc.Trojan.Agent-9765752-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
}
],
"attack_ids": [
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1087.003",
"name": "Email Account",
"display_name": "T1087.003 - Email Account"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1560,
"domain": 426,
"hostname": 655,
"FileHash-SHA1": 21,
"email": 1,
"FileHash-SHA256": 598,
"FileHash-MD5": 20,
"SSLCertFingerprint": 18,
"CVE": 2
},
"indicator_count": 3301,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "129 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "691f4d4ef0a2a570b8b21cd2",
"name": "Chris P. Ahmann Colorado State Criminal Defense Attorney",
"description": "Chris P. Ahmann Colorado State Criminal Defense attorney hired by quasi government Workers Compensation to completely destroy Tsara Brashears literally to death. None of her spinal cord injuries , and other assault injuries discussed or compensated for in rushed settlement case. Her awful racist attorney refused to represent plaintiffs in hearing. Never met with in person for no good reason. Tsara represented herself. Less that 24 hour notice. No briefings, no awareness or mention that Ahmann was representing Jeffrey Scott Reimer for assault\n case. Brashears required 24 hour care by end of life. Received 0 workers compsarion payments. But if this doesn\u2019t prove Reimer\u2019s guilt what does? Continued harassment of associated. \n\nNotice the outages? You\u2019ve cost BILLIONS? Stop threatening everyone.",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-11-20T17:18:06.929000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "130 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69482caa00d327da8f0a87bc",
"name": "Chris P.\u2019 Buzz\u2019 Ahmann Colorado State Criminal Defense Attorney (22.20.2025)",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-12-21T17:21:46.434000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "130 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "695557ee134b978b00883c29",
"name": "Chris P. Ahmann \u2022 Stay out of PRIVATE PROPERTY HITMAN! Colorado State",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-12-31T17:05:50.134000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "130 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69631fbd16e306ee2b76c4da",
"name": "Chris P. Ahmann \u2022 STAY Away!f PRIVATE PROPERTY Colorado State Fixer!",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2026-01-11T03:57:49.242000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "695557ee134b978b00883c29",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "130 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6935c92c5fc93fd873c6aa6d",
"name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)",
"description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727",
"modified": "2026-01-06T18:04:02.620000",
"created": "2025-12-07T18:36:28.055000",
"tags": [
"memcommit",
"read c",
"t1082",
"cryptexportkey",
"invalid pointer",
"write",
"msil",
"malware",
"media",
"autorun",
"countries",
"united",
"america",
"high defense",
"evasion",
"t1055",
"ck technique",
"technique id",
"allocates",
"potential code",
"attempts",
"threatintel",
"dark web",
"coinbasecartel",
"ransomware",
"osint",
"tor",
"data breach",
"cinvestav",
"ai generated",
"ransomware leak",
"page",
"november",
"investigacin y",
"nacional",
"mexican",
"mexico",
"present nov",
"verdana",
"td tr",
"passive dns",
"ip address",
"urls",
"aaaa",
"present may",
"present oct",
"present jul",
"virtool",
"present sep",
"present jun",
"win32",
"default",
"unicode",
"png image",
"rgba",
"high",
"dock",
"execution",
"xport",
"unknown",
"data upload",
"extraction",
"will",
"data",
"name cloudflare",
"hostmaster name",
"org cloudflare",
"townsend st",
"city san",
"us creation",
"kelihos",
"ipv4",
"present dec",
"files",
"domain",
"search",
"hostname",
"verdict",
"location united",
"asn as16625",
"akamai",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results nov",
"present aug",
"backdoor",
"msie",
"chrome",
"trojan",
"mtb aug",
"worm",
"cryp",
"junkpoly",
"twitter",
"trojandropper",
"title",
"germany unknown",
"ipv4 add",
"pulse pulses",
"hosting",
"reverse dns",
"cologne",
"search engine",
"gse compromised",
"redacted for",
"privacy admin",
"privacy tech",
"server",
"organization",
"street",
"city",
"stateprovince",
"postal code",
"country",
"resolver domain",
"cape sa",
"virustot",
"type pdf",
"name",
"lookups",
"email abuse",
"historical ssl",
"certificates",
"first",
"graph summary",
"cname",
"address",
"ip2location",
"bogon ip",
"admin",
"network",
"wifi password",
"ssid",
"demo",
"details",
"failed",
"include review",
"exclude sugges",
"onlv",
"x try",
"find s",
"typ url",
"url data",
"severity att",
"module load",
"icmp traffic",
"dns query",
"t1055 jseval",
"windows nt",
"port",
"entries",
"destination",
"medium",
"show",
"pecompact",
"june",
"service",
"next",
"xserver",
"encrypt",
"t1129",
"windows module",
"dlls",
"convention",
"windows native"
],
"references": [
"Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS",
"Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"hallplan.vm05.iveins.de",
"https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c",
"Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx",
"Name : iveins.de Service : connect",
"https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com",
"phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com",
"https://otx.alienvault.com/indicator/cve/CVE-2025-11727"
],
"public": 1,
"adversary": "COINBASECARTEL",
"targeted_countries": [
"United States of America",
"Sweden",
"Bangladesh",
"Japan"
],
"malware_families": [
{
"id": "Trojan:Win32/Tiggre!rfn",
"display_name": "Trojan:Win32/Tiggre!rfn",
"target": "/malware/Trojan:Win32/Tiggre!rfn"
},
{
"id": "MSIL:Agent-DQ\\ [Trj]",
"display_name": "MSIL:Agent-DQ\\ [Trj]",
"target": null
},
{
"id": "VirTool:MSIL/Covent.A",
"display_name": "VirTool:MSIL/Covent.A",
"target": "/malware/VirTool:MSIL/Covent.A"
},
{
"id": "Trojan:Win32/Pynamer!rfn",
"display_name": "Trojan:Win32/Pynamer!rfn",
"target": "/malware/Trojan:Win32/Pynamer!rfn"
},
{
"id": "Win64:TrojanX",
"display_name": "Win64:TrojanX",
"target": null
},
{
"id": "VirTool:MSIL/Covent",
"display_name": "VirTool:MSIL/Covent",
"target": "/malware/VirTool:MSIL/Covent"
},
{
"id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "Kelihos",
"display_name": "Kelihos",
"target": null
},
{
"id": "CVE-2025-11727",
"display_name": "CVE-2025-11727",
"target": null
},
{
"id": "Exploit:JS/CVE-2014-0322",
"display_name": "Exploit:JS/CVE-2014-0322",
"target": "/malware/Exploit:JS/CVE-2014-0322"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
}
],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 144,
"FileHash-SHA1": 117,
"FileHash-SHA256": 1746,
"URL": 5018,
"hostname": 1827,
"domain": 1072,
"CVE": 3,
"email": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9938,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692d02f096f3ec8b5b507496",
"name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace",
"description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.",
"modified": "2025-12-31T02:01:50.101000",
"created": "2025-12-01T02:52:32.483000",
"tags": [
"business",
"enterprise",
"drive",
"english",
"google drive",
"try drive",
"business small",
"workspace",
"sign",
"strong",
"find",
"life",
"tools",
"protect",
"cloud",
"simple",
"android",
"indonesia",
"video",
"mb download",
"shared may",
"shared",
"learn",
"drive drive",
"name date",
"javascript",
"dynamicloader",
"medium",
"minimal headers",
"high",
"observed get",
"get http",
"united",
"yara rule",
"http",
"write",
"guard",
"malware",
"read c",
"ms windows",
"intel",
"png image",
"rgba",
"pe32",
"get na",
"explorer",
"music",
"virlock",
"media",
"ho chi",
"minh city",
"viet nam",
"storage company",
"limited",
"google",
"address as",
"luutruso",
"cloudflar",
"domain",
"asn15169",
"asn56153",
"asn13335",
"cisco",
"umbrella rank",
"apex domain",
"url https",
"kb stylesheet",
"kb font",
"kb image",
"image",
"kb script",
"november",
"resource path",
"size",
"type mimetype",
"primary request",
"redirect chain",
"kb document",
"urls",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"t1590 gather",
"windir",
"openurl c",
"prefetch2",
"tor analysis",
"dns requests",
"domain address",
"rsdsq jfu",
"ollydbg ollydbg",
"wireshark",
"external",
"binary file",
"mitre att",
"ck matrix",
"aaaa",
"cong ty",
"co phan",
"code",
"province hcm",
"files",
"ip address",
"request",
"flag",
"country",
"contacted hosts",
"process details",
"link initial",
"t1480 execution",
"domains",
"moved",
"gmt content",
"all ipv4",
"url analysis",
"location viet",
"title",
"error",
"problem",
"url add",
"related nids",
"files location",
"flag united",
"development att",
"name server",
"markmonitor",
"localappdata",
"programfiles",
"edge",
"hyundai",
"social engineering",
".mil",
"hackers",
"phishing eml",
"summary",
"cisco umbrella",
"google safe",
"browsing",
"current dns",
"a record",
"ip information",
"ipasns ip",
"detail domain",
"domain tree",
"links apex",
"transfer",
"b script",
"b stylesheet",
"frame b830",
"b document",
"value",
"december",
"degurafregistry",
"gat object",
"jsl object",
"gapijstiming",
"iframe function",
"domainpath name",
"nid value",
"source level",
"files domain",
"files related",
"tags",
"related tags",
"virustotal",
"foundry",
"pulse otx",
"dark",
"vietnam",
"present aug",
"present nov",
"present jul",
"present sep",
"unknown aaaa",
"search",
"name servers",
"present oct",
"trojan",
"data upload",
"extraction",
"se https",
"include review",
"exclude sugges",
"find s",
"failed",
"typ don",
"faith",
"study",
"romeo\u2019s",
"juliettes",
"femme fatales",
"strategy",
"honey pot",
"honey traps",
"spy",
"helix",
"anons",
"passive dns",
"pulse pulses",
"files ip",
"address",
"location united",
"asn as400519",
"whois registrar",
"ms defender",
"files matching",
"number",
"sample analysis",
"hide samples",
"date hash",
"cameras",
"cams",
"spycam",
"botnet",
"vietnam",
"company limited",
"dnssec",
"status",
"india unknown",
"present may",
"espionage",
"hostname add",
"generic",
"cnc activity",
"backdoor",
"ipv4",
"anonsecbotnet",
"iptv"
],
"references": [
"drive.google.com/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"zalo.me | href | Binary File | ATT&CK ID T1566.002",
"https://account.helix.com/activate/start",
"anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022",
"https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]",
"Terse Unencrypted Request for Google - Likely Connectivity Check",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6",
"cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com",
"https://hyundaibariavungtau3s.com/vehicle/stargazer",
"https://hyundaibariavungtau3s.com/vehicle/ioniq-5",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade",
"https://hyundaibariavungtau3s.com/vehicle/hyundai-custin",
"https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/",
"https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com",
"https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com",
"http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/",
"http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466",
"https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam",
"feedback-pa.clients6.google.com/v1/survey/trigger/",
"https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg",
"anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Virus.Virlock-6804475-0",
"display_name": "Win.Virus.Virlock-6804475-0",
"target": null
},
{
"id": "Win.Malware.Bzub-6727003-0",
"display_name": "Win.Malware.Bzub-6727003-0",
"target": null
},
{
"id": "Win.Trojan.Generic-9801687-0",
"display_name": "Win.Trojan.Generic-9801687-0",
"target": null
},
{
"id": "NID",
"display_name": "NID",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Trojan:Win32/Floxif.E",
"display_name": "Trojan:Win32/Floxif.E",
"target": "/malware/Trojan:Win32/Floxif.E"
},
{
"id": "Win.Dropper.njRAT-10015886-0",
"display_name": "Win.Dropper.njRAT-10015886-0",
"target": null
},
{
"id": "Win.Packed.Generic-9795615-0",
"display_name": "Win.Packed.Generic-9795615-0",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AJ GC!",
"display_name": "Backdoor:MSIL/Bladabindi.AJ GC!",
"target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!"
},
{
"id": "Win.Packed.Generic-9795615-0\t.",
"display_name": "Win.Packed.Generic-9795615-0\t.",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AJ",
"display_name": "Backdoor:MSIL/Bladabindi.AJ",
"target": "/malware/Backdoor:MSIL/Bladabindi.AJ"
},
{
"id": "Win.Packed.Fecn-7077459-0",
"display_name": "Win.Packed.Fecn-7077459-0",
"target": null
},
{
"id": "Trojan:MSIL/Ranos.A",
"display_name": "Trojan:MSIL/Ranos.A",
"target": "/malware/Trojan:MSIL/Ranos.A"
},
{
"id": "Win.Trojan.Generic-6417450-0",
"display_name": "Win.Trojan.Generic-6417450-0",
"target": null
},
{
"id": "ALF:Backdoor:MSIL/Noancooe.KA",
"display_name": "ALF:Backdoor:MSIL/Noancooe.KA",
"target": null
},
{
"id": "Win.Packed.Msilperseus-9956592-0",
"display_name": "Win.Packed.Msilperseus-9956592-0",
"target": null
},
{
"id": "Trojan:MSIL/ClipBanker",
"display_name": "Trojan:MSIL/ClipBanker",
"target": "/malware/Trojan:MSIL/ClipBanker"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1039",
"name": "Data from Network Shared Drive",
"display_name": "T1039 - Data from Network Shared Drive"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1567.002",
"name": "Exfiltration to Cloud Storage",
"display_name": "T1567.002 - Exfiltration to Cloud Storage"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1911,
"hostname": 714,
"FileHash-SHA256": 1304,
"FileHash-MD5": 159,
"FileHash-SHA1": 71,
"SSLCertFingerprint": 2,
"domain": 421,
"CVE": 1,
"email": 4
},
"indicator_count": 4587,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "151 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687992eceac6f12e9cebd65f",
"name": "Operation Endgame | ThreatIntelligence | Pegasus | Mirai | Berbew | Emotet",
"description": "Operation Endgame - Mass spying on civilians suspected of involvement in illegal activity. This spying can last for years. Law enforcement and intelligence agencies use infrastructures from Google, Bing, Apple, Amazon, Coudflare, Microsoft, among other companies. Traffic can be masked in DNS and encrypted connections to go undetected. It is recommended to abandon closed-source services and software and opt for fully open-source software and install a powerful firewall. The use of a secure VPN is recommended. \nThere may be repeated indicators and some false positives due to the nature of the threats. We are working to eliminate duplicate entries and false positives. Check the comment box for important notifications. Follow our Telegram channel: @PrivacyNotACrime",
"modified": "2025-12-28T19:04:27.449000",
"created": "2025-07-18T00:18:50.968000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": null,
"export_count": 375,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 7,
"follower_count": 0,
"vote": 0,
"author": {
"username": "privacynotacrime",
"id": "349346",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 123,
"modified_text": "153 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "690e8b773dc39921d88abd44",
"name": "Nanocore - Affected",
"description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|",
"modified": "2025-12-07T23:02:29.645000",
"created": "2025-11-08T00:14:47.600000",
"tags": [
"hgnvastlaiz",
"read c",
"medium",
"rgba",
"memcommit",
"delete",
"png image",
"unicode",
"dock",
"execution",
"malware",
"crlf line",
"speichermedium",
"productversion",
"fileversion",
"engine dll",
"internalname",
"einstellungen",
"comodo ca",
"limited st",
"yara detections",
"next pe",
"eula",
"policy",
"direct",
"opencandy",
"suspicious_write_exe",
"network_icmp",
"process_martian",
"present jun",
"present jul",
"domain",
"united",
"ip address",
"unknown ns",
"ms windows",
"intel",
"verisign",
"time stamping",
"unknown",
"class",
"write",
"markus",
"temple",
"msie",
"windows nt",
"get http",
"lehash",
"av detections",
"ids detections",
"alerts",
"file score",
"low risk",
"compromised_site_redirector_fromcharcode",
"present aug",
"passive dns",
"all ipv4",
"urls",
"files",
"hosting",
"america flag",
"win32",
"ipv4 add",
"signed file, valid signature. revoked.",
"united states",
"pws",
"atros",
"fiha",
"search",
"entries",
"present oct",
"next associated",
"show",
"high",
"wow64",
"slcc2",
"next",
"domain add",
"poland",
"poland unknown",
"ipv4",
"location poland",
"poland asn",
"et policy",
"pe exe",
"dll windows",
"amazon s3",
"location united",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"results feb",
"nanocore",
"url add",
"http",
"related nids",
"files location",
"flag united",
"malicious image",
"files domain",
"files related",
"pulses otx",
"related tags",
"resources whois",
"virustotal",
"present sep",
"status",
"present nov",
"present mar",
"trojan",
"script script",
"div div",
"link",
"a li",
"meta",
"sweden",
"invalid url",
"head title",
"title head",
"reference",
"bad request",
"server",
"netherlands",
"creation date",
"date",
"running server",
"ahmann",
"christopher",
"p",
"tam",
"legal",
"treece",
"alfrey",
"muscat",
"adversaries",
"cyber crime",
"quasi",
"government"
],
"references": [
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"www.opencandy.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"Yara Detections : compromised_site_redirector_fromcharcode",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Nanocore-5",
"display_name": "Win.Trojan.Nanocore-5",
"target": null
},
{
"id": "Win.Trojan.Adinstall-2",
"display_name": "Win.Trojan.Adinstall-2",
"target": null
},
{
"id": "PSW.Generic13",
"display_name": "PSW.Generic13",
"target": null
},
{
"id": "Atros.UPK",
"display_name": "Atros.UPK",
"target": null
},
{
"id": "Luhe.Fiha.A",
"display_name": "Luhe.Fiha.A",
"target": null
},
{
"id": "Pua.Optimizerpro/PCOptimizerPro",
"display_name": "Pua.Optimizerpro/PCOptimizerPro",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 753,
"FileHash-SHA1": 622,
"FileHash-SHA256": 4336,
"URL": 2448,
"domain": 300,
"hostname": 788,
"CVE": 1,
"email": 4
},
"indicator_count": 9252,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "174 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6906bd99cadbd4140014c6af",
"name": "Espionage - Gravity RAT + | Legal entities are State owned. Attacking severely injured PT\u2019s SA victim.",
"description": "Fastly CDN for Palantir (Verizon) unless updated. Very malicious IoC\u2019s found evaluating IoC\u2019 from Christopher Ahmann - TAM Legal link.\n- Made contact with victim several times.\n- Illegal contact made with attorneys considering representing Tsara. \n- https://unicef.se/assets/apple - link related to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage.\n\nAhmann is named as special counsel but he , like Brian Sabey are \u2018ONLY\u2019 cyber attacking Tsara Brashears.\n\n- protecting Jeffrey Reimer DPT, multiple doctors, Concentra, blocked and denied care , hired a hitman/men and it would have. Even cheaper to pay her for the injuries she never sought compensation for due to aggressive attacks and threats.",
"modified": "2025-12-02T01:05:30.331000",
"created": "2025-11-02T02:10:33.546000",
"tags": [
"ipv4",
"active related",
"trojandropper",
"mtb jun",
"lowfi",
"trojan",
"mtb jan",
"fastly error",
"please",
"united",
"ttl value",
"get na",
"total",
"delete",
"search",
"yara detections",
"sinkhole cookie",
"value snkz",
"write",
"suspicious",
"ransom",
"malware",
"Ransom.Win32.Birele.gsg Checkin",
"AnubisNetworks Sinkhole Cookie Value Snkz",
"Possible Compromised Host",
"dynamicloader",
"delete c",
"default",
"medium",
"write c",
"settingswpad",
"intel",
"ms windows",
"users",
"number",
"title",
"installer",
"top source",
"top destination",
"source source",
"port",
"filehash",
"av detections",
"ids detections",
"yara rule",
"gravityrat",
"detectvm",
"x00 x00",
"x00x00",
"doviacmd",
"rootjob",
"getfiles",
"updateserver",
"ethernetid",
"ids signatures",
"exploits",
"sid name",
"malware cve",
"dns query",
"dnsbin demo",
"data exfil",
"exif data",
"DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr",
"DNSBin Demo (requestbin .net) - Data Exfitration",
"source port",
"destination",
"present sep",
"script urls",
"script script",
"a domains",
"script domains",
"ip address",
"meta",
"present nov",
"passive dns",
"next associated",
"domain add",
"pe executable",
"entries",
"show",
"msie",
"windows nt",
"wow64",
"copy",
"present jan",
"present feb",
"domain",
"pulse pulses",
"urls",
"files",
"tam legal",
"christopher ahmann",
"https://unicef.se/assets/apple",
"treece alfrey",
"hours ago",
"information",
"report spam",
"ahmann colorado",
"state",
"special cousel",
"created",
"expiro",
"capture"
],
"references": [
"Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN",
"Fastly Error and Palantir blocked several times over the last few months.",
"Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)",
"IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.",
"Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN",
"Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT",
"Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName",
"Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage",
"https://unicef.se/assets/apple"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/Neconyd.A",
"display_name": "Trojan:Win32/Neconyd.A",
"target": "/malware/Trojan:Win32/Neconyd.A"
},
{
"id": "PWS:Win32/QQpass.FC",
"display_name": "PWS:Win32/QQpass.FC",
"target": "/malware/PWS:Win32/QQpass.FC"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Malware.Urelas-9863836-0",
"display_name": "Win.Malware.Urelas-9863836-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Win.Trojan.Vundo-7170412-0",
"display_name": "Win.Trojan.Vundo-7170412-0",
"target": null
},
{
"id": "#Lowfi:SuspiciousSectionName",
"display_name": "#Lowfi:SuspiciousSectionName",
"target": null
},
{
"id": "Multiple Malware\u2019s , Trojans and Rats",
"display_name": "Multiple Malware\u2019s , Trojans and Rats",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 909,
"domain": 449,
"hostname": 1403,
"URL": 3552,
"CIDR": 1,
"FileHash-MD5": 242,
"FileHash-SHA1": 185,
"email": 1
},
"indicator_count": 6742,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "180 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f9288e0d98f3b44c2cb90c",
"name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety",
"description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]",
"modified": "2025-11-21T18:02:11.054000",
"created": "2025-10-22T18:55:10.527000",
"tags": [
"server nginx",
"date fri",
"etag w",
"urls",
"passive dns",
"acceptranges",
"contentlength",
"date thu",
"gmt expires",
"server",
"code",
"link",
"script script",
"south africa",
"ipv4",
"files",
"location south",
"accept",
"present aug",
"certificate",
"hostname add",
"domain",
"files ip",
"unknown a",
"script urls",
"ip address",
"unknown soa",
"unknown ns",
"reverse dns",
"africa flag",
"asn as16637",
"dns resolutions",
"domains top",
"level",
"unique tld",
"related pulses",
"tags none",
"indicator facts",
"title",
"ipv4 add",
"opinion",
"netacea",
"lockbit",
"wannacry attack",
"nhs trusts",
"council",
"uk government",
"protect",
"cni safe",
"acls",
"praio",
"prink",
"prsc",
"prla",
"lg2en",
"cti98",
"search",
"seiko epson",
"corporation",
"arc file",
"malware",
"delete c",
"default",
"show",
"write",
"next",
"unknown",
"united",
"tlsv1",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"as15169",
"port",
"execution",
"dock",
"capture",
"persistence",
"yara detections",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"cabinet archive",
"microsoft",
"read c",
"dynamicloader",
"medium",
"ltda me",
"high",
"write c",
"entries",
"checks",
"delphi",
"win32",
"url pulse",
"data upload",
"extraction",
"find suggested",
"type",
"domain hostname",
"url add",
"http",
"related nids",
"files location",
"ireland flag",
"files domain",
"chrome",
"ireland unknown",
"pulse submit",
"url analysis",
"body",
"date",
"status",
"name servers",
"creation date",
"expiration date",
"flag united",
"destination",
"systemdrive",
"html document",
"crlf line",
"updater",
"copy",
"unknown aaaa",
"moved",
"domain add",
"extri data",
"enter sc",
"extr include",
"review exclude",
"sugges",
"present jul",
"saudi arabia",
"present mar",
"present oct",
"present jun",
"present feb",
"present nov",
"present may",
"eeee",
"eeeeeee",
"eeeeee",
"eefe",
"ebeee",
"ee eme",
"eeheee",
"eeefee e",
"eeeee e",
"vmprotect",
"push",
"local",
"defender",
"regsetvalueexa",
"utf8 unicode"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lockbit",
"display_name": "Lockbit",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"target": null
},
{
"id": "Other Dangerous Malware",
"display_name": "Other Dangerous Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1561",
"name": "Disk Wipe",
"display_name": "T1561 - Disk Wipe"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Oil"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 648,
"hostname": 1604,
"FileHash-SHA256": 1826,
"URL": 4153,
"FileHash-MD5": 102,
"FileHash-SHA1": 60,
"SSLCertFingerprint": 18,
"CVE": 2,
"email": 5
},
"indicator_count": 8418,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "190 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f93b1cebf80f48450bd517",
"name": "Yuner - File deletion and Disk Wiping / Cyberstalking ",
"description": "",
"modified": "2025-11-21T18:02:11.054000",
"created": "2025-10-22T20:14:20.632000",
"tags": [
"server nginx",
"date fri",
"etag w",
"urls",
"passive dns",
"acceptranges",
"contentlength",
"date thu",
"gmt expires",
"server",
"code",
"link",
"script script",
"south africa",
"ipv4",
"files",
"location south",
"accept",
"present aug",
"certificate",
"hostname add",
"domain",
"files ip",
"unknown a",
"script urls",
"ip address",
"unknown soa",
"unknown ns",
"reverse dns",
"africa flag",
"asn as16637",
"dns resolutions",
"domains top",
"level",
"unique tld",
"related pulses",
"tags none",
"indicator facts",
"title",
"ipv4 add",
"opinion",
"netacea",
"lockbit",
"wannacry attack",
"nhs trusts",
"council",
"uk government",
"protect",
"cni safe",
"acls",
"praio",
"prink",
"prsc",
"prla",
"lg2en",
"cti98",
"search",
"seiko epson",
"corporation",
"arc file",
"malware",
"delete c",
"default",
"show",
"write",
"next",
"unknown",
"united",
"tlsv1",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"as15169",
"port",
"execution",
"dock",
"capture",
"persistence",
"yara detections",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"cabinet archive",
"microsoft",
"read c",
"dynamicloader",
"medium",
"ltda me",
"high",
"write c",
"entries",
"checks",
"delphi",
"win32",
"url pulse",
"data upload",
"extraction",
"find suggested",
"type",
"domain hostname",
"url add",
"http",
"related nids",
"files location",
"ireland flag",
"files domain",
"chrome",
"ireland unknown",
"pulse submit",
"url analysis",
"body",
"date",
"status",
"name servers",
"creation date",
"expiration date",
"flag united",
"destination",
"systemdrive",
"html document",
"crlf line",
"updater",
"copy",
"unknown aaaa",
"moved",
"domain add",
"extri data",
"enter sc",
"extr include",
"review exclude",
"sugges",
"present jul",
"saudi arabia",
"present mar",
"present oct",
"present jun",
"present feb",
"present nov",
"present may",
"eeee",
"eeeeeee",
"eeeeee",
"eefe",
"ebeee",
"ee eme",
"eeheee",
"eeefee e",
"eeeee e",
"vmprotect",
"push",
"local",
"defender",
"regsetvalueexa",
"utf8 unicode"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lockbit",
"display_name": "Lockbit",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"target": null
},
{
"id": "Other Dangerous Malware",
"display_name": "Other Dangerous Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1561",
"name": "Disk Wipe",
"display_name": "T1561 - Disk Wipe"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Oil"
],
"TLP": "green",
"cloned_from": "68f9288e0d98f3b44c2cb90c",
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 648,
"hostname": 1604,
"FileHash-SHA256": 1826,
"URL": 4153,
"FileHash-MD5": 102,
"FileHash-SHA1": 60,
"SSLCertFingerprint": 18,
"CVE": 2,
"email": 5
},
"indicator_count": 8418,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "190 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68d3caa9524bb6b5460615f3",
"name": "Legacy.Trojan affects threat researchers networks & portals and/or platforms",
"description": "Legacy.Trojan affects threat researchers networks & portals and/or platforms or via platforms as a medium.\n[otx auto populated: Adversaries may be able to gain access to a victim's network through a range of techniques, as well as using a variety of other techniques to evade detection and detection.]\n#honeypot #capture #advesaries #fireeye #github",
"modified": "2025-10-24T10:01:25.310000",
"created": "2025-09-24T10:40:40.987000",
"tags": [
"text drag",
"browse to",
"select file",
"or drop",
"yara detections",
"runlevel",
"av detections",
"ids detections",
"alerts",
"analysis date",
"inject",
"stncphpphp more",
"virustotal api",
"comments",
"related tags",
"passive dns",
"republic",
"ipv4 add",
"location korea",
"korea",
"asn as9318",
"dns resolutions",
"pulses otx",
"close",
"dynamicloader",
"backdoor",
"tgt session",
"reads",
"dynamic",
"write",
"chopper",
"pho exploit",
"backdoor",
"fireeye",
"low risk",
"drop",
"create snapshot",
"hangover_appinbot",
"kns dropper",
"self",
"md5 sha256",
"google safe",
"browsing",
"server response",
"response code",
"vary",
"mimikatz",
"silence malware",
"trojanagent",
"legacy",
"password",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"initial access",
"defense evasion",
"spawns",
"copy md5",
"copy sha1",
"copy sha256",
"selection",
"ascii text",
"crlf line",
"windir",
"openurl c",
"appearance code",
"password",
"urlhttps",
"username",
"flag",
"united",
"markmonitor",
"github",
"server",
"date",
"click",
"apt 1",
"high",
"read c",
"search",
"medium",
"show",
"windows",
"cmd c",
"ms windows",
"next",
"copy",
"ver",
"businesseconomy"
],
"references": [
"Files",
"Yara : KINS_dropper , apt_win_mutex_apt1 , Hangover_Fuddol , Hangover_Tymtin_Degrab",
"Yara: Hangover_Smackdown_various , Hangover_Foler , Hangover_UpdateEx ,",
"Yara: Hangover_Smackdown_Downloader , Hangover_Vacrhan_Downloader",
"Yara: HKTL_NATBypass_Dec22_1 , power_pe_injection , Mimikatz_Logfile",
"Yara: Mimikatz_Strings , Silence_malware_2 , EquationGroup_elgingamble , EquationGroup_cmsd",
"Yara: EquationGroup_ebbshave , EquationGroup_eggbasket , EquationGroup_sambal",
"Yara: Mimikatz_Logfile SID : * NTLM : Authentication Id : wdigest : Mimikatz_Strings sekurlsa::logonpasswords"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Ireland"
],
"malware_families": [
{
"id": "Php.Exploit.C99-27",
"display_name": "Php.Exploit.C99-27",
"target": null
},
{
"id": "Backdoor:ASP/Chopper.F!dha",
"display_name": "Backdoor:ASP/Chopper.F!dha",
"target": "/malware/Backdoor:ASP/Chopper.F!dha"
},
{
"id": "Legacy.Trojan.Agent-37025",
"display_name": "Legacy.Trojan.Agent-37025",
"target": null
},
{
"id": "Ver",
"display_name": "Ver",
"target": null
}
],
"attack_ids": [
{
"id": "T1110.001",
"name": "Password Guessing",
"display_name": "T1110.001 - Password Guessing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 87,
"FileHash-SHA1": 84,
"FileHash-SHA256": 1049,
"URL": 1688,
"hostname": 544,
"email": 5,
"domain": 292,
"CVE": 2
},
"indicator_count": 3751,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "219 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68abf66e97031d0ff0c04fed",
"name": "Packed sentient.industries links to a targets business website",
"description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.",
"modified": "2025-09-24T04:04:05.604000",
"created": "2025-08-25T05:36:46.327000",
"tags": [
"moved",
"body",
"x cache",
"cloudfront x",
"cph50 c2",
"certificate",
"record value",
"title",
"h1 center",
"server",
"redacted for",
"servers",
"name redacted",
"for privacy",
"name servers",
"org data",
"privacy city",
"privacy country",
"ca creation",
"passive dns",
"urls",
"files",
"ip address",
"asn as57033",
"less whois",
"registrar",
"tucows domains",
"key identifier",
"data",
"v3 serial",
"number",
"cat ozerossl",
"cnzerossl ecc",
"domain secure",
"site ca",
"validity",
"subject public",
"extraction",
"data upload",
"extra data",
"include review",
"find",
"failed",
"typ no",
"ms windows",
"intel",
"pe32",
"united",
"search",
"as16509",
"from win32bios",
"show",
"high",
"medium",
"delphi",
"copy",
"write",
"launcher",
"next",
"present aug",
"present jul",
"lowfi",
"win32",
"a div",
"div div",
"learn xml",
"babylon",
"win64",
"trojan",
"colors",
"python",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"et info",
"tls handshake",
"bad traffic",
"failure",
"date",
"august",
"hybrid",
"general",
"path",
"starfield",
"click",
"strings",
"se bethseda",
"n bethseda",
"n data",
"error",
"date checked",
"url hostname",
"server response",
"google safe",
"results aug",
"read c",
"tlsv1",
"port",
"destination",
"module load",
"execution",
"dock",
"persistence",
"malware",
"unknown",
"cname",
"aaaa",
"creation date",
"showing",
"domain",
"dga domains",
"palantirfoundry",
"foundry",
"status",
"unknown ns",
"g2 tls",
"rsa sha256",
"italy unknown",
"mtb may",
"trojandropper",
"invalid url",
"next associated",
"ddos",
"body html",
"hacktool",
"ipv4",
"url analysis",
"ukraine",
"encrypt",
"rl add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present jun",
"entries",
"title error",
"all ipv4",
"reverse dns",
"yara detections",
"top source",
"top destination",
"source source",
"sha256 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"canada unknown",
"content type",
"javascript src",
"script script",
"x powered",
"ipv4 add",
"pulse submit",
"submit url",
"analysis",
"url add",
"related nids",
"files location",
"canada flag",
"canada hostname",
"unknown aaaa",
"ascii text",
"user agent",
"powershell",
"agent",
"czechia unknown",
"domain add",
"dynamicloader",
"hostname add",
"pentagon",
"defense"
],
"references": [
"sentient.industries affects independent artists. Affects several others.",
"Bethseda Map - Yara Detections Delphi , InnoSetupInstaller",
"Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions",
"Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook",
"Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files",
"Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware",
"Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers",
"prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022",
"talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com",
"Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty",
"Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html",
"http://link.monetizer101.com/widget/custom-2.0.2/templates/1",
"https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget",
"widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/",
"http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022",
"https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js",
"https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js",
"https://link.monetizer101.com/widget/code/dailystaruk.js",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)",
"Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical",
"(Can't access file- Malware infection files)",
"Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront",
"constellation.pcfrpegaservice.net (Pegasus related? idk)",
"On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service",
"TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]",
"I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post",
"Remotewd.com devices",
"If you find anything interesting please research it."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "nUFS_inno",
"display_name": "nUFS_inno",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/Malicious",
"display_name": "#Lowfi:HSTR:MSIL/Malicious",
"target": null
},
{
"id": "ALF:JASYP:PUA:Win32/Bibado",
"display_name": "ALF:JASYP:PUA:Win32/Bibado",
"target": null
},
{
"id": "Trojan:Win32/Toga",
"display_name": "Trojan:Win32/Toga",
"target": "/malware/Trojan:Win32/Toga"
},
{
"id": "Win32:Downloader-GJK\\ [Trj]",
"display_name": "Win32:Downloader-GJK\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.109205-1",
"display_name": "Win.Downloader.109205-1",
"target": null
},
{
"id": "Custom Malware",
"display_name": "Custom Malware",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Win32:Downloader-GJK\\ [Trj]",
"display_name": "Win32:Downloader-GJK\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.109205-1",
"display_name": "Win.Downloader.109205-1",
"target": null
},
{
"id": "Win.Trojan.Jorik-149",
"display_name": "Win.Trojan.Jorik-149",
"target": null
},
{
"id": "#LowFiDetectsVmWare",
"display_name": "#LowFiDetectsVmWare",
"target": null
},
{
"id": "Win.Trojan.Jorik-130",
"display_name": "Win.Trojan.Jorik-130",
"target": null
},
{
"id": "Win.Trojan.Fakecodecs-119",
"display_name": "Win.Trojan.Fakecodecs-119",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Trojan.Bulz-9860169-0",
"display_name": "Win.Trojan.Bulz-9860169-0",
"target": null
},
{
"id": "Win.Malware.Midie-6847892-0",
"display_name": "Win.Malware.Midie-6847892-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop.V!MTB",
"display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
"target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
},
{
"id": "Win.Packed.Razy-9785185-0",
"display_name": "Win.Packed.Razy-9785185-0",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "PWS",
"display_name": "PWS",
"target": null
},
{
"id": "DDOS:Win32/Stormser.A",
"display_name": "DDOS:Win32/Stormser.A",
"target": "/malware/DDOS:Win32/Stormser.A"
},
{
"id": "ALF:HSTR:DotNET",
"display_name": "ALF:HSTR:DotNET",
"target": null
},
{
"id": "DotNET",
"display_name": "DotNET",
"target": null
},
{
"id": "Script Exploit",
"display_name": "Script Exploit",
"target": null
},
{
"id": "HackTool:Win32/AutoKMS",
"display_name": "HackTool:Win32/AutoKMS",
"target": "/malware/HackTool:Win32/AutoKMS"
},
{
"id": "Xanfpezes.A",
"display_name": "Xanfpezes.A",
"target": null
},
{
"id": "Trojan:Win32/Gandcrab",
"display_name": "Trojan:Win32/Gandcrab",
"target": "/malware/Trojan:Win32/Gandcrab"
},
{
"id": "Win.Trojan.Generic-9862772-0",
"display_name": "Win.Trojan.Generic-9862772-0",
"target": null
},
{
"id": "Trojan:Win32/Zbot.SIBL!MTB",
"display_name": "Trojan:Win32/Zbot.SIBL!MTB",
"target": "/malware/Trojan:Win32/Zbot.SIBL!MTB"
},
{
"id": "Win32/Nemucod",
"display_name": "Win32/Nemucod",
"target": null
},
{
"id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn",
"display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn",
"target": null
},
{
"id": "Trojan:Win32/Blihan.A",
"display_name": "Trojan:Win32/Blihan.A",
"target": "/malware/Trojan:Win32/Blihan.A"
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"target": null
},
{
"id": "Win.Malware.Kolab-9885903-0",
"display_name": "Win.Malware.Kolab-9885903-0",
"target": null
},
{
"id": "Win.Malware (30)",
"display_name": "Win.Malware (30)",
"target": null
},
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/Malicious.Decryption",
"display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption",
"target": null
},
{
"id": "E5",
"display_name": "E5",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 6232,
"URL": 24908,
"hostname": 7993,
"FileHash-SHA256": 11128,
"email": 6,
"FileHash-MD5": 1054,
"FileHash-SHA1": 932,
"SSLCertFingerprint": 14,
"CIDR": 3,
"CVE": 3
},
"indicator_count": 52273,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 152,
"modified_text": "249 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "689b9b9fab42ca4f016a226f",
"name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)",
"description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +",
"modified": "2025-09-11T13:03:18.814000",
"created": "2025-08-12T19:53:03.953000",
"tags": [
"url http",
"url https",
"indicator role",
"title added",
"active related",
"pulses url",
"entries",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"mitre att",
"ck techniques",
"evasion att",
"href",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"show technique",
"ck matrix",
"null",
"refresh",
"body",
"span",
"general",
"local",
"path",
"iframe",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"united",
"unknown ns",
"ip address",
"creation date",
"search",
"present sep",
"moved",
"domain add",
"encrypt",
"accept",
"please",
"passive dns",
"msie",
"next associated",
"html",
"background",
"unknown site",
"div div",
"trojan",
"zeus",
"process32nextw",
"read c",
"show",
"shellexecuteexw",
"windows nt",
"wow64",
"copy",
"dock",
"write",
"malware",
"unknown",
"defense evasion",
"t1480 execution",
"file defense",
"august",
"hybrid",
"port",
"destination",
"tlsv1",
"as15169",
"ogoogle trust",
"cngts ca",
"execution",
"next",
"persistence",
"data upload",
"extraction",
"win32",
"ransom",
"trojandropper",
"mtb nov",
"forcud",
"files show",
"date hash",
"avast avg"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 29,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4179,
"domain": 774,
"hostname": 1673,
"FileHash-MD5": 169,
"FileHash-SHA1": 110,
"FileHash-SHA256": 2073,
"email": 1,
"SSLCertFingerprint": 13,
"CVE": 1
},
"indicator_count": 8993,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "261 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "685186035e5fb63846d29e45",
"name": "Regarding Minority Report 2.0 | Aggresive Remote device tracking (multiple) | Network Rat",
"description": "Abuse.\nWhy is so much of this in plain sight? .\nMalicious tactics abused by preemptive policing recently implemented by Tech Bros under current Trump administration.\nThee governing Cyber Defense / AI / Data collection firm. | foundry2-lbl.dvr.dn2.n-helix.com | \nhttp://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://nl.cyberriskalliance.com/assets/icons/twitter.png |\nhttps://axis.snxd.com/track/0\n| track.getbuilt.com | \nRelates to Denver female \u2018allegedly\u2019 injured \u2018in PT.\nA malicious prosecution case against alleged victim after a Detective brought \u2018MTI\u2019 case to controlled Denver DA was dismissed by judge. Injured victim paid a pathetic settlement; especially considering the seriousness of the response of the government. \nThis type\nof tracking silencing is critically dangerous. \nHosanna make no haste to rescue all\nof victims of civilian & victim targeting.\n*Crowdsourced",
"modified": "2025-07-17T14:01:34.245000",
"created": "2025-06-17T15:13:07.233000",
"tags": [
"body",
"cps https",
"location",
"urls server",
"cloudfront",
"united",
"unknown aaaa",
"search",
"digital press",
"moved",
"digital culture",
"ip address",
"creation date",
"record value",
"entries",
"date",
"meta",
"urls",
"http",
"passive dns",
"unique",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"rich content",
"system",
"cdn amazon",
"amazons3 tls",
"certificate",
"redirects",
"ua9385760744",
"utc na",
"utc google",
"tag manager",
"gk4vnlmd3b9",
"server",
"amazon",
"net1832001",
"net18160001",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"present mar",
"present feb",
"unknown cname",
"urls show",
"date checked",
"url hostname",
"server response",
"aaaa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 48,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2075,
"URL": 5471,
"hostname": 1531,
"domain": 1013,
"FileHash-MD5": 55,
"FileHash-SHA1": 53,
"CVE": 1,
"SSLCertFingerprint": 1,
"email": 1,
"CIDR": 2
},
"indicator_count": 10203,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "317 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "685186983a4dd00c2b45b255",
"name": "Source:\thttps://cloud.samsara.com/o/79639/flee",
"description": "",
"modified": "2025-07-17T14:01:34.245000",
"created": "2025-06-17T15:15:36.505000",
"tags": [
"body",
"cps https",
"location",
"urls server",
"cloudfront",
"united",
"unknown aaaa",
"search",
"digital press",
"moved",
"digital culture",
"ip address",
"creation date",
"record value",
"entries",
"date",
"meta",
"urls",
"http",
"passive dns",
"unique",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"rich content",
"system",
"cdn amazon",
"amazons3 tls",
"certificate",
"redirects",
"ua9385760744",
"utc na",
"utc google",
"tag manager",
"gk4vnlmd3b9",
"server",
"amazon",
"net1832001",
"net18160001",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"present mar",
"present feb",
"unknown cname",
"urls show",
"date checked",
"url hostname",
"server response",
"aaaa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "685186035e5fb63846d29e45",
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2075,
"URL": 5471,
"hostname": 1531,
"domain": 1013,
"FileHash-MD5": 55,
"FileHash-SHA1": 53,
"CVE": 1,
"SSLCertFingerprint": 1,
"email": 1,
"CIDR": 2
},
"indicator_count": 10203,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "317 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68743733a69ce827f6156f5c",
"name": "W3.org | Google Spy engine | Tracking, Malware Repository | www.W3.org https://www.searchw3.com/ > ww.google.com.uy",
"description": "",
"modified": "2025-07-13T22:46:11.685000",
"created": "2025-07-13T22:46:11.685000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 147,
"modified_text": "321 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6802db5065a2d5648af92de3",
"name": "Pegasus Spyware",
"description": "If you see one of these IP addresses on your Android device, know this: the government is spying on you. It is recommended to perform a clean install of the latest version of Android, without Google services and with a proper firewall. Don't forget to disable RCS to decrease the attack surface.",
"modified": "2025-05-20T10:00:22.858000",
"created": "2025-04-18T23:08:00.201000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "esjsonexe",
"id": "320409",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 255,
"hostname": 318,
"URL": 762,
"FileHash-SHA256": 288
},
"indicator_count": 1623,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 18,
"modified_text": "376 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67ebfc921491771b15be63e3",
"name": "CnC Spyware | Pegasus Related | Ciberespionage Campaign | Skynet | Samsung | Google | DNS Hijacking",
"description": "Presume ser una campa\u00f1a de ciberespionaje orquestada por una organizaci\u00f3n gubernamental, dirigida hacia m\u00faltiples objetivos individuales (civiles) que consideran sospechosos. El software utilizado es similar a Pegasus, Skynet, Graphite para dispositivos Android y Mirai, Emotet, Berbew para dispositivos Linux y Windows. Los \"modus operandi\" abarcan m\u00faltiples tipos de ataques en los que participan ISP's y empresas grandes como Google. La propagaci\u00f3n de malware se realiza a trav\u00e9s de SMS con un enlace que dirige a una web con un exploit de d\u00eda cero, o tambi\u00e9n al abrir un PDF malicioso con las mismas caracter\u00edsticas. La ingenier\u00eda social juega un papel fundamental en este tipo de ataques. El tr\u00e1fico parece ser enmascarado en DNS 8.8.8.8 para no ser detectado.",
"modified": "2025-05-05T16:00:41.799000",
"created": "2025-04-01T14:47:46.507000",
"tags": [
"Government",
"Pegasus",
"Graphite",
"Skynet",
"Malware",
"Campaign",
"Samsung",
"Android",
"Unix",
"Linux",
"Browser",
"Windows",
"Zeroday",
"Trojan"
],
"references": [],
"public": 1,
"adversary": "Government",
"targeted_countries": [
"Spain",
"United States of America"
],
"malware_families": [
{
"id": "Pegasus for Android - S0316",
"display_name": "Pegasus for Android - S0316",
"target": null
},
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Backdoor:Win32/Mirai",
"display_name": "Backdoor:Win32/Mirai",
"target": "/malware/Backdoor:Win32/Mirai"
},
{
"id": "DDoS:Linux/Mirai",
"display_name": "DDoS:Linux/Mirai",
"target": "/malware/DDoS:Linux/Mirai"
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Backdoor:Win32/Berbew",
"display_name": "Backdoor:Win32/Berbew",
"target": "/malware/Backdoor:Win32/Berbew"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "TEL:Spyware:AndroidOS/SpyMax",
"display_name": "TEL:Spyware:AndroidOS/SpyMax",
"target": null
},
{
"id": "AndroRAT - MOB-S0008",
"display_name": "AndroRAT - MOB-S0008",
"target": null
},
{
"id": "Samsung",
"display_name": "Samsung",
"target": null
},
{
"id": "GoogleDrive RAT",
"display_name": "GoogleDrive RAT",
"target": null
},
{
"id": "#Lowfi:HSTR:BrowserModifier:ConsentBypass",
"display_name": "#Lowfi:HSTR:BrowserModifier:ConsentBypass",
"target": null
},
{
"id": "Backdoor:Win32/DnsDoor",
"display_name": "Backdoor:Win32/DnsDoor",
"target": "/malware/Backdoor:Win32/DnsDoor"
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:JS/DNSChanger",
"display_name": "Trojan:JS/DNSChanger",
"target": "/malware/Trojan:JS/DNSChanger"
},
{
"id": "#PowerShell:EncodedCommand",
"display_name": "#PowerShell:EncodedCommand",
"target": null
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
}
],
"attack_ids": [
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1590.002",
"name": "DNS",
"display_name": "T1590.002 - DNS"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1184",
"name": "SSH Hijacking",
"display_name": "T1184 - SSH Hijacking"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1069.001",
"name": "Local Groups",
"display_name": "T1069.001 - Local Groups"
},
{
"id": "T1568.001",
"name": "Fast Flux DNS",
"display_name": "T1568.001 - Fast Flux DNS"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1404",
"name": "Exploit OS Vulnerability",
"display_name": "T1404 - Exploit OS Vulnerability"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1211",
"name": "Exploitation for Defense Evasion",
"display_name": "T1211 - Exploitation for Defense Evasion"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1003.004",
"name": "LSA Secrets",
"display_name": "T1003.004 - LSA Secrets"
},
{
"id": "T1038",
"name": "DLL Search Order Hijacking",
"display_name": "T1038 - DLL Search Order Hijacking"
},
{
"id": "T1055.003",
"name": "Thread Execution Hijacking",
"display_name": "T1055.003 - Thread Execution Hijacking"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1076",
"name": "Remote Desktop Protocol",
"display_name": "T1076 - Remote Desktop Protocol"
}
],
"industries": [
"Government",
"Civil",
"Healthcare"
],
"TLP": "white",
"cloned_from": null,
"export_count": 42,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "depdgaus",
"id": "315837",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3592,
"domain": 712,
"hostname": 1246,
"FileHash-SHA256": 900
},
"indicator_count": 6450,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 10,
"modified_text": "390 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "674248a40f08120e523708eb",
"name": "cqbpy.nakula.fun (enriched)",
"description": "",
"modified": "2024-12-23T21:01:08.932000",
"created": "2024-11-23T21:27:00.332000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2,
"FileHash-SHA1": 2,
"FileHash-SHA256": 60,
"hostname": 383,
"domain": 63,
"URL": 487
},
"indicator_count": 997,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 182,
"modified_text": "523 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67264874826a7c8efb017e83",
"name": "unfamiiiiardates (enriched)",
"description": "",
"modified": "2024-12-02T15:01:26.132000",
"created": "2024-11-02T15:42:44.989000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2,
"FileHash-SHA1": 2,
"FileHash-SHA256": 94,
"hostname": 67,
"domain": 70,
"URL": 212
},
"indicator_count": 447,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 182,
"modified_text": "544 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6523344e4adc85389899504c",
"name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]",
"description": "",
"modified": "2024-10-13T03:00:28.081000",
"created": "2023-10-08T22:59:26.040000",
"tags": [
"united",
"contacted urls",
"whois record",
"contacted",
"malicious site",
"malware",
"phishing site",
"anonymizer",
"heur",
"control server",
"facebook",
"cobalt strike",
"execution",
"installcore",
"phishing",
"service",
"core",
"metro",
"icmp",
"hacktool",
"download",
"relic",
"monitoring",
"installer",
"steam",
"bank",
"dnspionage",
"crack",
"unsafe",
"ramnit",
"emotet",
"malware site",
"proxy",
"exploit",
"fakealert",
"team",
"redline stealer",
"laplasclipper",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"alexa",
"downloader",
"opencandy",
"generic",
"presenoker",
"maltiverse",
"trojanspy",
"date",
"unknown",
"windir",
"markmonitor",
"name server",
"av detection",
"september",
"default browser",
"guest system",
"hybrid",
"general",
"click",
"strings",
"class",
"critical",
"blacklist",
"union",
"Embarcadero Delphi",
"whois whois",
"referrer",
"ssl certificate",
"communicating",
"resolutions",
"parent parent",
"dropped",
"stealer",
"banker",
"keylogger",
"attack",
"apple",
"detection list",
"ip address",
"netsky",
"firehol proxy",
"noname057",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"FireHol",
"Proxy",
"Pexee",
"Bank of America Corporation Malware Download",
"CVE-2017-11882",
"Alexa SANS Internet Storm Center",
"MCI Verizon Block",
"NaN"
],
"references": [
"http://ww1.tsx.org/_fd",
"https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)",
"Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)",
"http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)",
"http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)",
"Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)",
"https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)",
"firebaseremoteconfig.googleapis.com (remote hacking)",
"remote.telegrafix.com (remote hacking)",
"fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d",
"remote.haverhillcc.com (remote hacking)",
"http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml",
"http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409",
"http://init-p01st.push.apple.com/bag (remote hacking)",
"https://support.apple.com/en-us/HT201265. Targets (iOS ID)",
"apple.com. (malicious version/header)",
"https://www.apple.com/sitemap/",
"https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)",
"http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409",
"init.ess.apple.com (remote hacking)",
"applepaydayloans.com",
"www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)",
"https://applepaydayloans.com/",
"https://sinister.ly/Thread-Apple-empty-box?page=13",
"7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)",
"https://support.Apple.com/de",
"http://www.Apple.com/quicktime/download",
"http://www.Apple.com/quicktime/download/standalone.html",
"https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05",
"https://www.roseoubleu.fr/panier (phishing)",
"Roksit.net",
"stagelight.pl (malicious/ pattern match)",
"www.jamesbgriffinlaw.com (malicious host)",
"Data Analytics",
"Behavior Pattern Match Analysis",
"45.159.189.105 (Command and Control)",
"http://45.159.189.105/bot/regex (Bot Command)",
"151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21",
"AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server",
"DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data",
"(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "TEL:Delphi/Obfuscator",
"display_name": "TEL:Delphi/Obfuscator",
"target": "/malware/TEL:Delphi/Obfuscator"
},
{
"id": "LaplasClipper",
"display_name": "LaplasClipper",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"target": null
},
{
"id": "SLFPER:InstallCore",
"display_name": "SLFPER:InstallCore",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "ALF:Program:OpenCandy:Remnant",
"display_name": "ALF:Program:OpenCandy:Remnant",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "generic.malware",
"display_name": "generic.malware",
"target": null
},
{
"id": "Anonymizer",
"display_name": "Anonymizer",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/Mimikatz",
"display_name": "#HSTR:HackTool:Win32/Mimikatz",
"target": null
},
{
"id": "PWS:MSIL/Steam",
"display_name": "PWS:MSIL/Steam",
"target": "/malware/PWS:MSIL/Steam"
},
{
"id": "Trojan.HTML.Agent",
"display_name": "Trojan.HTML.Agent",
"target": null
},
{
"id": "Gen:Variant.Zusy",
"display_name": "Gen:Variant.Zusy",
"target": null
},
{
"id": "Worm:Win32/Netsky",
"display_name": "Worm:Win32/Netsky",
"target": "/malware/Worm:Win32/Netsky"
},
{
"id": "Sodin Ransomware",
"display_name": "Sodin Ransomware",
"target": null
},
{
"id": "Keyloggers",
"display_name": "Keyloggers",
"target": null
},
{
"id": "Proxy",
"display_name": "Proxy",
"target": null
},
{
"id": "TEL:Trojan:Win32/Emotet",
"display_name": "TEL:Trojan:Win32/Emotet",
"target": null
},
{
"id": "Cobalt Strike - S0154",
"display_name": "Cobalt Strike - S0154",
"target": null
},
{
"id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat",
"display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat",
"target": null
},
{
"id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar",
"display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar",
"target": null
},
{
"id": "AdwareSig [Adw] ml.Generic",
"display_name": "AdwareSig [Adw] ml.Generic",
"target": null
},
{
"id": "W32.Hack.Generic",
"display_name": "W32.Hack.Generic",
"target": null
},
{
"id": "Trojan.Ole2.Vbs",
"display_name": "Trojan.Ole2.Vbs",
"target": null
},
{
"id": "QVM20.1.8D80.Malware",
"display_name": "QVM20.1.8D80.Malware",
"target": null
},
{
"id": "Generic.Malware",
"display_name": "Generic.Malware",
"target": null
},
{
"id": "Backdoor.Mokes",
"display_name": "Backdoor.Mokes",
"target": null
},
{
"id": "AdWare.DropWare",
"display_name": "AdWare.DropWare",
"target": null
},
{
"id": "Gen:Variant.Razy",
"display_name": "Gen:Variant.Razy",
"target": null
},
{
"id": "Generic.31fcc75f",
"display_name": "Generic.31fcc75f",
"target": null
},
{
"id": "Trojan.Generic",
"display_name": "Trojan.Generic",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "malware.generic",
"display_name": "malware.generic",
"target": null
},
{
"id": "Gen:Variant.Bulz",
"display_name": "Gen:Variant.Bulz",
"target": null
},
{
"id": "GameHack.DR",
"display_name": "GameHack.DR",
"target": null
},
{
"id": "Dropper.Binder",
"display_name": "Dropper.Binder",
"target": null
},
{
"id": "malicious.22a4c0",
"display_name": "malicious.22a4c0",
"target": null
},
{
"id": "SdBot.CAOC",
"display_name": "SdBot.CAOC",
"target": null
},
{
"id": "ml.Generic",
"display_name": "ml.Generic",
"target": null
},
{
"id": "Trojan.Ransom.GenericKD",
"display_name": "Trojan.Ransom.GenericKD",
"target": null
},
{
"id": "Phish.AB",
"display_name": "Phish.AB",
"target": null
},
{
"id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea",
"display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6506b48d699080b4bfd334c5",
"export_count": 74,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7761,
"CVE": 6,
"FileHash-MD5": 285,
"FileHash-SHA1": 165,
"FileHash-SHA256": 5059,
"domain": 987,
"hostname": 2399
},
"indicator_count": 16662,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "595 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "656aafd0e93efa420f74123c",
"name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"description": "",
"modified": "2024-10-12T01:00:47.836000",
"created": "2023-12-02T04:17:20.189000",
"tags": [
"ssl certificate",
"contacted",
"threat roundup",
"whois record",
"communicating",
"subdomains",
"resolutions",
"june",
"july",
"october",
"august",
"noname057",
"generic malware",
"ice fog",
"tag count",
"thu nov",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"first",
"generic",
"detection list",
"blacklist http",
"cisco umbrella",
"site",
"heur",
"alexa top",
"safe site",
"million",
"malware",
"alexa",
"malware site",
"malicious site",
"unsafe",
"artemis",
"fakealert",
"exploit",
"opencandy",
"riskware",
"genkryptik",
"iframe",
"tiggre",
"presenoker",
"agent",
"conduit",
"wacatac",
"phishing",
"redline stealer",
"dropper",
"cobalt strike",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"filetour",
"cleaner",
"installpack",
"xrat",
"fusioncore",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"blacknet rat",
"stealer",
"maltiverse",
"webtoolbar",
"trojanspy",
"united",
"engineering",
"cyber threat",
"phishing site",
"america",
"emotet",
"zbot",
"malicious",
"steam",
"team",
"indonesia",
"miner",
"ransomware",
"ramnit",
"pe resource",
"historical ssl",
"execution",
"hacktool",
"metasploit",
"relic",
"monitoring",
"android",
"skynet",
"et",
"anonymizer",
"trojanx",
"back",
"laplasclipper",
"win64",
"trojan",
"ghost rat",
"suppobox",
"asyncrat",
"union",
"samples",
"blacklist",
"malicious url",
"hostname",
"hostnames",
"tsara brashears",
"reinsurance",
"pinnacol insurance",
"industry and commerce",
"state",
"danger",
"warning",
"nr-data.net",
"apple",
"data.net",
"asp.net",
"domains",
"hashes",
"reverse dns",
"general full",
"resource",
"software",
"asn15169",
"google",
"url http",
"server",
"hash",
"get h2",
"main",
"cookie",
"thu dec",
"germany",
"frankfurt",
"netherlands",
"asn20446",
"highwinds3",
"page url",
"search live",
"api blog",
"docs pricing",
"tags",
"november",
"us summary",
"http",
"google safe",
"browsing",
"adware",
"xtrat",
"firehol",
"microsoft",
"control server",
"services",
"msil",
"hiloti",
"asn16509",
"amazon02",
"fastly",
"asn54113",
"prague",
"login",
"listen live",
"centura health",
"colorado jobs",
"eeo public",
"filing url",
"blacklist https",
"mimikatz",
"beach research",
"de indicators",
"copyright",
"gmbh version",
"follow",
"softcnapp",
"philadelphia",
"gamehack",
"value",
"line",
"variables",
"nreum",
"postrelease",
"url https",
"security tls",
"protocol h2",
"name value",
"scam",
"gesponsert url",
"outputldjh",
"oid2",
"uhis2",
"uh1200",
"uw1600",
"uah1200",
"uaw1600",
"ucd24",
"usd1",
"utz60",
"no data",
"coinminer",
"ip address",
"exchange",
"http attacker",
"states",
"jimburkedentistry",
"leder-family",
"adam lee",
"erika lee",
"malvertizing"
],
"references": [
"http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
"http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
"http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
"http://tracks.theleders.family",
"photos.theleders.family",
"http://45.159.189.105/bot/regex (tracks Tsara Brashears)",
"45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)",
"http://mobtrack.trkclk.net",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"nr-data.net",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"103.233.208.9 (CNC IP)",
"apex.jquery.com (scammer | works for who?)",
"api.useragentswitch.com",
"bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)",
"dns.google (DNS client services - Doug Cole)",
"https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
"https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
"apple-dns.net",
"emails.redvue.com (apple DNS w/amvima)",
"142.250.180.4 (init.ess)",
"init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)",
"freeimdatingsites.thomasdobo.eu",
"https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
"https://urlscan.io/domain/maxwam.tk",
"https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "States",
"display_name": "States",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6562908e28e6cdc237fbf8db",
"export_count": 107,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1956,
"FileHash-SHA1": 867,
"FileHash-SHA256": 3895,
"URL": 11195,
"domain": 2959,
"hostname": 3575,
"CVE": 16,
"SSLCertFingerprint": 1,
"email": 1
},
"indicator_count": 24465,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 233,
"modified_text": "596 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue",
"Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"https://link.monetizer101.com/widget/code/dailystaruk.js",
"http://45.159.189.105/bot/regex (Bot Command)",
"https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam",
"IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login",
"server-3-164-143-102.nrt20.r.cloudfront.net",
"Behavior Pattern Match Analysis",
"www.opencandy.com",
"Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot",
"http://www.Apple.com/quicktime/download/standalone.html",
"If someone is believed to be a threat they have right to due process.",
"https://www.colocrossing.com/",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Yara Detections is__elf , ELFHighEntropy , elf_empty_sections",
"http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"prometheus.netmaker.vonnue.dev",
"bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d",
"phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com",
"https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/",
"http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022",
"http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget",
"https://www.sweetheartvideo.com/scenes?models=63710",
"Device targeted with l RMS Modules by male in Denver, Co",
"nr-data.net",
"Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com",
"(Found on targeted iOS device) mr-file-connector-193.api.auxosandbox.com",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"Can the DoD no questions asked target a SA victim",
"Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download",
"www.jamesbgriffinlaw.com (malicious host)",
"The older the smarter the way better. These people are brilliant , ruthless and dangerous",
"https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05",
"remote.telegrafix.com (remote hacking)",
"Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage",
"On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)",
"Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com",
"Guardicore by CyberHunterAutoFeed \u2022 https://otx.alienvault.com/pulse/655d47fb128a006a7d06afa2",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post",
"104.21.51.140, 172.67.181.41",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)",
"https://unicef.se/assets/apple",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"apple-dns.net",
"Yara : KINS_dropper , apt_win_mutex_apt1 , Hangover_Fuddol , Hangover_Tymtin_Degrab",
"There is fear in silence or speaking out",
"Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-",
"https://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"Yara: Hangover_Smackdown_Downloader , Hangover_Vacrhan_Downloader",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://therahand.com",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)",
"widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml",
"AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server",
"45.159.189.105 (Command and Control)",
"https://account.helix.com/activate/start",
"init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)",
"BinBusyBox: 0x.un5t48l3.host",
"https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY",
"https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js",
"https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!",
"http://tracks.theleders.family",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Remotewd.com devices",
"talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com",
"\"vgkw.maillist-manage.com\" is probably a mail server",
"https://sinister.ly/Thread-Apple-empty-box?page=13",
"Bethseda Map - Yara Detections Delphi , InnoSetupInstaller",
"https://ww41.porn25.com/",
"Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p",
"iamrobert.com Y.A.S.",
"IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.",
"ocn.ad.jp - Registrant Org: NTT Communications Corporation",
"https://applepaydayloans.com/",
"https://www.vgt.pl/favicon.ico",
"drive.google.com/",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"Data Analytics",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Yara Detections is__elf",
"swarm-foundry.com",
"Malicious activity seen since a Pulse regarding school outage.",
"Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS",
"computersandsoftware \u2022 portal sites \u2022 search engines and portals",
"www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/",
"Phone recently accessed, a tiny unauthorized speaker was on. Threat actors connected.",
"If something curious is found on privatelybowen property we have a constitutional right to examine it.",
"TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]",
"https://www.apple.com/sitemap/",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"http://watchhers.net/index.php",
"apex.jquery.com (scammer | works for who?)",
"Interesting (found in pulse) https://www.studentfinancewales.co.uk/contact",
"https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx",
"Colorado maintains a public-facing police misconduct database via the state's",
"Yara Detections : compromised_site_redirector_fromcharcode",
"Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"This is hard to comprehend or put into indelible words.",
"Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"ocn.ne.jp \u2022 180.4.1.2 \u2022 gateway1.ocn.ad.jp",
"anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022",
"dns.google (DNS client services - Doug Cole)",
"Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download EXE - Served Attached HTTP",
"remote.haverhillcc.com (remote hacking)",
"Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN",
"heavy-r.com \u2022 fartyphant.com \u2022 uglyphant.com \u2022 maciej.sztajerwald@gmail.com",
"Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront",
"http://init-p01st.push.apple.com/bag (remote hacking)",
"https://es.pornhat.com/models/the-sex-creator/",
"I am very upset. Whoever is doing this is sick.",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"Page Title: \u30ed\u30b0\u30a4\u30f3 | OCN\u30e1\u30fc\u30eb | OCN",
"https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com",
"Target agreed and complied with all lie detector measures.",
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"https://hyundaibariavungtau3s.com/vehicle/hyundai-custin",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"Delete service is being used on this Threat service",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"hallplan.vm05.iveins.de",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"AS24961 MyLoc Managed IT AG",
"emails.redvue.com (apple DNS w/amvima)",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"applepaydayloans.com",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"https://hyundaibariavungtau3s.com/vehicle/stargazer",
"Most of the people doing this are 50\u2019s plus, plus. There are youngsters but many grey haired , grandparents",
"stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"feedback-pa.clients6.google.com/v1/survey/trigger/",
"(Can't access file- Malware infection files)",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
"Yara: Hangover_Smackdown_various , Hangover_Foler , Hangover_UpdateEx ,",
"https://otx.alienvault.com/indicator/url/https://t.notif-laposte.info/TrackActions/NGJlYjE5NjZhZDlkODU0NzE3Yzg3Zjk3ODJkMmMxZWRjMTlkODAxZmEyMjY5YjU5YjY1MGU1OWFmZTdhMDlhMmM2YjY3ZTBiYzYwNWUwODdmMzkzZDc5ZjAwNDViODM1OGU5MTA0M2IzMjRmOGQwNTgxZGZjMmUyODFlZDI3MDYzZTQzNzg4NGVkMWJmMDgwMzM0NTA5OGRmY2M0NTVjZA",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"firebaseremoteconfig.googleapis.com (remote hacking)",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"Suspicious EXE download from WordPress folder",
"Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://about.homeasap.com",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"Other constitutional rights and privileges written in law where severe courses of action is allowed",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov",
"Multiple attackers. Don\u2019t believe me, look at the pulses. Caged in by male with deauther watch.",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"https://www.red-gate.com/products/smartassembly",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)",
"ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0",
"https://support.apple.com/en-us/HT201265. Targets (iOS ID)",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com",
"https://urlscan.io/domain/maxwam.tk",
"https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"Prometheus - Alien God? Morality through the eyes of the immoral",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"Prometheus- allegedly related to Peter Thiel , Elon Musk and tech bro Joes who are playing God.",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"IDS Detections: Win32/Emotet CnC Activity (POST) M10",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN",
"https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives",
"Target was monitored in store and followed home needed to stop multiple times , change routes.",
"https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)",
"http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409",
"http://link.monetizer101.com/widget/custom-2.0.2/templates/1",
"Yara: HKTL_NATBypass_Dec22_1 , power_pe_injection , Mimikatz_Logfile",
"Japanese Phishing Site by pingineer \u2022 https://otx.alienvault.com/pulse/61d3b380c44ee030dd092a80",
"zalo.me | href | Binary File | ATT&CK ID T1566.002",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"Nippon Telegraph and Telephone Corporation one governmental now privated",
"anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net",
"Yara: Mimikatz_Strings , Silence_malware_2 , EquationGroup_elgingamble , EquationGroup_cmsd",
"dasima-containers.palantirfoundry.com \u2022 blitzrobots.com",
"https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=",
"142.250.180.4 (init.ess)",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"IP\u2019s Contacted: 192.124.249.187",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"Bot network",
"https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg",
"http://www.Apple.com/quicktime/download",
"It\u2019s so out of hand,m for 16 people.",
"(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.",
"constellation.pcfrpegaservice.net (Pegasus related? idk)",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"When you see silly related domains it\u2019s probably Palantir kids: fuckingshitshow.org Domain kinkfuck.com \u2022 nobodycares.art",
"Yara: Mimikatz_Logfile SID : * NTLM : Authentication Id : wdigest : Mimikatz_Strings sekurlsa::logonpasswords",
"Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT",
"Yara: EquationGroup_ebbshave , EquationGroup_eggbasket , EquationGroup_sambal",
"prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"photos.theleders.family",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud",
"ec2-57-181-50-85.ap-northeast-1.compute.amazonaws.com",
"Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical",
"prometheus.dev.aws.finoa.io",
"https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6",
"https://prometheus-pushgateway-internal.preview.tp-staging.com/",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"Terse Unencrypted Request for Google - Likely Connectivity Check",
"https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com",
"151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21",
"PE EXE or DLL Windows file download HTTP",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)",
"TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host",
"Location search was used to find device users address. It\u2019s with me.",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"(legitimate services will remain up-and-running usually) High | ID dead_host",
"www.socialimages.reputationdatabase.com",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js",
"DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]",
"cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
"https://hyundaibariavungtau3s.com/vehicle/ioniq-5",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"Files",
"Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName",
"http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
"https://meumundogay-com.sexogratis.page/locker",
"Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration",
"kalpak.palantirfedstart.com \u2022 lsauth-vault.palantirfedstart.com \u2022 sandboxes-ranunculus.palantirfedstart.com",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"Attempts to clip target at high rate of speed.Seen again at her residence in October",
"api.useragentswitch.com",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)",
"iOS device, Update 26.2 , heavily monitored target of death threats, attempts & unfortunate outcome..",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"103.233.208.9 (CNC IP)",
"ec2-3-115-135-167.ap-northeast-1.compute.amazonaws.com",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"http://45.159.189.105/bot/regex (tracks Tsara Brashears)",
"https://discussions.apple.com/thread/255214328?sortBy=rank",
"https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l",
"Roksit.net",
"https://support.Apple.com/de",
"Fastly Error and Palantir blocked several times over the last few months.",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"login.ocn.ne.jp 122.28.88.229 \u2022 outpost@alpha.ocn.ne.jp",
"https://www.roseoubleu.fr/panier (phishing)",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions",
"http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
"Many indicators point to an IP this block is on.",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit",
"https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"sentient.industries affects independent artists. Affects several others.",
"Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"stagelight.pl (malicious/ pattern match)",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"remotewd.com device local",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware",
"init.ess.apple.com (remote hacking)",
"https://urlscan.io/result/98a3575f-9b94-4ef3-ae84-8e585f882151/#indicators",
"apple.com. (malicious version/header)",
"http://ww1.tsx.org/_fd",
"freeimdatingsites.thomasdobo.eu",
"https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)",
"https://otx.alienvault.com/indicator/cve/CVE-2025-11727",
"Name : iveins.de Service : connect",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://hybrid-analysis.com/sample/6af451b8e64c3f8abafc84e776fe6c257888e0875b2d22c75b23b13960f46567/69580966ed3458719b0f0ed5",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"If you find anything interesting please research it.",
"http://mobtrack.trkclk.net",
"ET Telnet | https://www.colocrossing.com | velocity servers"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"Government",
"NSO Pegasus",
"COINBASECARTEL"
],
"malware_families": [
"Pegasus for android - s0316",
"#lowfi:siga:trojandownloader:msil/genmaldow",
"Custom malware",
"Trojan.ole2.vbs",
"Samsung",
"Virtool:msil/covent.a",
"Mirai",
"Win.packed.generic-9795615-0\t.",
"Worm:win32/autorun",
"Cve-2025-11727",
"Worm:win32/netsky",
"Malicious.22a4c0",
"Mirai (windows)",
"Phish.ab",
"Backdoor:msil/bladabindi.aj gc!",
"Win.malware.kolab-9885903-0",
"W32.hack.generic",
"Alf:backdoor:msil/noancooe.ka",
"Trojan:win32/neconyd.a",
"Win.trojan.jorik-130",
"Virtool:msil/covent",
"Backdoor:win32/dnsdoor",
"Sodin ransomware",
"Gamehack",
"Ver",
"Msil:agent-dq\\ [trj]",
"Trojan.html.agent",
"Win.trojan.generic-6417450-0",
"Zeroaccess - s0027",
"Keyloggers",
"Win.malware.urelas-9863836-0",
"Trojan:win32/qshell",
"Alf:program:opencandy:remnant",
"Graphite (pegasus variant)",
"Win.trojan.adinstall-2",
"Malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tunsafe.ai_score_98% 1\tmobigame 1\tbanker,evasive,retefe 1\tprogram.unwanted 1\tmalicious.high.ml 1\tkryptik.dawvk 1\tunsafe.ai_score_91% 1\tadwar",
"Dnspionage",
"Backdoor:linux/mirai",
"Alf:backdoor:java/webshell",
"Pegasus for ios - s0289",
"Trojan:win32/pynamer!rfn",
"Adware.dropware",
"Win.trojan.fakecodecs-119",
"Trojan:msil/clipbanker",
"Html smuggling",
"Ransom",
"Redline stealer",
"Win.packed.razy-9785185-0",
"Win.packed.generic-9795615-0",
"Dotnet",
"Trojan:win32/gandcrab",
"Backdoor:win32/mirai",
"#lowfi:hstr:browsermodifier:consentbypass",
"Pegasus for mac",
"Alf:backdoor:powershell/reverseshell",
"#lowfi:hstr:msil/malicious.decryption",
"#lowfi:siga:trojanspy:msil/keylogger",
"Trojan:js/dnschanger",
"Qvm20.1.8d80.malware",
"Legacy.trojan.agent-37025",
"Tel:spyware:androidos/spymax",
"Adwaresig [adw] ml.generic",
"Beach research",
"Pegasus",
"Xloader for ios - s0490",
"Win.dropper.njrat-10015886-0",
"Trojan:msil/ranos.a",
"Script exploit",
"Maltiverse",
"Win32:malware",
"Apnic",
"Generic.malware",
"Trojanspy",
"Php.exploit.c99-27",
"Win.trojan.jorik-149",
"Elf:mirai-gh\\ [trj]",
"Webtoolbar",
"Pws:win32/qqpass.fc",
"Fakeav.for",
"Exploit:js/cve-2014-0322",
"#lowfitrojan:html/iframe",
"#lowfienabledtcontinueafterunpacking",
"Unix.trojan.mirai-5607483-0",
"Xanfpezes.a",
"Dropper.binder",
"Win32/nemucod",
"#lowfi:hstr:msil/malicious",
"Win.downloader.109205-1",
"Multiple malware\u2019s , trojans and rats",
"Win.trojan.generic-9801687-0",
"Trojan.generic",
"Careto",
"#lowfi:hstr:win32/mediadownloader",
"States",
"Skynet",
"Starfighter (javascript)",
"Virtool:win32/obfuscator.ki",
"Psw.generic13",
"Trojan:win32/glupteba.mt!mtb",
"Cobalt strike - s0154",
"Win32:malob-db\\ [cryp]",
"Tel:trojan:win32/emotet",
"Trojan:win32/tiggre!rfn",
"Lockbit",
"Backdoor:msil/bladabindi.aj",
"Elf:gafgyt-dz\\ [trj]",
"Trojan:win32/mydoom",
"Pua.optimizerpro/pcoptimizerpro",
"Trojan:js/berbew",
"Nufs_inno",
"Artemis",
"Emotet",
"Win.malware.bzub-6727003-0",
"#hstr:hacktool:win32/mimikatz",
"Gen:variant.zusy",
"Unix.trojan.darknexus-7679166-0",
"Alf:heraklezeval:trojan:win32/ymacco.aa47",
"Hacktool:msil/boilod.c!bit",
"Tofsee",
"Pws:msil/steam",
"Proxy",
"Backdoor.mokes",
"Alf:heraklezeval:trojandownloader:html/adodb!rfn",
"Other malware",
"Win32:downloader-gjk\\ [trj]",
"Et",
"Trojan:win32/toga",
"Paragon (pegasus variant)",
"#hstr:hacktool:win32/remoteshell",
"Alf:hstr:dotnet",
"Win.trojan.bulz-9860169-0",
"Trojan:win32/zbot.sibl!mtb",
"Win.virus.virlock-6804475-0",
"Anonymizer",
"Trojan.ransom.generickd",
"Gen:variant.razy",
"Ddos:linux/mirai",
"Hacktool:win32/autokms",
"Win.trojan.nanocore-5",
"Trojandropper:win32/muldrop.v!mtb",
"Trojandownloader:linux/mirai",
"Gen:variant.bulz",
"#powershell:encodedcommand",
"Androrat - mob-s0008",
"Relic",
"Backdoor:asp/chopper.f!dha",
"Win.packed.msilperseus-9956592-0",
"Redline",
"Malware",
"Googledrive rat",
"Alf:html/phishing",
"Trojan:win32/zombie.a",
"Trojandropper:win32/muldrop",
"Ddos:win32/stormser.a",
"Sdbot.caoc",
"Trojanspy:win32/nivdort",
"Kelihos",
"Unix.dropper.mirai-7135870-0",
"Win.trojan.vundo-7170412-0",
"Pws",
"Pegasus for android - mob-s0032",
"Ramnit",
"Malware.generic",
"Generic.asmalws malicious_confidence_70% 1\til:trojan.msilzilla 1\tfilerepmalware 1\transom.sabsik 1\tbehaveslike.dropper 1\tmicrosoft phishing 1\tbackdoor.mokes 1\tphishing bank of america corporat",
"Generic.31fcc75f",
"Win.trojan.agent-306281",
"#lowfi:exploit:java/cve-2012-0507",
"Luhe.fiha.a",
"#lowfidetectsvmware",
"Tel:delphi/obfuscator",
"E5",
"Alf:heraklezeval:trojan:msil/gravityrat!rfn",
"Cl0p",
"Nid",
"Slfper:installcore",
"Atros.upk",
"Pegasus rdp module for windows",
"Win64:trojanx",
"Win.malware (30)",
"Other dangerous malware",
"Jaik",
"Win.malware.midie-6847892-0",
"Alf:heraklezeval:pua:win32/ultradownloads",
"Gamehack.dr",
"#lowfi:hstr:msil/obfuscator.deepsea",
"Ml.generic",
"Alf:jasyp:pua:win32/bibado",
"Undefined 1\tms 1\txyz 1\tgl 1\tnet tld aggregation com ms xyz gl net 20% 20% 20% 20% 20% tld\tcount com\t1 undefined\tnan ms\t1 xyz\t1 gl\t1 net\t1 combined blacklist timeline hybrid-analysis maltiverse resea",
"#lowfi:suspicioussectionname",
"Backdoor:win32/berbew",
"Doc.trojan.agent-9765752-0",
"Win.packed.fecn-7077459-0",
"Win.trojan.generic-9862772-0",
"Generic",
"Trojan:win32/blihan.a",
"Mydoom",
"Laplasclipper",
"Trojan:win32/floxif.e"
],
"industries": [
"Civil",
"People",
"Healthcare",
"Government",
"Insurance",
"Technology",
"Education",
"Oil",
"Civilians",
"Civil society"
],
"unique_indicators": 528299
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/yangzupan.com",
"whois": "http://whois.domaintools.com/yangzupan.com",
"domain": "yangzupan.com",
"hostname": "jsdelivr.yangzupan.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "6a126fcffc60a71dfab01f24",
"name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
"description": "",
"modified": "2026-05-24T03:32:22.109000",
"created": "2026-05-24T03:26:07.144000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4130,
"URL": 11958,
"hostname": 4644,
"domain": 4304,
"FileHash-MD5": 2256,
"FileHash-SHA1": 1161,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1,
"IPv6": 4,
"IPv4": 6
},
"indicator_count": 28500,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "7 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6a126fcc3620af2edeb95e57",
"name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
"description": "",
"modified": "2026-05-24T03:26:04.439000",
"created": "2026-05-24T03:26:04.439000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "7 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69e940361a6e8be7e02ffe5d",
"name": "URL_File_Delivery clone by octoseek",
"description": "",
"modified": "2026-05-22T23:04:42.859000",
"created": "2026-04-22T21:40:06.671000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64d9d1b920c9b43c1885b2e4",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1644,
"domain": 386,
"hostname": 535,
"FileHash-SHA256": 609,
"email": 5,
"URI": 9,
"FilePath": 1,
"FileHash-SHA1": 8,
"FileHash-MD5": 24
},
"indicator_count": 3221,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69aa41b0d714318bf8937184",
"name": "Credit Q.Vashti, Title [.Net Obfuscater] clone",
"description": "",
"modified": "2026-04-25T07:06:03.966000",
"created": "2026-03-06T02:53:36.216000",
"tags": [
"no expiration",
"domain",
"name",
"control flow",
"dlls",
"method parent",
"declarative",
"ms build",
"core",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"read c",
"dock",
"write",
"execution",
"capture",
"endgame",
"united",
"moved",
"ip address",
"record value",
"gate software",
"newnham house",
"expiration date",
"urls",
"url add",
"http",
"related nids",
"files location",
"flag united",
"present aug",
"present sep",
"present nov",
"present oct",
"name servers",
"emails",
"present dec",
"meta",
"passive dns",
"next associated",
"ipv4",
"url analysis",
"files",
"cookie",
"subscribe",
"unsubscribe",
"s paris",
"englewood",
"state",
"skip",
"espaol",
"summary",
"filing history",
"ireland",
"title",
"united states",
"certificate",
"colorado",
"ipv4 add",
"america flag",
"showing",
"pulse submit",
"size",
"pattern match",
"mitre att",
"ck id",
"path",
"hybrid",
"general",
"local",
"iframe",
"click",
"strings",
"cece",
"mult",
"learn",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"sha1",
"sha256",
"njmk",
"kwruymy",
"mime",
"submitted",
"process details",
"calls",
"apis",
"reads",
"defense evasion",
"model",
"getprocaddress",
"show technique",
"ck matrix",
"access type",
"value",
"api call",
"open",
"august",
"format",
"typeof symbol",
"typeof s",
"typeof c",
"function",
"symbol",
"comenabled",
"image path",
"ndex",
"ndroleextdll",
"f0f0f0",
"ff4b55",
"stop",
"span",
"show process",
"binary file",
"file",
"network traffic",
"encrypt",
"date",
"found",
"ssl certificate",
"creation date",
"hostname add",
"pulse pulses",
"files ip",
"address domain",
"data upload",
"extraction",
"ge6 mira",
"failed",
"ascii text",
"development att",
"hostname",
"files domain",
"files related",
"pulses otx",
"pulses",
"unknown aaaa",
"unknown ns",
"united states",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"a domains",
"search",
"germany unknown",
"win32",
"lowfi",
"chrome",
"susp",
"trojan",
"backdoor",
"twitter",
"virtool",
"worm",
"exploit",
"trojandropper",
"win32upatre dec",
"mtb dec",
"reverse dns",
"body",
"location united",
"asn as14618",
"less whois",
"files show",
"date hash",
"avast avg",
"initial access",
"javascript",
"root",
"enterprise",
"form",
"desktop",
"command decode",
"suricata ipv4",
"spycloud",
"robots",
"bots",
"chatbot",
"bot network",
"spy",
"mixb",
"a2fryx",
"therahand",
"typosquating"
],
"references": [
"https://www.red-gate.com/products/smartassembly",
"spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud",
"https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=",
"https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0",
"dasima-containers.palantirfoundry.com \u2022 blitzrobots.com",
"https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com",
"https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY",
"www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/",
"https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3",
"Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-",
"Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Unix.Dropper.Mirai-7135870-0",
"display_name": "Unix.Dropper.Mirai-7135870-0",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1127",
"name": "Trusted Developer Utilities Proxy Execution",
"display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1416",
"name": "URI Hijacking",
"display_name": "T1416 - URI Hijacking"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1116",
"name": "Code Signing",
"display_name": "T1116 - Code Signing"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6952d4fc6910b0b866746d8a",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 341,
"FileHash-SHA1": 343,
"FileHash-SHA256": 1332,
"domain": 1062,
"hostname": 1969,
"URL": 5700,
"email": 10,
"SSLCertFingerprint": 21,
"CVE": 1
},
"indicator_count": 10779,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "36 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a3c685d4b7c139ffe62930",
"name": "Clone Pulse Reference",
"description": "",
"modified": "2026-04-01T00:44:45.494000",
"created": "2026-03-01T04:54:29.384000",
"tags": [
"ipv4",
"active related",
"trojandropper",
"mtb jun",
"lowfi",
"trojan",
"mtb jan",
"fastly error",
"please",
"united",
"ttl value",
"get na",
"total",
"delete",
"search",
"yara detections",
"sinkhole cookie",
"value snkz",
"write",
"suspicious",
"ransom",
"malware",
"Ransom.Win32.Birele.gsg Checkin",
"AnubisNetworks Sinkhole Cookie Value Snkz",
"Possible Compromised Host",
"dynamicloader",
"delete c",
"default",
"medium",
"write c",
"settingswpad",
"intel",
"ms windows",
"users",
"number",
"title",
"installer",
"top source",
"top destination",
"source source",
"port",
"filehash",
"av detections",
"ids detections",
"yara rule",
"gravityrat",
"detectvm",
"x00 x00",
"x00x00",
"doviacmd",
"rootjob",
"getfiles",
"updateserver",
"ethernetid",
"ids signatures",
"exploits",
"sid name",
"malware cve",
"dns query",
"dnsbin demo",
"data exfil",
"exif data",
"DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr",
"DNSBin Demo (requestbin .net) - Data Exfitration",
"source port",
"destination",
"present sep",
"script urls",
"script script",
"a domains",
"script domains",
"ip address",
"meta",
"present nov",
"passive dns",
"next associated",
"domain add",
"pe executable",
"entries",
"show",
"msie",
"windows nt",
"wow64",
"copy",
"present jan",
"present feb",
"domain",
"pulse pulses",
"urls",
"files",
"tam legal",
"christopher ahmann",
"https://unicef.se/assets/apple",
"treece alfrey",
"hours ago",
"information",
"report spam",
"ahmann colorado",
"state",
"special cousel",
"created",
"expiro",
"capture"
],
"references": [
"Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN",
"Fastly Error and Palantir blocked several times over the last few months.",
"Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)",
"IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.",
"Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN",
"Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT",
"Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName",
"Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage",
"https://unicef.se/assets/apple"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/Neconyd.A",
"display_name": "Trojan:Win32/Neconyd.A",
"target": "/malware/Trojan:Win32/Neconyd.A"
},
{
"id": "PWS:Win32/QQpass.FC",
"display_name": "PWS:Win32/QQpass.FC",
"target": "/malware/PWS:Win32/QQpass.FC"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Malware.Urelas-9863836-0",
"display_name": "Win.Malware.Urelas-9863836-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Win.Trojan.Vundo-7170412-0",
"display_name": "Win.Trojan.Vundo-7170412-0",
"target": null
},
{
"id": "#Lowfi:SuspiciousSectionName",
"display_name": "#Lowfi:SuspiciousSectionName",
"target": null
},
{
"id": "Multiple Malware\u2019s , Trojans and Rats",
"display_name": "Multiple Malware\u2019s , Trojans and Rats",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6906bd99cadbd4140014c6af",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 909,
"domain": 454,
"hostname": 1404,
"URL": 3557,
"CIDR": 1,
"FileHash-MD5": 242,
"FileHash-SHA1": 185,
"email": 1,
"CVE": 1
},
"indicator_count": 6754,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "60 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b49ad5dd40a24d83cd6a72",
"name": "Chris P. Ahmann \u2022 PRIVATE PROPERTY Colorado State Fixer!",
"description": "",
"modified": "2026-03-13T23:16:37.716000",
"created": "2026-03-13T23:16:37.716000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69631fbd16e306ee2b76c4da",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "78 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b496396ca4987e95ad37d1",
"name": "Chris Buzz by QVashni (wow)",
"description": "",
"modified": "2026-03-13T22:56:57.314000",
"created": "2026-03-13T22:56:57.314000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69482caa00d327da8f0a87bc",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "78 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b49587dd104e342dda1628",
"name": "C Ahman Attorney Clone by Top Tier, Q.Vashti",
"description": "",
"modified": "2026-03-13T22:53:59.112000",
"created": "2026-03-13T22:53:59.112000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "78 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b92a27c47d4e28927364",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:26.110000",
"created": "2026-03-12T13:01:30.067000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 72,
"modified_text": "79 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b9295603a6100edfa8c8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:25.387000",
"created": "2026-03-12T13:01:29.284000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "79 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://jsdelivr.yangzupan.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://jsdelivr.yangzupan.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780226196.8872287
}