{ "type": "URL", "indicator": "https://kibana.fenix-batch-1.udtgroup.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://kibana.fenix-batch-1.udtgroup.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4172328738, "indicator": "https://kibana.fenix-batch-1.udtgroup.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69efc567ae24b8285a71099d", "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media", "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:21:59.824000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1037, "hostname": 865, "domain": 685, "URL": 2224, "FileHash-MD5": 131, "FileHash-SHA1": 94, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5051, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69efc7a6778f84c179d27073", "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]", "description": "", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:31:34.221000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "69efc567ae24b8285a71099d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1039, "hostname": 868, "domain": 687, "URL": 2226, "FileHash-MD5": 133, "FileHash-SHA1": 96, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5064, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d9b0e549af1aae2975ebeb", "name": "Virtual Servers \u2022 Tulach \u2022 Eternal Blue", "description": "Interesting. Further research required. \n\nhttps://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+\n\n\nhttps://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff90+IP:+Sweden%0A\\\\xfff0\\\\xff9f\\\\xff97\\\\xffba+Country:+SE+", "modified": "2026-05-11T02:31:44.768000", "created": "2026-04-11T02:24:37.102000", "tags": [ "related pulses", "apple", "imac", "itunes", "tulach", "active", "vercel", "ms windows", "intel", "yara rule", "lredmond", "rsds", "write c", "tls sni", "write", "install", "rijndael", "malware", "accept", "self", "mtb apr", "lowfi", "backdoor", "antigua", "trojandropper", "all ipv4", "urls", "prometheus", "files", "files ip", "address", "united", "unknown aaaa", "cname", "tags", "keepalived", "ip address", "red hat", "nat node", "gns3", "firefox", "ovn network", "instances", "forum", "linux", "dynamicloader", "exclusionpath", "medium", "high", "telegram api", "windows", "f rl", "highest sc", "guard", "april", "powershell", "c mar", "virtool", "c jan", "c dec", "urls show", "url hostname", "ransom", "click", "title", "njrat", "as64521i", "bird", "bgp", "virtual private", "virtual servers", "et exploit", "ms17010 echo", "response", "echo response", "asnone", "probe ms17010", "nids", "m2 ms17010", "regsetvalueexa", "service", "wannacry", "dock", "unknown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "mitre att", "defense evasion", "sha1", "sha256", "size", "pattern match", "ascii text", "path", "stop", "hybrid", "general", "local", "twitter", "strings", "core", "telegram", "tools" ], "references": [ "Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H IDS Detections Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE Probe MS17-010 (Generic Flags) Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , WannaCry_Ransomware_Gen , WannaDecryptor , stack_string , MS17_010_WanaCry_worm More Alerts nids_exploit", "https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+ Akamai rank: #2475\t URL https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff9", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0816.pdf", "https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f", "Trojans: 149.154.166.110 command_and_control (build your own telegram) 208.95.112.1 command_and_control", "prometheus.shorty.cicloinfinito.com", "Win.Packed.njRAT-10002074-1", "NJRat IDS Detections: Telegram API Domain in DNS Lookup", "NJRat IDS Detections: Observed Telegram API Domain (api .telegram .org in TLS SNI)", "NJRat IDS Detections: Telegram API Certificate Observed", "NJRat Yara Detections: ByteCode_MSIL_Backdoor_AsyncRAT", "NJRat Alerts: hardware_id_profiling network_cnc_https_pastesite persistence_autorun", "NJRat Alerts: persistence_autorun_tasks binary_yara procmem_yara suricata_alert", "NJRat Alerts: windows_defender_powershell network_document_file powershell_command_suspicious", "NJRat Alerts: suspicious_command_tools antidebug_guardpages antisandbox_sleep", "NJRat Alerts: dynamic_function_loading encrypted_ioc registers_vectored_exception_handler", "NJRat Alerts: http_request reads_memory_remote_process network_cnc_https_generic reads_self", "NJRat IP\u2019s Contacted 149.154.166.110 172.66.171.73", "NJRat Domains Contacted pastebin.com api.telegram.org", "192.168.122.200 BGP: Simulating Inter-network Dynamic Routing", "EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.105\", \"dst_port\": 49317, \"sid\": 2025650, \"date\": \"2020/06/18 11:39:48\", \"dst_ip\": \"192.168.56.103\" }, \"type\": \"ioc\", \"description\": null }, { \"category\": \"suricata\", \"ioc\": { \"src_port\": 445, \"name\": \"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.108\", \"dst_port\": 49324, " ], "public": 1, "adversary": "", "targeted_countries": [ "Japan", "United States of America", "China" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908396-0", "display_name": "Win.Trojan.Generic-9908396-0", "target": null }, { "id": "Win.Trojan.Crypted-30", "display_name": "Win.Trojan.Crypted-30", "target": null }, { "id": "Backdoor:Win32/Berbew", "display_name": "Backdoor:Win32/Berbew", "target": "/malware/Backdoor:Win32/Berbew" }, { "id": "Win.Malware.Score-6985947-1", "display_name": "Win.Malware.Score-6985947-1", "target": null }, { "id": "ALF:PWS:MSIL/Stealgen.GC!MTB", "display_name": "ALF:PWS:MSIL/Stealgen.GC!MTB", "target": null }, { "id": "Win.Packed.Zpack-10013367-0", "display_name": "Win.Packed.Zpack-10013367-0", "target": null }, { "id": "ALF:Trojan:Win32/FormBook.F!MTB", "display_name": "ALF:Trojan:Win32/FormBook.F!MTB", "target": null }, { "id": "Win.Malware.Renos-10003934-0", "display_name": "Win.Malware.Renos-10003934-0", "target": null }, { "id": "Win.Trojan.Razy-10016933-0", "display_name": "Win.Trojan.Razy-10016933-0", "target": null }, { "id": "#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.A", "display_name": "#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.A", "target": null }, { "id": "NJRat", "display_name": "NJRat", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Private Internet Access", "display_name": "Private Internet Access", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null }, { "id": "W32/WannaCryptor.491A!tr.ransom", "display_name": "W32/WannaCryptor.491A!tr.ransom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1584.003", "name": "Virtual Private Server", "display_name": "T1584.003 - Virtual Private Server" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1144", "name": "Gatekeeper Bypass", "display_name": "T1144 - Gatekeeper Bypass" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [ "Telecommunications", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 556, "domain": 206, "URL": 863, "FileHash-SHA256": 1589, "FileHash-MD5": 472, "FileHash-SHA1": 376, "SSLCertFingerprint": 11, "email": 1 }, "indicator_count": 4074, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69560fa62bddc3d965359168", "name": "Mirai H5DATACENTERS.COM \u2022 Regis University Blackout | Extranet", "description": "It was Data Center 5. \nH5DATACENTERS.COM \u2022 Regis University Blackout PrometheusIntelligenceTechnology.com - Extranet. Forced out of RU for finding malicious link that targeted , tracked ,conversations , behavior, etc., \u201cNo one willingly signed up to be tracked.\u201dis what Tsara told Dean Archer. He said he\u2019d never seen anything like this in his life. RU ignored the risks Tsara cautioned could irreparably damage incoming students college experience and negatively impact their future. I just hope the many students who attended do not continue to suffer. Guess who the villain was? The truth teller. \n\nToday activity has stepped up. Somehow the PIT Pulse has caused a crusade of aggressive following and investigation. \n\nThere may be 10,000 vs 1 in this battle. But the One is God.", "modified": "2026-01-31T03:04:09.490000", "created": "2026-01-01T06:09:42.057000", "tags": [ "http", "files related", "related tags", "ipv4", "ccus asnas20029", "urls", "domain", "files ip", "address domain", "ip whois", "passive dns", "gmt path", "hostname add", "files", "united", "a li", "trackingpin a", "ip address", "unknown aaaa", "error", "back", "darkness", "present sep", "a domains", "script urls", "unknown ns", "script domains", "meta", "apache", "body doctype", "gmt server", "url analysis", "path", "accept", "pragma", "west domains", "present dec", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "data upload", "extraction", "found", "datacenter", "hosting", "vps reverse", "america united", "america asn", "as398101", "body html", "head title", "title", "status", "name servers", "failed", "all se", "enter sc", "type", "extra data", "referen", "manualv add", "indicator data", "port", "destination", "south korea", "china as4134", "taiwan as3462", "as3786 lg", "as4766 korea", "as9318 sk", "high", "tcp syn", "trojan", "pegasus", "malware", "unknown", "search", "present jan", "pur sta", "uni idc", "cao oti", "dsp cor", "body", "win32", "united states", "pulse tags", "palantir", "ad maven", "technology", "url https", "url http", "indicator role", "title added", "active related", "Palantir", "Ad-Maven", "Palantir", "Ad- Maven", "Prometheus Intelligence Technology", "skynet", "starfield tech", "flock", "report spam", "palantir ad", "maven", "botnet", "created", "days ago", "education", "tsara", "mirai", "regis", "brashears", "discovery", "universities", "tsara brashears", "close", "stop", "ransom", "capture", "denver" ], "references": [ "H5DATACENTERS.COM Name Servers: NS74.DOMAINCONTROL.COM", "https://prometheusintelligencetechnology.com/pit/", "https://prometheusintelligencetechnology.com/404javascript.js", "https://www.secureserver.net/default404.aspx", "http://ocsp.starfieldtech.com/ 443 Certificate", "https://www.secureserver.net/default404.aspx Server: Microsoft-IIS/7.0", "Set-Cookie: market=en-US; domain=secureserver.net; expires=path=/ P3P:", "\u201cCNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND\"", "Powered-By: ARR/2.5 X-Powered-By: ASP.NET", "href= here /a . /h2 /body /html 443 Header \u2022 HTTP/1.1 302 Found Content-Length: 161", "Location: policyref=\"/w3c/p3p.xml\", CP=\"COM X-P3P: policyref=\"/w3c/p3p.xml\", CP=\"COM", "\u201cCNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND\"", "(Date: Tue, 13 Jun 2017 10:21:34 GMT 443 )", "Certificate Crldistributionpoints", "http://crl.starfieldtech.com/sfig2s2-0.crl 443", "Certificate Subjectaltname\t*.secureserver.net 443 Certificate Subjectaltname\tsecureserver.net", "443 Certificate Notbefore\tAug 25 16:21:59 2014 GMT 443 Certificate Caissuers", "Serialnumber\t27B78B2246C9C1 443 Certificate Notafter \u2022 Aug 25 16:21:59 2017 GMT 443", "Certificate Version 3 443 Certificate Subject\tUS 443 Certificate Subject\tArizona 443", "Certificate Subject Scottsdale 443 Certificate Subject\tSpecial Domain Services, LLC 443", "Certificate Issuer\tStarfield Technologies, Inc. 443 Certificate Issuer", "http://certs.starfieldtech.com/repository/ 443", "Certificate Issuer: Starfield Secure Certificate Authority - G2 443 Title: Object moved 443", "A Domains \u2022 www.secureserver.net 443 Certificate", "Object moved /title /head body h2 Object moved to a href= http://www.secureserver.net/default404.aspx", "80 Body\t here /a . /h2 /body /html 80 Header\tHTTP/1.1 302 Found Cache-Control: private", "Content-Length: 160 Location: http://www.secureserver.net/default404.aspx", "Server: Microsoft-IIS/7.0 Set-Cookie: market=en-US; domain=secureserver.net;", "expires=Wed, 13-Jun-2018 10:21:35 GMT; path=/ P3P: policyref=\"/w3c/p3p.xml\",", "CP=\"COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND\"", "X-Powered-By: ARR/2.5 X-Powered-By: ASP.NET P3P: policyref=\"/w3c/p3p.xml\", CP=\"", "\u201cCOM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND\"", "Date: Tue, 13 Jun 2017 10:21:34 GMT", "Sha1 :e4ca8288d5e4912a00482418765b58a2e22fd5dc", "TrackingPin (Error) A Domains: trackingpin.com \u2022 Domains: forum.trackingpin.org", "PDNS11.DOMAINCONTROL.COM", "https://otx.alienvault.com/indicator/domain/secureserver.net", "Unix.TrojanMirai-7640640-0 IDS Detections Bad Login root login Yara Detections is__elf", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication", "https://den.h5datacenters.com/", "http://prometheusintelligencetechnology.com/pitframeitem=22fsbout-regis-univer", "register.blackgirldroneworld.com (Is this racist)", "https://stetsed.xyz/apple", "Palantir Ad-Maven Palantir, Ad- Maven, Prometheus Intelligence Technology", "Review: Jeffrey Reimer DPT assaulted & egregiously injured a patient at AMS Concentra in Denver, Co", "It\u2019s was sexual and violent. Patient was under the oversight of Mark Montano MD and John T. Sacha MD", "Patient/ Victim unaware of her workers compensation rights.", "Do you line how they spend your tax dollars? Attacking victims? Protecting Corporations!", "Quasi Government, Meta, Twitter , Palantir , Gotham , Christopher P. Ahmann , Brian Sabey", "I haven\u2019t mentioned the hit men they hired.", "Fastly.com", "www.skynetsoftware.com", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroid&ver=1.999&key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&platform=Android®=&devId=92841014150fc3fd&devInfo=&devEmail=&width=480&height=764&owner=19&model=Lenovo A360t", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroidPro&ver=2.800&key=2w6i4y1r0sdz6q9gchjcpkal0oaiem4u8ncy3bct1vcr8e6x2w&platform=Android&devId=92841014150fc3fd&width=480&height=764&owner=19&model=Lenovo%20A360t", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroidPro&ver=3.700&key=53dbnf9wrz8vc0m5xfve2q1w2r4x8fv0g1b8sfg7qi0rdxck2j&platform=Android&devId=dc9c9a616665e073&width=800&height=561&owner=19&model=VirtualBox", "http://www.skynetsoftware.com/myPlayer/myPlayerDroid.xml" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Virus:Win32/Triusor.A", "display_name": "Virus:Win32/Triusor.A", "target": "/malware/Virus:Win32/Triusor.A" }, { "id": "!InstallCreatorPro_2_0", "display_name": "!InstallCreatorPro_2_0", "target": null }, { "id": "Unix.Trojan.Mirai-7640640-0", "display_name": "Unix.Trojan.Mirai-7640640-0", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win.Downloader", "display_name": "Win.Downloader", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Education", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2817, "domain": 487, "hostname": 983, "FileHash-SHA256": 611, "FileHash-MD5": 107, "FileHash-SHA1": 106, "email": 2 }, "indicator_count": 5113, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "https://prometheusintelligencetechnology.com/404javascript.js", "prometheus.shorty.cicloinfinito.com", "(Date: Tue, 13 Jun 2017 10:21:34 GMT 443 )", "Fastly.com", "Certificate Subject Scottsdale 443 Certificate Subject\tSpecial Domain Services, LLC 443", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroid&ver=1.999&key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&platform=Android®=&devId=92841014150fc3fd&devInfo=&devEmail=&width=480&height=764&owner=19&model=Lenovo A360t", "Content-Length: 160 Location: http://www.secureserver.net/default404.aspx", "Unix.TrojanMirai-7640640-0 IDS Detections Bad Login root login Yara Detections is__elf", "NJRat Yara Detections: ByteCode_MSIL_Backdoor_AsyncRAT", "expires=Wed, 13-Jun-2018 10:21:35 GMT; path=/ P3P: policyref=\"/w3c/p3p.xml\",", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE", "http://crl.starfieldtech.com/sfig2s2-0.crl 443", "\u201cCOM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND\"", "NJRat IDS Detections: Telegram API Domain in DNS Lookup", "Quasi Government, Meta, Twitter , Palantir , Gotham , Christopher P. Ahmann , Brian Sabey", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "https://www.secureserver.net/default404.aspx", "https://prometheusintelligencetechnology.com/pit/", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0816.pdf", "https://www.secureserver.net/default404.aspx Server: Microsoft-IIS/7.0", "Certificate Issuer: Starfield Secure Certificate Authority - G2 443 Title: Object moved 443", "I haven\u2019t mentioned the hit men they hired.", "Win.Packed.njRAT-10002074-1", "192.168.122.200 BGP: Simulating Inter-network Dynamic Routing", "NJRat IDS Detections: Observed Telegram API Domain (api .telegram .org in TLS SNI)", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "Patient/ Victim unaware of her workers compensation rights.", "Date: Tue, 13 Jun 2017 10:21:34 GMT", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication", "A Domains \u2022 www.secureserver.net 443 Certificate", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+ Akamai rank: #2475\t URL https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff9", "\u201cCNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND\"", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroidPro&ver=3.700&key=53dbnf9wrz8vc0m5xfve2q1w2r4x8fv0g1b8sfg7qi0rdxck2j&platform=Android&devId=dc9c9a616665e073&width=800&height=561&owner=19&model=VirtualBox", "443 Certificate Notbefore\tAug 25 16:21:59 2014 GMT 443 Certificate Caissuers", "bell.ca", "Server: Microsoft-IIS/7.0 Set-Cookie: market=en-US; domain=secureserver.net;", "Location: policyref=\"/w3c/p3p.xml\", CP=\"COM X-P3P: policyref=\"/w3c/p3p.xml\", CP=\"COM", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "NJRat Alerts: hardware_id_profiling network_cnc_https_pastesite persistence_autorun", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "Certificate Issuer\tStarfield Technologies, Inc. 443 Certificate Issuer", "Powered-By: ARR/2.5 X-Powered-By: ASP.NET", "Do you line how they spend your tax dollars? Attacking victims? Protecting Corporations!", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "http://www.skynetsoftware.com/myPlayer/myPlayerDroid.xml", "NJRat IDS Detections: Telegram API Certificate Observed", "NJRat Alerts: suspicious_command_tools antidebug_guardpages antisandbox_sleep", "NJRat Alerts: dynamic_function_loading encrypted_ioc registers_vectored_exception_handler", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Certificate Crldistributionpoints", "www.skynetsoftware.com", "https://stetsed.xyz/apple", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Trojans: 149.154.166.110 command_and_control (build your own telegram) 208.95.112.1 command_and_control", "Certificate Version 3 443 Certificate Subject\tUS 443 Certificate Subject\tArizona 443", "http://ocsp.starfieldtech.com/ 443 Certificate", "Sha1 :e4ca8288d5e4912a00482418765b58a2e22fd5dc", "TrackingPin (Error) A Domains: trackingpin.com \u2022 Domains: forum.trackingpin.org", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "http://certs.starfieldtech.com/repository/ 443", "CP=\"COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND\"", "NJRat IP\u2019s Contacted 149.154.166.110 172.66.171.73", "NJRat Alerts: http_request reads_memory_remote_process network_cnc_https_generic reads_self", "Review: Jeffrey Reimer DPT assaulted & egregiously injured a patient at AMS Concentra in Denver, Co", "Backdoor.Win32.Pushdo.s Checkin", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "Name Servers PDNS1.ULTRADNS.NET Org", "https://den.h5datacenters.com/", "https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f", "register.blackgirldroneworld.com (Is this racist)", "Set-Cookie: market=en-US; domain=secureserver.net; expires=path=/ P3P:", "NJRat Domains Contacted pastebin.com api.telegram.org", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "X-Powered-By: ARR/2.5 X-Powered-By: ASP.NET P3P: policyref=\"/w3c/p3p.xml\", CP=\"", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "H5DATACENTERS.COM Name Servers: NS74.DOMAINCONTROL.COM", "Certificate Subjectaltname\t*.secureserver.net 443 Certificate Subjectaltname\tsecureserver.net", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Serialnumber\t27B78B2246C9C1 443 Certificate Notafter \u2022 Aug 25 16:21:59 2017 GMT 443", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Object moved /title /head body h2 Object moved to a href= http://www.secureserver.net/default404.aspx", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.105\", \"dst_port\": 49317, \"sid\": 2025650, \"date\": \"2020/06/18 11:39:48\", \"dst_ip\": \"192.168.56.103\" }, \"type\": \"ioc\", \"description\": null }, { \"category\": \"suricata\", \"ioc\": { \"src_port\": 445, \"name\": \"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.108\", \"dst_port\": 49324, ", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroidPro&ver=2.800&key=2w6i4y1r0sdz6q9gchjcpkal0oaiem4u8ncy3bct1vcr8e6x2w&platform=Android&devId=92841014150fc3fd&width=480&height=764&owner=19&model=Lenovo%20A360t", "NJRat Alerts: persistence_autorun_tasks binary_yara procmem_yara suricata_alert", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "80 Body\t here /a . /h2 /body /html 80 Header\tHTTP/1.1 302 Found Cache-Control: private", "It\u2019s was sexual and violent. Patient was under the oversight of Mark Montano MD and John T. Sacha MD", "NJRat Alerts: windows_defender_powershell network_document_file powershell_command_suspicious", "href= here /a . /h2 /body /html 443 Header \u2022 HTTP/1.1 302 Found Content-Length: 161", "Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H IDS Detections Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE Probe MS17-010 (Generic Flags) Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , WannaCry_Ransomware_Gen , WannaDecryptor , stack_string , MS17_010_WanaCry_worm More Alerts nids_exploit", "http://prometheusintelligencetechnology.com/pitframeitem=22fsbout-regis-univer", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "PDNS11.DOMAINCONTROL.COM", "\u201cCNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND\"", "Palantir Ad-Maven Palantir, Ad- Maven, Prometheus Intelligence Technology", "https://otx.alienvault.com/indicator/domain/secureserver.net" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.downloader", "Trojandownloader:win32/cutwail.bv", "Win.trojan.generic-9908396-0", "Unix.trojan.mirai-7640640-0", "Mirai", "Win.packed.zpack-10013367-0", "Win.malware.score-6985947-1", "#lowfienabledtcontinueafterunpacking", "Alf:pws:msil/stealgen.gc!mtb", "Win.trojan.razy-10016933-0", "#lowfi:aggr:hstr:win32/possiblekeylogger.a", "Malware packed", "Private internet access", "Virus:win32/triusor.a", "!installcreatorpro_2_0", "W32/wannacryptor.491a!tr.ransom", "Alf:trojan:win32/formbook.f!mtb", "Win.trojan.pushdo-20", "Win.trojan.crypted-30", "Et", "Nids", "World media", "Win.malware.renos-10003934-0", "Trojandownloader:win32/cutwail.bs", "Backdoor:win32/berbew", "Cve-2022-26134", "Njrat", "Slf:msil/pstanomaly.a" ], "industries": [ "Technology", "Education", "Judicial", "Civil society", "Government", "Telecommunications", "Legal" ], "unique_indicators": 14815 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/udtgroup.com", "whois": "http://whois.domaintools.com/udtgroup.com", "domain": "udtgroup.com", "hostname": "kibana.fenix-batch-1.udtgroup.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69efc567ae24b8285a71099d", "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media", "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:21:59.824000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1037, "hostname": 865, "domain": 685, "URL": 2224, "FileHash-MD5": 131, "FileHash-SHA1": 94, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5051, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69efc7a6778f84c179d27073", "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]", "description": "", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:31:34.221000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "69efc567ae24b8285a71099d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1039, "hostname": 868, "domain": 687, "URL": 2226, "FileHash-MD5": 133, "FileHash-SHA1": 96, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5064, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d9b0e549af1aae2975ebeb", "name": "Virtual Servers \u2022 Tulach \u2022 Eternal Blue", "description": "Interesting. Further research required. \n\nhttps://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+\n\n\nhttps://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff90+IP:+Sweden%0A\\\\xfff0\\\\xff9f\\\\xff97\\\\xffba+Country:+SE+", "modified": "2026-05-11T02:31:44.768000", "created": "2026-04-11T02:24:37.102000", "tags": [ "related pulses", "apple", "imac", "itunes", "tulach", "active", "vercel", "ms windows", "intel", "yara rule", "lredmond", "rsds", "write c", "tls sni", "write", "install", "rijndael", "malware", "accept", "self", "mtb apr", "lowfi", "backdoor", "antigua", "trojandropper", "all ipv4", "urls", "prometheus", "files", "files ip", "address", "united", "unknown aaaa", "cname", "tags", "keepalived", "ip address", "red hat", "nat node", "gns3", "firefox", "ovn network", "instances", "forum", "linux", "dynamicloader", "exclusionpath", "medium", "high", "telegram api", "windows", "f rl", "highest sc", "guard", "april", "powershell", "c mar", "virtool", "c jan", "c dec", "urls show", "url hostname", "ransom", "click", "title", "njrat", "as64521i", "bird", "bgp", "virtual private", "virtual servers", "et exploit", "ms17010 echo", "response", "echo response", "asnone", "probe ms17010", "nids", "m2 ms17010", "regsetvalueexa", "service", "wannacry", "dock", "unknown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "mitre att", "defense evasion", "sha1", "sha256", "size", "pattern match", "ascii text", "path", "stop", "hybrid", "general", "local", "twitter", "strings", "core", "telegram", "tools" ], "references": [ "Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H IDS Detections Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE Probe MS17-010 (Generic Flags) Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , WannaCry_Ransomware_Gen , WannaDecryptor , stack_string , MS17_010_WanaCry_worm More Alerts nids_exploit", "https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+ Akamai rank: #2475\t URL https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff9", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0816.pdf", "https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f", "Trojans: 149.154.166.110 command_and_control (build your own telegram) 208.95.112.1 command_and_control", "prometheus.shorty.cicloinfinito.com", "Win.Packed.njRAT-10002074-1", "NJRat IDS Detections: Telegram API Domain in DNS Lookup", "NJRat IDS Detections: Observed Telegram API Domain (api .telegram .org in TLS SNI)", "NJRat IDS Detections: Telegram API Certificate Observed", "NJRat Yara Detections: ByteCode_MSIL_Backdoor_AsyncRAT", "NJRat Alerts: hardware_id_profiling network_cnc_https_pastesite persistence_autorun", "NJRat Alerts: persistence_autorun_tasks binary_yara procmem_yara suricata_alert", "NJRat Alerts: windows_defender_powershell network_document_file powershell_command_suspicious", "NJRat Alerts: suspicious_command_tools antidebug_guardpages antisandbox_sleep", "NJRat Alerts: dynamic_function_loading encrypted_ioc registers_vectored_exception_handler", "NJRat Alerts: http_request reads_memory_remote_process network_cnc_https_generic reads_self", "NJRat IP\u2019s Contacted 149.154.166.110 172.66.171.73", "NJRat Domains Contacted pastebin.com api.telegram.org", "192.168.122.200 BGP: Simulating Inter-network Dynamic Routing", "EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.105\", \"dst_port\": 49317, \"sid\": 2025650, \"date\": \"2020/06/18 11:39:48\", \"dst_ip\": \"192.168.56.103\" }, \"type\": \"ioc\", \"description\": null }, { \"category\": \"suricata\", \"ioc\": { \"src_port\": 445, \"name\": \"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.108\", \"dst_port\": 49324, " ], "public": 1, "adversary": "", "targeted_countries": [ "Japan", "United States of America", "China" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908396-0", "display_name": "Win.Trojan.Generic-9908396-0", "target": null }, { "id": "Win.Trojan.Crypted-30", "display_name": "Win.Trojan.Crypted-30", "target": null }, { "id": "Backdoor:Win32/Berbew", "display_name": "Backdoor:Win32/Berbew", "target": "/malware/Backdoor:Win32/Berbew" }, { "id": "Win.Malware.Score-6985947-1", "display_name": "Win.Malware.Score-6985947-1", "target": null }, { "id": "ALF:PWS:MSIL/Stealgen.GC!MTB", "display_name": "ALF:PWS:MSIL/Stealgen.GC!MTB", "target": null }, { "id": "Win.Packed.Zpack-10013367-0", "display_name": "Win.Packed.Zpack-10013367-0", "target": null }, { "id": "ALF:Trojan:Win32/FormBook.F!MTB", "display_name": "ALF:Trojan:Win32/FormBook.F!MTB", "target": null }, { "id": "Win.Malware.Renos-10003934-0", "display_name": "Win.Malware.Renos-10003934-0", "target": null }, { "id": "Win.Trojan.Razy-10016933-0", "display_name": "Win.Trojan.Razy-10016933-0", "target": null }, { "id": "#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.A", "display_name": "#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.A", "target": null }, { "id": "NJRat", "display_name": "NJRat", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Private Internet Access", "display_name": "Private Internet Access", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null }, { "id": "W32/WannaCryptor.491A!tr.ransom", "display_name": "W32/WannaCryptor.491A!tr.ransom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1584.003", "name": "Virtual Private Server", "display_name": "T1584.003 - Virtual Private Server" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1144", "name": "Gatekeeper Bypass", "display_name": "T1144 - Gatekeeper Bypass" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [ "Telecommunications", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 556, "domain": 206, "URL": 863, "FileHash-SHA256": 1589, "FileHash-MD5": 472, "FileHash-SHA1": 376, "SSLCertFingerprint": 11, "email": 1 }, "indicator_count": 4074, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69560fa62bddc3d965359168", "name": "Mirai H5DATACENTERS.COM \u2022 Regis University Blackout | Extranet", "description": "It was Data Center 5. \nH5DATACENTERS.COM \u2022 Regis University Blackout PrometheusIntelligenceTechnology.com - Extranet. Forced out of RU for finding malicious link that targeted , tracked ,conversations , behavior, etc., \u201cNo one willingly signed up to be tracked.\u201dis what Tsara told Dean Archer. He said he\u2019d never seen anything like this in his life. RU ignored the risks Tsara cautioned could irreparably damage incoming students college experience and negatively impact their future. I just hope the many students who attended do not continue to suffer. Guess who the villain was? The truth teller. \n\nToday activity has stepped up. Somehow the PIT Pulse has caused a crusade of aggressive following and investigation. \n\nThere may be 10,000 vs 1 in this battle. But the One is God.", "modified": "2026-01-31T03:04:09.490000", "created": "2026-01-01T06:09:42.057000", "tags": [ "http", "files related", "related tags", "ipv4", "ccus asnas20029", "urls", "domain", "files ip", "address domain", "ip whois", "passive dns", "gmt path", "hostname add", "files", "united", "a li", "trackingpin a", "ip address", "unknown aaaa", "error", "back", "darkness", "present sep", "a domains", "script urls", "unknown ns", "script domains", "meta", "apache", "body doctype", "gmt server", "url analysis", "path", "accept", "pragma", "west domains", "present dec", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "data upload", "extraction", "found", "datacenter", "hosting", "vps reverse", "america united", "america asn", "as398101", "body html", "head title", "title", "status", "name servers", "failed", "all se", "enter sc", "type", "extra data", "referen", "manualv add", "indicator data", "port", "destination", "south korea", "china as4134", "taiwan as3462", "as3786 lg", "as4766 korea", "as9318 sk", "high", "tcp syn", "trojan", "pegasus", "malware", "unknown", "search", "present jan", "pur sta", "uni idc", "cao oti", "dsp cor", "body", "win32", "united states", "pulse tags", "palantir", "ad maven", "technology", "url https", "url http", "indicator role", "title added", "active related", "Palantir", "Ad-Maven", "Palantir", "Ad- Maven", "Prometheus Intelligence Technology", "skynet", "starfield tech", "flock", "report spam", "palantir ad", "maven", "botnet", "created", "days ago", "education", "tsara", "mirai", "regis", "brashears", "discovery", "universities", "tsara brashears", "close", "stop", "ransom", "capture", "denver" ], "references": [ "H5DATACENTERS.COM Name Servers: NS74.DOMAINCONTROL.COM", "https://prometheusintelligencetechnology.com/pit/", "https://prometheusintelligencetechnology.com/404javascript.js", "https://www.secureserver.net/default404.aspx", "http://ocsp.starfieldtech.com/ 443 Certificate", "https://www.secureserver.net/default404.aspx Server: Microsoft-IIS/7.0", "Set-Cookie: market=en-US; domain=secureserver.net; expires=path=/ P3P:", "\u201cCNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND\"", "Powered-By: ARR/2.5 X-Powered-By: ASP.NET", "href= here /a . /h2 /body /html 443 Header \u2022 HTTP/1.1 302 Found Content-Length: 161", "Location: policyref=\"/w3c/p3p.xml\", CP=\"COM X-P3P: policyref=\"/w3c/p3p.xml\", CP=\"COM", "\u201cCNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND\"", "(Date: Tue, 13 Jun 2017 10:21:34 GMT 443 )", "Certificate Crldistributionpoints", "http://crl.starfieldtech.com/sfig2s2-0.crl 443", "Certificate Subjectaltname\t*.secureserver.net 443 Certificate Subjectaltname\tsecureserver.net", "443 Certificate Notbefore\tAug 25 16:21:59 2014 GMT 443 Certificate Caissuers", "Serialnumber\t27B78B2246C9C1 443 Certificate Notafter \u2022 Aug 25 16:21:59 2017 GMT 443", "Certificate Version 3 443 Certificate Subject\tUS 443 Certificate Subject\tArizona 443", "Certificate Subject Scottsdale 443 Certificate Subject\tSpecial Domain Services, LLC 443", "Certificate Issuer\tStarfield Technologies, Inc. 443 Certificate Issuer", "http://certs.starfieldtech.com/repository/ 443", "Certificate Issuer: Starfield Secure Certificate Authority - G2 443 Title: Object moved 443", "A Domains \u2022 www.secureserver.net 443 Certificate", "Object moved /title /head body h2 Object moved to a href= http://www.secureserver.net/default404.aspx", "80 Body\t here /a . /h2 /body /html 80 Header\tHTTP/1.1 302 Found Cache-Control: private", "Content-Length: 160 Location: http://www.secureserver.net/default404.aspx", "Server: Microsoft-IIS/7.0 Set-Cookie: market=en-US; domain=secureserver.net;", "expires=Wed, 13-Jun-2018 10:21:35 GMT; path=/ P3P: policyref=\"/w3c/p3p.xml\",", "CP=\"COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND\"", "X-Powered-By: ARR/2.5 X-Powered-By: ASP.NET P3P: policyref=\"/w3c/p3p.xml\", CP=\"", "\u201cCOM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND\"", "Date: Tue, 13 Jun 2017 10:21:34 GMT", "Sha1 :e4ca8288d5e4912a00482418765b58a2e22fd5dc", "TrackingPin (Error) A Domains: trackingpin.com \u2022 Domains: forum.trackingpin.org", "PDNS11.DOMAINCONTROL.COM", "https://otx.alienvault.com/indicator/domain/secureserver.net", "Unix.TrojanMirai-7640640-0 IDS Detections Bad Login root login Yara Detections is__elf", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication", "https://den.h5datacenters.com/", "http://prometheusintelligencetechnology.com/pitframeitem=22fsbout-regis-univer", "register.blackgirldroneworld.com (Is this racist)", "https://stetsed.xyz/apple", "Palantir Ad-Maven Palantir, Ad- Maven, Prometheus Intelligence Technology", "Review: Jeffrey Reimer DPT assaulted & egregiously injured a patient at AMS Concentra in Denver, Co", "It\u2019s was sexual and violent. Patient was under the oversight of Mark Montano MD and John T. Sacha MD", "Patient/ Victim unaware of her workers compensation rights.", "Do you line how they spend your tax dollars? Attacking victims? Protecting Corporations!", "Quasi Government, Meta, Twitter , Palantir , Gotham , Christopher P. Ahmann , Brian Sabey", "I haven\u2019t mentioned the hit men they hired.", "Fastly.com", "www.skynetsoftware.com", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroid&ver=1.999&key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&platform=Android®=&devId=92841014150fc3fd&devInfo=&devEmail=&width=480&height=764&owner=19&model=Lenovo A360t", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroidPro&ver=2.800&key=2w6i4y1r0sdz6q9gchjcpkal0oaiem4u8ncy3bct1vcr8e6x2w&platform=Android&devId=92841014150fc3fd&width=480&height=764&owner=19&model=Lenovo%20A360t", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroidPro&ver=3.700&key=53dbnf9wrz8vc0m5xfve2q1w2r4x8fv0g1b8sfg7qi0rdxck2j&platform=Android&devId=dc9c9a616665e073&width=800&height=561&owner=19&model=VirtualBox", "http://www.skynetsoftware.com/myPlayer/myPlayerDroid.xml" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Virus:Win32/Triusor.A", "display_name": "Virus:Win32/Triusor.A", "target": "/malware/Virus:Win32/Triusor.A" }, { "id": "!InstallCreatorPro_2_0", "display_name": "!InstallCreatorPro_2_0", "target": null }, { "id": "Unix.Trojan.Mirai-7640640-0", "display_name": "Unix.Trojan.Mirai-7640640-0", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win.Downloader", "display_name": "Win.Downloader", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Education", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2817, "domain": 487, "hostname": 983, "FileHash-SHA256": 611, "FileHash-MD5": 107, "FileHash-SHA1": 106, "email": 2 }, "indicator_count": 5113, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://kibana.fenix-batch-1.udtgroup.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://kibana.fenix-batch-1.udtgroup.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780215687.138995 }