{
"type": "URL",
"indicator": "https://l.us-1.a.mimecastprotect.com/l",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://l.us-1.a.mimecastprotect.com/l",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4079095692,
"indicator": "https://l.us-1.a.mimecastprotect.com/l",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 32,
"pulses": [
{
"id": "6a132a7a71682c83e9c17835",
"name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox",
"description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa",
"modified": "2026-05-26T06:44:42.987000",
"created": "2026-05-24T16:42:34.355000",
"tags": [
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"csv text",
"altitude",
"south shore",
"uas imagery",
"massachusetts",
"marshfield",
"scituate",
"hingham",
"norwell",
"hanover",
"pembroke",
"epub document",
"structure ebook",
"zip document",
"epub",
"nigel poulton",
"docker deep",
"nielson book",
"docker",
"single book",
"anna",
"dive",
"dive zero",
"deep dive",
"zero",
"script",
"ieedge",
"squarespace",
"drones",
"title",
"secchuamodel",
"link",
"static",
"supporte",
"marshfield ldap",
"marshfield ssl",
"certificate",
"common name",
"issued",
"charter",
"llc united",
"statesunited",
"new london",
"diesel",
"comcast ip",
"derry village",
"ssl certificate",
"encrypt",
"comcast cable",
"communications",
"boston",
"key identifier",
"x509v3 subject",
"full name",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"ca1 validity",
"cus stnew",
"range",
"cidr",
"network name",
"type",
"status",
"whois server",
"entity squar30",
"handle",
"net198",
"net1980000",
"squar30",
"varick st",
"city",
"new york",
"stateprov",
"postalcode",
"orgtechhandle",
"orgtechref",
"orgabusehandle",
"orgabuseref",
"orgnochandle",
"orgnocref",
"p version",
"address range",
"span",
"google public",
"form",
"doctype html",
"google",
"public dns",
"head",
"public",
"footer",
"body",
"file type",
"ascii text",
"python script",
"python",
"writes shell",
"unicode text",
"utf8 text",
"ascii",
"writes",
"sample",
"persistence",
"defense evasion",
"info",
"next",
"performs dns",
"united",
"urls",
"found",
"https",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"layer protocol",
"phishing",
"headers age",
"homenet",
"et info",
"file hosting",
"service domain",
"domain",
"dns lookup",
"clientendpoint",
"perimeter",
"high",
"informational",
"domain related",
"as54113",
"top source",
"top destination",
"source source",
"status domain",
"tcp include",
"udp include",
"country united",
"unique",
"ja3 clients",
"destination ip",
"dest port",
"ja3 ja3",
"digest",
"cache",
"california",
"san francisco",
"fastly",
"globalsign",
"title pypi",
"package",
"a domains",
"accept",
"showing",
"entries",
"previous",
"domains show",
"search",
"amazon ec2",
"orgnocemail",
"net75",
"net750000",
"amazon web",
"services",
"ip routing",
"nethandle",
"amazo4",
"aws rpki",
"historical ssl",
"certificates",
"first",
"thumbprint",
"graph summary",
"algorithm",
"number",
"issuer",
"cus cnlet",
"x3 olet",
"subject public",
"key info",
"key algorithm",
"pdf document",
"adobe portable",
"document format",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"sha1",
"acrongl integ",
"adc4240758",
"shutdown",
"sqlite version",
"sqlite rollback",
"utf8",
"json",
"creates",
"journal",
"malicious",
"resolutions",
"date",
"detection",
"hostmaster",
"amazon legal",
"dept",
"amazon",
"code",
"email",
"icann whois",
"nv admin",
"phone",
"stateprovince",
"tech",
"gatsby",
"golf",
"hrhrhr"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf",
"https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx",
"https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Norwell",
"display_name": "Norwell",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1765,
"URL": 1325,
"hostname": 1489,
"FileHash-MD5": 224,
"FileHash-SHA1": 268,
"IPv4": 152,
"domain": 1177,
"CIDR": 4,
"email": 11,
"IPv6": 1,
"URI": 3,
"CVE": 2,
"SSLCertFingerprint": 2,
"Mutex": 2
},
"indicator_count": 6425,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "7 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6a132a7a34bcc860b0e44ffc",
"name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox",
"description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa",
"modified": "2026-05-24T16:42:34.350000",
"created": "2026-05-24T16:42:34.350000",
"tags": [
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"csv text",
"altitude",
"south shore",
"uas imagery",
"massachusetts",
"marshfield",
"scituate",
"hingham",
"norwell",
"hanover",
"pembroke",
"epub document",
"structure ebook",
"zip document",
"epub",
"nigel poulton",
"docker deep",
"nielson book",
"docker",
"single book",
"anna",
"dive",
"dive zero",
"deep dive",
"zero",
"script",
"ieedge",
"squarespace",
"drones",
"title",
"secchuamodel",
"link",
"static",
"supporte",
"marshfield ldap",
"marshfield ssl",
"certificate",
"common name",
"issued",
"charter",
"llc united",
"statesunited",
"new london",
"diesel",
"comcast ip",
"derry village",
"ssl certificate",
"encrypt",
"comcast cable",
"communications",
"boston",
"key identifier",
"x509v3 subject",
"full name",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"ca1 validity",
"cus stnew",
"range",
"cidr",
"network name",
"type",
"status",
"whois server",
"entity squar30",
"handle",
"net198",
"net1980000",
"squar30",
"varick st",
"city",
"new york",
"stateprov",
"postalcode",
"orgtechhandle",
"orgtechref",
"orgabusehandle",
"orgabuseref",
"orgnochandle",
"orgnocref",
"p version",
"address range",
"span",
"google public",
"form",
"doctype html",
"google",
"public dns",
"head",
"public",
"footer",
"body",
"file type",
"ascii text",
"python script",
"python",
"writes shell",
"unicode text",
"utf8 text",
"ascii",
"writes",
"sample",
"persistence",
"defense evasion",
"info",
"next",
"performs dns",
"united",
"urls",
"found",
"https",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"layer protocol",
"phishing",
"headers age",
"homenet",
"et info",
"file hosting",
"service domain",
"domain",
"dns lookup",
"clientendpoint",
"perimeter",
"high",
"informational",
"domain related",
"as54113",
"top source",
"top destination",
"source source",
"status domain",
"tcp include",
"udp include",
"country united",
"unique",
"ja3 clients",
"destination ip",
"dest port",
"ja3 ja3",
"digest",
"cache",
"california",
"san francisco",
"fastly",
"globalsign",
"title pypi",
"package",
"a domains",
"accept",
"showing",
"entries",
"previous",
"domains show",
"search",
"amazon ec2",
"orgnocemail",
"net75",
"net750000",
"amazon web",
"services",
"ip routing",
"nethandle",
"amazo4",
"aws rpki",
"historical ssl",
"certificates",
"first",
"thumbprint",
"graph summary",
"algorithm",
"number",
"issuer",
"cus cnlet",
"x3 olet",
"subject public",
"key info",
"key algorithm",
"pdf document",
"adobe portable",
"document format",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"sha1",
"acrongl integ",
"adc4240758",
"shutdown",
"sqlite version",
"sqlite rollback",
"utf8",
"json",
"creates",
"journal",
"malicious",
"resolutions",
"date",
"detection",
"hostmaster",
"amazon legal",
"dept",
"amazon",
"code",
"email",
"icann whois",
"nv admin",
"phone",
"stateprovince",
"tech",
"gatsby",
"golf",
"hrhrhr"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf",
"https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx",
"https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Norwell",
"display_name": "Norwell",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1686,
"URL": 1309,
"hostname": 1474,
"FileHash-MD5": 166,
"FileHash-SHA1": 204,
"IPv4": 152,
"domain": 1177,
"CIDR": 3,
"email": 11,
"IPv6": 1,
"URI": 1,
"CVE": 1,
"SSLCertFingerprint": 2,
"Mutex": 2
},
"indicator_count": 6189,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6a132a7762cac9a1007d9ece",
"name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox",
"description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa",
"modified": "2026-05-24T16:42:31.294000",
"created": "2026-05-24T16:42:31.294000",
"tags": [
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"csv text",
"altitude",
"south shore",
"uas imagery",
"massachusetts",
"marshfield",
"scituate",
"hingham",
"norwell",
"hanover",
"pembroke",
"epub document",
"structure ebook",
"zip document",
"epub",
"nigel poulton",
"docker deep",
"nielson book",
"docker",
"single book",
"anna",
"dive",
"dive zero",
"deep dive",
"zero",
"script",
"ieedge",
"squarespace",
"drones",
"title",
"secchuamodel",
"link",
"static",
"supporte",
"marshfield ldap",
"marshfield ssl",
"certificate",
"common name",
"issued",
"charter",
"llc united",
"statesunited",
"new london",
"diesel",
"comcast ip",
"derry village",
"ssl certificate",
"encrypt",
"comcast cable",
"communications",
"boston",
"key identifier",
"x509v3 subject",
"full name",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"ca1 validity",
"cus stnew",
"range",
"cidr",
"network name",
"type",
"status",
"whois server",
"entity squar30",
"handle",
"net198",
"net1980000",
"squar30",
"varick st",
"city",
"new york",
"stateprov",
"postalcode",
"orgtechhandle",
"orgtechref",
"orgabusehandle",
"orgabuseref",
"orgnochandle",
"orgnocref",
"p version",
"address range",
"span",
"google public",
"form",
"doctype html",
"google",
"public dns",
"head",
"public",
"footer",
"body",
"file type",
"ascii text",
"python script",
"python",
"writes shell",
"unicode text",
"utf8 text",
"ascii",
"writes",
"sample",
"persistence",
"defense evasion",
"info",
"next",
"performs dns",
"united",
"urls",
"found",
"https",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"layer protocol",
"phishing",
"headers age",
"homenet",
"et info",
"file hosting",
"service domain",
"domain",
"dns lookup",
"clientendpoint",
"perimeter",
"high",
"informational",
"domain related",
"as54113",
"top source",
"top destination",
"source source",
"status domain",
"tcp include",
"udp include",
"country united",
"unique",
"ja3 clients",
"destination ip",
"dest port",
"ja3 ja3",
"digest",
"cache",
"california",
"san francisco",
"fastly",
"globalsign",
"title pypi",
"package",
"a domains",
"accept",
"showing",
"entries",
"previous",
"domains show",
"search",
"amazon ec2",
"orgnocemail",
"net75",
"net750000",
"amazon web",
"services",
"ip routing",
"nethandle",
"amazo4",
"aws rpki",
"historical ssl",
"certificates",
"first",
"thumbprint",
"graph summary",
"algorithm",
"number",
"issuer",
"cus cnlet",
"x3 olet",
"subject public",
"key info",
"key algorithm",
"pdf document",
"adobe portable",
"document format",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"sha1",
"acrongl integ",
"adc4240758",
"shutdown",
"sqlite version",
"sqlite rollback",
"utf8",
"json",
"creates",
"journal",
"malicious",
"resolutions",
"date",
"detection",
"hostmaster",
"amazon legal",
"dept",
"amazon",
"code",
"email",
"icann whois",
"nv admin",
"phone",
"stateprovince",
"tech",
"gatsby",
"golf",
"hrhrhr"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf",
"https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx",
"https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Norwell",
"display_name": "Norwell",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1686,
"URL": 1309,
"hostname": 1474,
"FileHash-MD5": 166,
"FileHash-SHA1": 204,
"IPv4": 152,
"domain": 1177,
"CIDR": 3,
"email": 11,
"IPv6": 1,
"URI": 1,
"CVE": 1,
"SSLCertFingerprint": 2,
"Mutex": 2
},
"indicator_count": 6189,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6a132a66fa217054f3e57883",
"name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox",
"description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa",
"modified": "2026-05-24T16:42:14.218000",
"created": "2026-05-24T16:42:14.218000",
"tags": [
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"csv text",
"altitude",
"south shore",
"uas imagery",
"massachusetts",
"marshfield",
"scituate",
"hingham",
"norwell",
"hanover",
"pembroke",
"epub document",
"structure ebook",
"zip document",
"epub",
"nigel poulton",
"docker deep",
"nielson book",
"docker",
"single book",
"anna",
"dive",
"dive zero",
"deep dive",
"zero",
"script",
"ieedge",
"squarespace",
"drones",
"title",
"secchuamodel",
"link",
"static",
"supporte",
"marshfield ldap",
"marshfield ssl",
"certificate",
"common name",
"issued",
"charter",
"llc united",
"statesunited",
"new london",
"diesel",
"comcast ip",
"derry village",
"ssl certificate",
"encrypt",
"comcast cable",
"communications",
"boston",
"key identifier",
"x509v3 subject",
"full name",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"ca1 validity",
"cus stnew",
"range",
"cidr",
"network name",
"type",
"status",
"whois server",
"entity squar30",
"handle",
"net198",
"net1980000",
"squar30",
"varick st",
"city",
"new york",
"stateprov",
"postalcode",
"orgtechhandle",
"orgtechref",
"orgabusehandle",
"orgabuseref",
"orgnochandle",
"orgnocref",
"p version",
"address range",
"span",
"google public",
"form",
"doctype html",
"google",
"public dns",
"head",
"public",
"footer",
"body",
"file type",
"ascii text",
"python script",
"python",
"writes shell",
"unicode text",
"utf8 text",
"ascii",
"writes",
"sample",
"persistence",
"defense evasion",
"info",
"next",
"performs dns",
"united",
"urls",
"found",
"https",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"layer protocol",
"phishing",
"headers age",
"homenet",
"et info",
"file hosting",
"service domain",
"domain",
"dns lookup",
"clientendpoint",
"perimeter",
"high",
"informational",
"domain related",
"as54113",
"top source",
"top destination",
"source source",
"status domain",
"tcp include",
"udp include",
"country united",
"unique",
"ja3 clients",
"destination ip",
"dest port",
"ja3 ja3",
"digest",
"cache",
"california",
"san francisco",
"fastly",
"globalsign",
"title pypi",
"package",
"a domains",
"accept",
"showing",
"entries",
"previous",
"domains show",
"search",
"amazon ec2",
"orgnocemail",
"net75",
"net750000",
"amazon web",
"services",
"ip routing",
"nethandle",
"amazo4",
"aws rpki",
"historical ssl",
"certificates",
"first",
"thumbprint",
"graph summary",
"algorithm",
"number",
"issuer",
"cus cnlet",
"x3 olet",
"subject public",
"key info",
"key algorithm",
"pdf document",
"adobe portable",
"document format",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"sha1",
"acrongl integ",
"adc4240758",
"shutdown",
"sqlite version",
"sqlite rollback",
"utf8",
"json",
"creates",
"journal",
"malicious",
"resolutions",
"date",
"detection",
"hostmaster",
"amazon legal",
"dept",
"amazon",
"code",
"email",
"icann whois",
"nv admin",
"phone",
"stateprovince",
"tech",
"gatsby",
"golf",
"hrhrhr"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf",
"https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx",
"https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Norwell",
"display_name": "Norwell",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1686,
"URL": 1309,
"hostname": 1474,
"FileHash-MD5": 166,
"FileHash-SHA1": 204,
"IPv4": 152,
"domain": 1177,
"CIDR": 3,
"email": 11,
"IPv6": 1,
"URI": 1,
"CVE": 1,
"SSLCertFingerprint": 2,
"Mutex": 2
},
"indicator_count": 6189,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6a132a577896901b2c0b993b",
"name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox",
"description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa",
"modified": "2026-05-24T16:41:59.005000",
"created": "2026-05-24T16:41:59.005000",
"tags": [
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"csv text",
"altitude",
"south shore",
"uas imagery",
"massachusetts",
"marshfield",
"scituate",
"hingham",
"norwell",
"hanover",
"pembroke",
"epub document",
"structure ebook",
"zip document",
"epub",
"nigel poulton",
"docker deep",
"nielson book",
"docker",
"single book",
"anna",
"dive",
"dive zero",
"deep dive",
"zero",
"script",
"ieedge",
"squarespace",
"drones",
"title",
"secchuamodel",
"link",
"static",
"supporte",
"marshfield ldap",
"marshfield ssl",
"certificate",
"common name",
"issued",
"charter",
"llc united",
"statesunited",
"new london",
"diesel",
"comcast ip",
"derry village",
"ssl certificate",
"encrypt",
"comcast cable",
"communications",
"boston",
"key identifier",
"x509v3 subject",
"full name",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"ca1 validity",
"cus stnew",
"range",
"cidr",
"network name",
"type",
"status",
"whois server",
"entity squar30",
"handle",
"net198",
"net1980000",
"squar30",
"varick st",
"city",
"new york",
"stateprov",
"postalcode",
"orgtechhandle",
"orgtechref",
"orgabusehandle",
"orgabuseref",
"orgnochandle",
"orgnocref",
"p version",
"address range",
"span",
"google public",
"form",
"doctype html",
"google",
"public dns",
"head",
"public",
"footer",
"body",
"file type",
"ascii text",
"python script",
"python",
"writes shell",
"unicode text",
"utf8 text",
"ascii",
"writes",
"sample",
"persistence",
"defense evasion",
"info",
"next",
"performs dns",
"united",
"urls",
"found",
"https",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"layer protocol",
"phishing",
"headers age",
"homenet",
"et info",
"file hosting",
"service domain",
"domain",
"dns lookup",
"clientendpoint",
"perimeter",
"high",
"informational",
"domain related",
"as54113",
"top source",
"top destination",
"source source",
"status domain",
"tcp include",
"udp include",
"country united",
"unique",
"ja3 clients",
"destination ip",
"dest port",
"ja3 ja3",
"digest",
"cache",
"california",
"san francisco",
"fastly",
"globalsign",
"title pypi",
"package",
"a domains",
"accept",
"showing",
"entries",
"previous",
"domains show",
"search",
"amazon ec2",
"orgnocemail",
"net75",
"net750000",
"amazon web",
"services",
"ip routing",
"nethandle",
"amazo4",
"aws rpki",
"historical ssl",
"certificates",
"first",
"thumbprint",
"graph summary",
"algorithm",
"number",
"issuer",
"cus cnlet",
"x3 olet",
"subject public",
"key info",
"key algorithm",
"pdf document",
"adobe portable",
"document format",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"sha1",
"acrongl integ",
"adc4240758",
"shutdown",
"sqlite version",
"sqlite rollback",
"utf8",
"json",
"creates",
"journal",
"malicious",
"resolutions",
"date",
"detection",
"hostmaster",
"amazon legal",
"dept",
"amazon",
"code",
"email",
"icann whois",
"nv admin",
"phone",
"stateprovince",
"tech",
"gatsby",
"golf",
"hrhrhr"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf",
"https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx",
"https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Norwell",
"display_name": "Norwell",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1686,
"URL": 1309,
"hostname": 1474,
"FileHash-MD5": 166,
"FileHash-SHA1": 204,
"IPv4": 152,
"domain": 1177,
"CIDR": 3,
"email": 11,
"IPv6": 1,
"URI": 1,
"CVE": 1,
"SSLCertFingerprint": 2,
"Mutex": 2
},
"indicator_count": 6189,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69ddeb45c45f6a3cd721397d",
"name": "Active attacks \u2022 Apple \u2022 Tulach",
"description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious",
"modified": "2026-05-14T06:03:18.470000",
"created": "2026-04-14T07:22:45.250000",
"tags": [
"url http",
"ipv4",
"indicator role",
"active related",
"united",
"moved",
"gmt content",
"certificate",
"all domain",
"msie",
"chrome",
"extraction",
"data upload",
"twitter",
"cookie",
"extra",
"include data",
"review locs",
"exclude",
"suggested os",
"onlv",
"failed",
"stop data",
"read c",
"unicode",
"rgba",
"memcommit",
"delete",
"dock",
"write",
"execution",
"sc type",
"extri",
"include review",
"exclude sugges",
"typ data",
"a domains",
"present apr",
"script urls",
"files",
"files ip",
"address",
"ios",
"mac",
"apple",
"appleid",
"itunes",
"next associated",
"all ipv4",
"included ic",
"uny teade",
"type hostnar",
"hostnar hostnar",
"hostnar",
"macair",
"macairaustralia",
"ipad",
"ipod",
"cryptexportkey",
"invalid pointer",
"cryptgenkey",
"stream",
"defender",
"delphi",
"class",
"stack",
"format",
"unknown",
"united states",
"phishing",
"password",
"traffic redirected",
"service mod",
"service execution",
"youtube",
"music",
"streams",
"songs",
"played songs",
"music streams",
"most played",
"fonelab",
"indicator",
"included iocs",
"manually add",
"review ocs",
"exclude inn",
"sugges data",
"find",
"include",
"url https",
"enter sc",
"type",
"no matchme",
"search otx",
"https",
"references x",
"analyze",
"open th",
"url data",
"se http",
"no match",
"excluded iocs",
"iocs",
"ip whitelisted",
"whitelisted",
"tcp include",
"analysis date",
"file score",
"medium risk",
"yara detections",
"contacted",
"related tags",
"x vercel",
"file type",
"type indicator",
"role title",
"related pulses",
"mulch virtua",
"library loade",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugt",
"samuel tulach",
"unity engine",
"tulach",
"sa awareness",
"sabey",
"sar cut",
"autofill",
"includer review",
"portiana oney",
"targeting",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"musickit_1_.js",
"lazarus",
"injection",
"CVE-2017-8570",
"prefetch2",
"target",
"aaaa",
"ip address",
"record value",
"emails",
"samuel tuachs",
"sapev",
"review exclude",
"monitored target",
"script",
"mitre att",
"ascii text",
"span",
"path",
"iframe",
"april",
"hybrid",
"general",
"local",
"click",
"strings",
"body",
"development att",
"t1055.012 list planting",
"active"
],
"references": [
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"https://podcasts.apple.com/us/podcast/lazarus",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://help.aiseesoft.jp/blu-ray-player",
"http://help.aiseesoft.jp/fonelab/",
"https://action.aiseesoft.jp/itunes.php",
"http://help.aiseesoft.jp/total-video-converter",
"http://help.aiseesoft.jp/total-video-converter/",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"http://test-firstmile.digitecgalaxus.ch",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"cdn.rss.applemarketingtools.com",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"1.bing.com.cn",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"www.phantomcameras.cn",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"podcasts.apple.com \u2022 23.34.32.21",
"www.apple.com \u2022 23.34.32.199",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"http://firstmile.digitecgalaxus.ch",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"Tulach.cc",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"asp.net domain pointer",
"developer.x.com",
"aotx.alienvault.com (aotx.?)",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1020.001",
"name": "Traffic Duplication",
"display_name": "T1020.001 - Traffic Duplication"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591.002",
"name": "Business Relationships",
"display_name": "T1591.002 - Business Relationships"
},
{
"id": "T1591.001",
"name": "Determine Physical Locations",
"display_name": "T1591.001 - Determine Physical Locations"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1029,
"domain": 396,
"email": 7,
"URL": 2784,
"FileHash-SHA256": 898,
"FileHash-MD5": 79,
"FileHash-SHA1": 68,
"CVE": 1,
"SSLCertFingerprint": 13
},
"indicator_count": 5275,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "19 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf261cc4e399447d78776c",
"name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |",
"description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com",
"modified": "2026-04-20T21:01:07.869000",
"created": "2026-03-21T23:13:32.760000",
"tags": [
"sc data",
"data upload",
"please sub",
"include data",
"extraction",
"failed",
"sc pulse",
"idron anv",
"extr please",
"include review",
"exclude sugges",
"stop show",
"typ domain",
"united",
"virtool",
"name servers",
"cryp",
"emails",
"win32",
"ip address",
"worm",
"trojan",
"learn",
"suspicious",
"informative",
"ck id",
"name tactics",
"command",
"adversaries",
"spawns",
"ssl certificate",
"initial access",
"link initial",
"prefetch8",
"mitre att",
"ck matrix",
"flag",
"windows nt",
"win64",
"accept",
"encrypt",
"form",
"hybrid",
"bypass",
"general",
"path",
"iframe",
"click",
"strings",
"anchor https",
"anchor",
"liberal",
"sabey",
"liberal friends",
"meta",
"html internet",
"html document",
"unicode text",
"utf8 text",
"info initial",
"access ta0001",
"compromise",
"t1189 network",
"communication",
"get http",
"artifacts v",
"full reports",
"v get",
"help dns",
"resolutions",
"ip traffic",
"extr data",
"enter sc",
"extra data",
"referen",
"broth",
"passive dns",
"urls",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"none google",
"safe browsing",
"inquest labs",
"lucas acha",
"code integrity",
"checks creation",
"otx logo",
"all hostname",
"files",
"domain",
"protect",
"date",
"title",
"exchange",
"se http",
"present jan",
"present feb",
"present dec",
"backdoor",
"certificate",
"all domain",
"alibaba cloud",
"hichina",
"porkbun llc",
"cloudflare",
"namecheap inc",
"namecheap",
"domains",
"dynadot llc",
"ascio",
"denmark",
"url https",
"filehashsha256",
"url http",
"dopple ai",
"snit",
"iocs",
"otx description",
"information",
"report spam",
"delete service",
"poem",
"hunter",
"malicious",
"porn revenge",
"brian sabeys",
"all report",
"spam delete",
"rl http",
"https",
"expiration http",
"spam brian",
"swipper",
"type indicator",
"role title",
"added active",
"related pulses",
"filehashmd5",
"filehashsha1",
"sha256",
"scan",
"learn more",
"indicators show",
"tbmvid",
"sourcelnms",
"zx1724209326040",
"xxx videos",
"xxxvideohd",
"adversary",
"packing",
"palantir.com",
"discovery",
"victim won case",
"doin it",
"palantirian abuse",
"apple",
"sabey data centers",
"insurance",
"quasi government",
"the brother sabey",
"reimer",
"law enforcement",
"vessel state",
"sabey porn",
"hall evans",
"christopher ahmann",
"defamation",
"google"
],
"references": [
"The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/",
"http://watchhers.net/index.php",
"http://212.33.237.86/images/1/report.php",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://webmail.police.govmm.org/owa/",
"https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl",
"https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215",
"Mark Brian Sabey",
"Melvin Sabey",
"Christopher P \u2018Buzz\u2019 Ahmann",
"Ronda Cordova",
"Unknown Persons impersonating Private Investigators (plural)",
"Quasi Government Case",
"Victim silenced. Struck by Car Driven by male police let walk",
"Denver Police let this attempted murder walk. Cited him as a ghost driver",
"Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora",
"Sexual and Physical Assaulter - Jeffrey Scott Reimer",
"Reimer was a PT. Unknown whereabouts , name or job description",
"Denver Police Department Major Crimes closed investigation",
"Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim",
"I bring up the personal nature of the crime because a delete service has been used",
"More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed",
"All IoC\u2019s originate from sources named. There are some unknown attackers",
"This is a serious crime. I\u2019m certain God WILL pay them.",
"https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com",
"http://palantirwww.sweetheartvideo.com/ (weirdness)",
"http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://207-207-25-201.fwd.datafoundry.com/",
"http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd",
"http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2sdbl.dvr.dn2.n-helix.com/",
"Updated | What\u2019s left after theft",
"207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com",
"207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com",
"https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse",
"https://www.datafoundry.com/category/news/press-releases/",
"207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com",
"209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com",
"www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com",
"http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com",
"http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/",
"https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022",
"https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/",
"https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com",
"Some may may find this content is very disturbing and offensive"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Porn Revenge",
"display_name": "Porn Revenge",
"target": null
},
{
"id": "Tons of Malware",
"display_name": "Tons of Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1132.001",
"name": "Standard Encoding",
"display_name": "T1132.001 - Standard Encoding"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1495",
"name": "Firmware Corruption",
"display_name": "T1495 - Firmware Corruption"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1586.001",
"name": "Social Media Accounts",
"display_name": "T1586.001 - Social Media Accounts"
},
{
"id": "T1593.001",
"name": "Social Media",
"display_name": "T1593.001 - Social Media"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6034,
"domain": 1422,
"FileHash-MD5": 274,
"FileHash-SHA1": 252,
"FileHash-SHA256": 3378,
"email": 11,
"hostname": 2753,
"CVE": 1,
"SSLCertFingerprint": 9
},
"indicator_count": 14134,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "42 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "69 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "69 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf27fc6d31ed143807e1db",
"name": "Apple abuse by law firm - remote attackers.",
"description": "They will put you in many botnets. Remote attacks on Apple products.http://thebrotherssabey.com/\t\t\t\nhttps://thebrotherssabey.com/\t\t\t\nthebrotherssabey.com",
"modified": "2026-03-21T23:21:32.200000",
"created": "2026-03-21T23:21:32.200000",
"tags": [
"active related",
"thebrotherssabey",
"apple"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 196,
"domain": 11,
"hostname": 79,
"FileHash-SHA256": 20
},
"indicator_count": 306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "72 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6958372ef9da31513d96bebb",
"name": "Connected-IOS remotely connected to 180.4.1.2 \u2022 ocn.ad.jp -NTT Communications Corporation",
"description": "Retaliation? IOS remotely connected to 180.4.1.2 \u2022 ocn.ad.jp -NTT Communications Corporation for malicious control | found in the analytics of a highly target device: I\u2019ve included related pulses from 2 other threat responders and an Apple discussion post. Surprisingly, most of the IoC\u2019s pulsed came from one page of analytics. | \u2022 \"avconferenced\", \"procPath\" : \"\\/usr\\/libexec\\/avconferenced | 180.4.1.2 | a version of\npegasus found. | https://prometheus-pushgateway-internal.preview.tp-staging.com/\t\nhostname: prometheus.netmaker.vonnue.dev\t\nhostname: prometheus.dev.aws.finoa.io |\nSince Prometheus pulse . I realize now every Prometheus pulse illicits outrageous behavior.. Is this a secret society? Try to be more secretive. Owl heads in lawn. This behavior illicits investigation for a fix. Please STOP. I\u2019m done looking at Prometheus. Please stop leaving artifacts.",
"modified": "2026-02-01T20:00:08.812000",
"created": "2026-01-02T21:22:54.247000",
"tags": [
"syscall",
"nsrunloop",
"objcclass",
"region type",
"start",
"vsize",
"prtmax shrmod",
"region detailn",
"unused space",
"at startn",
"guard",
"urls",
"url analysis",
"verdict",
"domain",
"address",
"location japan",
"hikone",
"japan asn",
"as4713 ntt",
"related tags",
"none external",
"aaaa",
"united",
"passive dns",
"ip address",
"japan",
"present dec",
"domain add",
"files",
"japan unknown",
"present jul",
"present oct",
"present sep",
"present aug",
"present jun",
"japan showing",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"reverse dns",
"present nov",
"present",
"present may",
"present mar",
"present apr",
"data upload",
"extraction",
"failed",
"files ip",
"moved",
"gmt content",
"ipv4 add",
"location united",
"title",
"ipv4",
"dns resolutions",
"hostname add",
"asn as4713",
"all ipv4",
"google",
"ocn ntt",
"googlecl",
"http",
"amazon02",
"akamaias",
"page url",
"yahoojp",
"december",
"jp summary",
"february",
"asn15169",
"tokyo",
"kansas city",
"asn396982",
"asn30286",
"asn16509",
"cisco",
"umbrella rank",
"cisco umbrella",
"rank",
"kitashinagawa",
"sureserver ev",
"ca g3",
"domains",
"hashes",
"microsoft",
"docomo business",
"ml14325",
"as autonomous",
"asn8075",
"ip information",
"ipasns ip",
"detail domain",
"domain tree",
"links domain",
"requested",
"value",
"automatic",
"webgl",
"please",
"mr value",
"muid value",
"mjl function",
"dcmlinker",
"paq string",
"kb script",
"b image",
"b script",
"frame a344",
"redirect chain",
"kb document",
"frame",
"b xhr",
"kb image",
"fetch collect",
"request chain",
"redirected",
"http redirect",
"name servers",
"redacted for",
"servers",
"unknown aaaa",
"search",
"for privacy",
"domeny serwery",
"verdana tahoma",
"arial",
"gmt contenttype",
"meta",
"small",
"results jan",
"present jan",
"status",
"record value",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"process details",
"flag",
"japan japan",
"pattern match",
"ascii text",
"mitre att",
"ck id",
"null",
"refresh",
"span",
"hybrid",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"command",
"found",
"defense evasion",
"monitored target",
"pulse submit",
"wikipedia",
"imap",
"smtp",
"ocn open",
"discussion",
"stub",
"jprs database",
"ocnnttocn",
"maintenance",
"outages notice",
"lock status",
"state",
"connected",
"organization",
"type",
"name",
"server",
"name server",
"connected date",
"algorithm",
"key identifier",
"data",
"v3 serial",
"number",
"cjp ocybertrust",
"ev ca",
"g3 validity",
"ku ontt",
"docomo",
"record type",
"ttl value",
"thumbprint",
"emails",
"date",
"trojan",
"pegasus",
"title error",
"hostname",
"pulse pulses",
"entries",
"mtb apr",
"lowfi",
"win32",
"a domains",
"body",
"worm",
"virtool",
"cybota",
"showing",
"palantir",
"prometheus"
],
"references": [
"ocn.ne.jp \u2022 180.4.1.2 \u2022 gateway1.ocn.ad.jp",
"login.ocn.ne.jp 122.28.88.229 \u2022 outpost@alpha.ocn.ne.jp",
"ocn.ad.jp - Registrant Org: NTT Communications Corporation",
"Page Title: \u30ed\u30b0\u30a4\u30f3 | OCN\u30e1\u30fc\u30eb | OCN",
"Nippon Telegraph and Telephone Corporation one governmental now privated",
"computersandsoftware \u2022 portal sites \u2022 search engines and portals",
"(Found on targeted iOS device) mr-file-connector-193.api.auxosandbox.com",
"Guardicore by CyberHunterAutoFeed \u2022 https://otx.alienvault.com/pulse/655d47fb128a006a7d06afa2",
"Japanese Phishing Site by pingineer \u2022 https://otx.alienvault.com/pulse/61d3b380c44ee030dd092a80",
"https://discussions.apple.com/thread/255214328?sortBy=rank",
"https://urlscan.io/result/98a3575f-9b94-4ef3-ae84-8e585f882151/#indicators",
"Interesting (found in pulse) https://www.studentfinancewales.co.uk/contact",
"kalpak.palantirfedstart.com \u2022 lsauth-vault.palantirfedstart.com \u2022 sandboxes-ranunculus.palantirfedstart.com",
"swarm-foundry.com",
"When you see silly related domains it\u2019s probably Palantir kids: fuckingshitshow.org Domain kinkfuck.com \u2022 nobodycares.art",
"heavy-r.com \u2022 fartyphant.com \u2022 uglyphant.com \u2022 maciej.sztajerwald@gmail.com",
"https://hybrid-analysis.com/sample/6af451b8e64c3f8abafc84e776fe6c257888e0875b2d22c75b23b13960f46567/69580966ed3458719b0f0ed5",
"server-3-164-143-102.nrt20.r.cloudfront.net",
"ec2-3-115-135-167.ap-northeast-1.compute.amazonaws.com",
"ec2-57-181-50-85.ap-northeast-1.compute.amazonaws.com",
"https://ww41.porn25.com/",
"https://otx.alienvault.com/indicator/url/https://t.notif-laposte.info/TrackActions/NGJlYjE5NjZhZDlkODU0NzE3Yzg3Zjk3ODJkMmMxZWRjMTlkODAxZmEyMjY5YjU5YjY1MGU1OWFmZTdhMDlhMmM2YjY3ZTBiYzYwNWUwODdmMzkzZDc5ZjAwNDViODM1OGU5MTA0M2IzMjRmOGQwNTgxZGZjMmUyODFlZDI3MDYzZTQzNzg4NGVkMWJmMDgwMzM0NTA5OGRmY2M0NTVjZA",
"If something curious is found on privatelybowen property we have a constitutional right to examine it.",
"Other constitutional rights and privileges written in law where severe courses of action is allowed",
"iOS device, Update 26.2 , heavily monitored target of death threats, attempts & unfortunate outcome..",
"Device targeted with l RMS Modules by male in Denver, Co",
"Attempts to clip target at high rate of speed.Seen again at her residence in October",
"Target was monitored in store and followed home needed to stop multiple times , change routes.",
"Multiple attackers. Don\u2019t believe me, look at the pulses. Caged in by male with deauther watch.",
"Most of the people doing this are 50\u2019s plus, plus. There are youngsters but many grey haired , grandparents",
"The older the smarter the way better. These people are brilliant , ruthless and dangerous",
"Phone recently accessed, a tiny unauthorized speaker was on. Threat actors connected.",
"Malicious activity seen since a Pulse regarding school outage.",
"Location search was used to find device users address. It\u2019s with me.",
"Delete service is being used on this Threat service",
"Many indicators point to an IP this block is on.",
"It\u2019s so out of hand,m for 16 people.",
"https://prometheus-pushgateway-internal.preview.tp-staging.com/",
"prometheus.netmaker.vonnue.dev",
"prometheus.dev.aws.finoa.io",
"Prometheus - Alien God? Morality through the eyes of the immoral",
"Prometheus- allegedly related to Peter Thiel , Elon Musk and tech bro Joes who are playing God."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2879,
"domain": 1372,
"URL": 5788,
"FileHash-SHA256": 1720,
"CVE": 1,
"FileHash-MD5": 238,
"FileHash-SHA1": 241,
"email": 13
},
"indicator_count": 12252,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "120 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69519fa818f84531ce6becc9",
"name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)",
"description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. Where does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.",
"modified": "2026-01-27T21:02:45.343000",
"created": "2025-12-28T21:22:48.383000",
"tags": [
"united",
"servers",
"moved",
"ip address",
"record value",
"encrypt",
"present jul",
"present jun",
"trojandropper",
"passive dns",
"ipv4 add",
"urls",
"files",
"virtool",
"united states",
"dynamicloader",
"directui",
"element",
"classinfobase",
"write c",
"medium",
"yara rule",
"msvisualbasic60",
"high",
"hwndelement",
"explorer",
"write",
"movie",
"insert",
"program",
"python",
"http traffic",
"trojan generic",
"search",
"cnc activity",
"delphi",
"win32",
"launcher",
"pony",
"fareit",
"malware",
"push",
"msie",
"windows nt",
"generic",
"checkin",
"post",
"yara detections",
"rxr",
"inject",
"memcommit",
"cryptexportkey",
"invalid pointer",
"regsetvalueexa",
"solutions ltd",
"read c",
"regdword",
"mozilla",
"persistence",
"execution",
"android",
"unknown",
"learn",
"suspicious",
"informative",
"adversaries",
"ck id",
"name tactics",
"command",
"initial access",
"defense evasion",
"spawns",
"t1590 gather",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"pattern match",
"mitre att",
"ck matrix",
"href",
"ascii text",
"starfield",
"hybrid",
"general",
"local",
"path",
"iframe",
"palantir",
"present nov",
"present oct",
"status",
"present apr",
"present dec",
"cryp",
"date",
"trojan",
"title",
"name servers",
"windows",
"t1060",
"disables proxy",
"dock",
"pegasus",
"rootkit",
"backdoor",
"susp",
"win32qqpass feb",
"worm",
"msr win32",
"win64",
"process32nextw",
"findwindowa",
"file execution",
"writeconsolea",
"procexpl",
"file v2",
"document",
"document file",
"v2 document",
"lost",
"tools",
"pecompact",
"media",
"autorun",
"service",
"post http",
"delete",
"alerts",
"emotet",
"rkt",
"autorun",
"worm",
"plugins",
"title error",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"domain",
"expiration date",
"hostname add",
"pulse pulses",
"contacted hosts",
"sha1",
"sha256",
"show technique",
"strings",
"t1480 execution",
"signing defense",
"script urls",
"a domains",
"unknown ns",
"texas flyover",
"script domains",
"script script",
"meta",
"window",
"process details",
"contacted"
],
"references": [
"Cart.Guru",
"Yara Detections: Delphi",
"Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer",
"MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer",
"HTTP traffic on port 443 (POST)",
"IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query",
"Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs",
"Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http",
"Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates",
"Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http",
"Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe",
"Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check",
"Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad",
"Yara Detections: Nullsoft_NSIS ...",
"Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat",
"Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com",
"Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103",
"Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx",
"Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy",
"Emotet IDS Detections: Win32/Emotet CnC Checkin Response",
"Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users"
],
"public": 1,
"adversary": "Palantir Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "RXR",
"display_name": "RXR",
"target": null
},
{
"id": "Pony",
"display_name": "Pony",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "Trojan:Win32/Bagsu!rfn",
"display_name": "Trojan:Win32/Bagsu!rfn",
"target": "/malware/Trojan:Win32/Bagsu!rfn"
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Win32:MalOb-BX\\ [Cryp]",
"display_name": "Win32:MalOb-BX\\ [Cryp]",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "#Lowfi:Win32/SandboxProductId",
"display_name": "#Lowfi:Win32/SandboxProductId",
"target": "/malware/#Lowfi:Win32/SandboxProductId"
},
{
"id": "Win32:Backdoor",
"display_name": "Win32:Backdoor",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "ALF:Trojan:MSIL/BlackFus.C",
"display_name": "ALF:Trojan:MSIL/BlackFus.C",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "TrojanProxy:Win32/Ceutv.A",
"display_name": "TrojanProxy:Win32/Ceutv.A",
"target": "/malware/TrojanProxy:Win32/Ceutv.A"
},
{
"id": "VirTool:Win32/Obfuscator.AHU",
"display_name": "VirTool:Win32/Obfuscator.AHU",
"target": "/malware/VirTool:Win32/Obfuscator.AHU"
},
{
"id": "ShellCode",
"display_name": "ShellCode",
"target": null
},
{
"id": "Win32:Rootkit",
"display_name": "Win32:Rootkit",
"target": null
},
{
"id": "VB Flash",
"display_name": "VB Flash",
"target": null
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Win.Packed.Razy-6847895-0",
"display_name": "Win.Packed.Razy-6847895-0",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!",
"display_name": "Backdoor:Win32/Plugx.N!",
"target": "/malware/Backdoor:Win32/Plugx.N!"
},
{
"id": "Win.Dropper.QQpass-7194329-0",
"display_name": "Win.Dropper.QQpass-7194329-0",
"target": null
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Win32:Agent",
"display_name": "Win32:Agent",
"target": null
},
{
"id": "Win.Trojan.Agent",
"display_name": "Win.Trojan.Agent",
"target": null
},
{
"id": "Win.Trojan.Emotet-7545664-0",
"display_name": "Win.Trojan.Emotet-7545664-0",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2362,
"domain": 449,
"hostname": 710,
"email": 6,
"FileHash-MD5": 260,
"FileHash-SHA1": 201,
"FileHash-SHA256": 333,
"SSLCertFingerprint": 27
},
"indicator_count": 4348,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "125 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69519fa81048ad057eb9beaa",
"name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)",
"description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. | \nWhere does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.",
"modified": "2026-01-27T21:02:45.343000",
"created": "2025-12-28T21:22:48.595000",
"tags": [
"united",
"servers",
"moved",
"ip address",
"record value",
"encrypt",
"present jul",
"present jun",
"trojandropper",
"passive dns",
"ipv4 add",
"urls",
"files",
"virtool",
"united states",
"dynamicloader",
"directui",
"element",
"classinfobase",
"write c",
"medium",
"yara rule",
"msvisualbasic60",
"high",
"hwndelement",
"explorer",
"write",
"movie",
"insert",
"program",
"python",
"http traffic",
"trojan generic",
"search",
"cnc activity",
"delphi",
"win32",
"launcher",
"pony",
"fareit",
"malware",
"push",
"msie",
"windows nt",
"generic",
"checkin",
"post",
"yara detections",
"rxr",
"inject",
"memcommit",
"cryptexportkey",
"invalid pointer",
"regsetvalueexa",
"solutions ltd",
"read c",
"regdword",
"mozilla",
"persistence",
"execution",
"android",
"unknown",
"learn",
"suspicious",
"informative",
"adversaries",
"ck id",
"name tactics",
"command",
"initial access",
"defense evasion",
"spawns",
"t1590 gather",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"pattern match",
"mitre att",
"ck matrix",
"href",
"ascii text",
"starfield",
"hybrid",
"general",
"local",
"path",
"iframe",
"palantir",
"present nov",
"present oct",
"status",
"present apr",
"present dec",
"cryp",
"date",
"trojan",
"title",
"name servers",
"windows",
"t1060",
"disables proxy",
"dock",
"pegasus",
"rootkit",
"backdoor",
"susp",
"win32qqpass feb",
"worm",
"msr win32",
"win64",
"process32nextw",
"findwindowa",
"file execution",
"writeconsolea",
"procexpl",
"file v2",
"document",
"document file",
"v2 document",
"lost",
"tools",
"pecompact",
"media",
"autorun",
"service",
"post http",
"delete",
"alerts",
"emotet",
"rkt",
"autorun",
"worm",
"plugins",
"title error",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"domain",
"expiration date",
"hostname add",
"pulse pulses",
"contacted hosts",
"sha1",
"sha256",
"show technique",
"strings",
"t1480 execution",
"signing defense",
"script urls",
"a domains",
"unknown ns",
"texas flyover",
"script domains",
"script script",
"meta",
"window",
"process details",
"contacted"
],
"references": [
"Cart.Guru",
"Yara Detections: Delphi",
"Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer",
"MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer",
"HTTP traffic on port 443 (POST)",
"IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query",
"Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs",
"Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http",
"Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates",
"Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http",
"Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe",
"Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check",
"Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad",
"Yara Detections: Nullsoft_NSIS ...",
"Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat",
"Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com",
"Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103",
"Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx",
"Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy",
"Emotet IDS Detections: Win32/Emotet CnC Checkin Response",
"Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users"
],
"public": 1,
"adversary": "Palantir Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "RXR",
"display_name": "RXR",
"target": null
},
{
"id": "Pony",
"display_name": "Pony",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "Trojan:Win32/Bagsu!rfn",
"display_name": "Trojan:Win32/Bagsu!rfn",
"target": "/malware/Trojan:Win32/Bagsu!rfn"
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Win32:MalOb-BX\\ [Cryp]",
"display_name": "Win32:MalOb-BX\\ [Cryp]",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "#Lowfi:Win32/SandboxProductId",
"display_name": "#Lowfi:Win32/SandboxProductId",
"target": "/malware/#Lowfi:Win32/SandboxProductId"
},
{
"id": "Win32:Backdoor",
"display_name": "Win32:Backdoor",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "ALF:Trojan:MSIL/BlackFus.C",
"display_name": "ALF:Trojan:MSIL/BlackFus.C",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "TrojanProxy:Win32/Ceutv.A",
"display_name": "TrojanProxy:Win32/Ceutv.A",
"target": "/malware/TrojanProxy:Win32/Ceutv.A"
},
{
"id": "VirTool:Win32/Obfuscator.AHU",
"display_name": "VirTool:Win32/Obfuscator.AHU",
"target": "/malware/VirTool:Win32/Obfuscator.AHU"
},
{
"id": "ShellCode",
"display_name": "ShellCode",
"target": null
},
{
"id": "Win32:Rootkit",
"display_name": "Win32:Rootkit",
"target": null
},
{
"id": "VB Flash",
"display_name": "VB Flash",
"target": null
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Win.Packed.Razy-6847895-0",
"display_name": "Win.Packed.Razy-6847895-0",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!",
"display_name": "Backdoor:Win32/Plugx.N!",
"target": "/malware/Backdoor:Win32/Plugx.N!"
},
{
"id": "Win.Dropper.QQpass-7194329-0",
"display_name": "Win.Dropper.QQpass-7194329-0",
"target": null
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Win32:Agent",
"display_name": "Win32:Agent",
"target": null
},
{
"id": "Win.Trojan.Agent",
"display_name": "Win.Trojan.Agent",
"target": null
},
{
"id": "Win.Trojan.Emotet-7545664-0",
"display_name": "Win.Trojan.Emotet-7545664-0",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2362,
"domain": 449,
"hostname": 710,
"email": 6,
"FileHash-MD5": 260,
"FileHash-SHA1": 201,
"FileHash-SHA256": 333,
"SSLCertFingerprint": 27
},
"indicator_count": 4348,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "125 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692f23547b713b128b9c8156",
"name": "Indicator Deletion Attack | Chris P. Ahmann Esq still utilizes parking crews to execute cyber attacks",
"description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]",
"modified": "2026-01-01T17:01:48.163000",
"created": "2025-12-02T17:35:15.203000",
"tags": [
"data upload",
"extraction",
"failed",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"development att",
"united",
"flag",
"poland poland",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"show process",
"network traffic",
"t1057",
"general",
"local",
"path",
"encrypt",
"hosts ip",
"details",
"ssl certificate",
"sha256",
"sha1",
"size",
"unicode text",
"crlf",
"utf8",
"lf line",
"server",
"command decode",
"markmonitor",
"amazon",
"ltd dba",
"com laude",
"organization",
"click",
"show technique",
"brand",
"microsoft edge",
"windows nt",
"win64",
"khtml",
"gecko",
"submitted",
"prefetch1",
"name server",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"contacted hosts",
"google",
"pornhub",
"ip address",
"t1480 execution",
"file defense",
"passive dns",
"related nids",
"urls",
"files location",
"flag united"
],
"references": [
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
"Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited",
"cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl",
"pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com",
"https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net",
"https://www.milehighmedia.com/legal/2257",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://twitter.com/PORNO_SEXYBABES",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6",
"(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs",
"http://watchhers.net/index.php",
"everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1358,
"FileHash-MD5": 100,
"FileHash-SHA1": 102,
"FileHash-SHA256": 1682,
"URL": 2497,
"CVE": 2,
"domain": 400,
"SSLCertFingerprint": 6,
"email": 3
},
"indicator_count": 6150,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "151 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6920c43c3772bb24f26f70cc",
"name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun",
"description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.",
"modified": "2025-12-21T18:01:07.268000",
"created": "2025-11-21T19:57:48.145000",
"tags": [
"dynamicloader",
"write c",
"write",
"high",
"yara rule",
"myapp",
"delphi",
"worm",
"win32",
"error",
"code",
"malware",
"defender",
"medium",
"binary file",
"heavensgate",
"bochs",
"dynamic",
"td td",
"td tr",
"united",
"a td",
"a domains",
"dynamic dns",
"static dns",
"dd wrt",
"twitter",
"trojan",
"trojandropper",
"null",
"enough",
"simple",
"click",
"easy",
"premium",
"associated urls",
"server response",
"google safe",
"results nov",
"avast avg",
"11.21.2025",
"11.20.2025",
"borland delphi",
"pe32",
"intel",
"ms windows",
"inno setup",
"win32 exe",
"pecompact",
"delphi generic",
"pe32 compiler",
"dark comet",
"dark gate",
"glassworm",
"md5 code",
"data",
"porkbun llc",
"windows match",
"getprocaddress",
"peb idrdata",
"match peb",
"t1547",
"t1059 t1112",
"shared modules",
"t1129",
"boot",
"logon autostart",
"execu",
"t1134 boot",
"encoding",
"capture e1113",
"file attributes",
"analysis ob0001",
"b0001 software",
"virtual machine",
"detection b0009",
"analysis ob0002",
"ob0003 screen",
"windows get",
"check",
"encode",
"check internet",
"wininet set",
"clear file",
"enumerate gui",
"get hostname",
"get keyboard",
"set registry",
"find",
"capture",
"url http",
"consolefoundry",
"console foundry",
"foundry",
"malware catalog tree",
"autorun keys",
"modification",
"alexander karp",
"peter theil",
"christoper ahmann",
"christopher pool",
"mercedes",
"apple",
"palantir",
"adversarial",
"adversaries",
"hostile",
"quasi",
"empty hash",
"denver",
"mal_xred_backdoor",
"backdoor",
"xred",
"brian sabey",
"first-send-petikvx",
"stop",
"glassworm",
"elex",
"darkgate",
"dark-comet",
"search",
"entries",
"show",
"yara detections",
"icmp traffic",
"rtf file",
"top source",
"top destination",
"format",
"host",
"copy",
"next",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"access att",
"font",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"ascii text",
"pattern match",
"sha256",
"mitre att",
"title",
"meta",
"hybrid",
"local",
"path",
"strings",
"body",
"contact",
"trace",
"form",
"bitcoin",
"core",
"jeffrey reimer",
"exe infection",
"cve",
"porn"
],
"references": [
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns",
"Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep",
"Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading",
"Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn",
"Alerts: packer_unknown",
"Malicious IP Contacted: 69.42.215.252",
"Abused Domains Contacted: xred.mooo.com freedns.afraid.org",
"IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org",
"IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com",
"IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com",
"Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry",
"Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below",
"by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"http://freedns.afraid.org/images/apple.gif",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://www.mumuplayer.com/redirect/customerservice/_wig",
"https://www.mumuplayer.com/redirect/customerservice/fB)y",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth",
"https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"http://consolefoundry.date/one/gate.php",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453",
"display_name": "Win.Trojan.Emotet-9850453",
"target": null
},
{
"id": "Win.Trojan.BlackNetRAT-7838854-0",
"display_name": "Win.Trojan.BlackNetRAT-7838854-0",
"target": null
},
{
"id": "Win.Dropper.Nanocore-10021490-0",
"display_name": "Win.Dropper.Nanocore-10021490-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Win.Packed.Remcos-10024510-0",
"display_name": "Win.Packed.Remcos-10024510-0",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "PSW:Win32/VB.CU",
"display_name": "PSW:Win32/VB.CU",
"target": "/malware/PSW:Win32/VB.CU"
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1541",
"name": "Foreground Persistence",
"display_name": "T1541 - Foreground Persistence"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 460,
"FileHash-SHA1": 437,
"FileHash-SHA256": 4483,
"SSLCertFingerprint": 2,
"URL": 6487,
"hostname": 1772,
"domain": 652,
"CVE": 3,
"email": 5
},
"indicator_count": 14301,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "162 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69138a8144a8bf8040a92711",
"name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Counsel for egregious criminal acts \u2022 Christopher P. Ahmann attorney at Large",
"description": "",
"modified": "2025-12-09T17:03:48.645000",
"created": "2025-11-11T19:12:01.843000",
"tags": [
"url http",
"apple",
"california",
"apple public",
"server rsa",
"organization",
"stateprovince",
"ocsp",
"nids united",
"files",
"united",
"unknown ns",
"ip address",
"domain",
"urls files",
"passive dns",
"found title",
"sf hello",
"myriad set",
"pro myriad",
"set lucida",
"grande arial",
"sf mono",
"ipv4",
"location united",
"america flag",
"america asn",
"verdict",
"files ip",
"address",
"as42 woodynet",
"domain add",
"ipv4 add",
"reverse dns",
"trojan",
"name servers",
"emails",
"for privacy",
"ltd dba",
"com laude",
"servers",
"expiration date",
"urls",
"meta",
"a domains",
"country code",
"store home",
"title",
"accept",
"espaol",
"english",
"evil corp",
"see all",
"cyber hack",
"republic",
"canada",
"season",
"joe tidy",
"sarah rainsford",
"podcast",
"bank",
"ukraine",
"dead",
"indonesia",
"police",
"premium",
"napoleon",
"revolution",
"michelangelo",
"mozart",
"global",
"solid",
"lazarus",
"jabber zeus",
"harrods",
"ta markmonitor",
"markmonitor",
"search",
"present aug",
"unknown aaaa",
"unknown soa",
"win32",
"invalid url",
"trojanspy",
"mtb apr",
"backdoor",
"next associated",
"win64",
"trojandropper",
"twitter",
"virtool",
"ransom",
"worm",
"dynamicloader",
"tlsv1",
"high",
"globalc",
"medium",
"windows",
"cmd c",
"delete c",
"stream",
"write",
"next",
"process32nextw",
"http host",
"dns query",
"likely gandcrab",
"et trojan",
"windows nt",
"wow64",
"malware",
"ms windows",
"as16509",
"as54113",
"yara rule",
"pe32 executable",
"as15169",
"powershell",
"unknown",
"response ip",
"address google",
"safe browsing",
"hostname add",
"port",
"destination",
"pe32",
"intel",
"error",
"show",
"delphi",
"dcom",
"form",
"canvas",
"united kingdom",
"content type",
"security",
"moved",
"great britain",
"unknown a",
"body doctype",
"html public",
"ietfdtd html",
"showing",
"packing t1045",
"bytes",
"read",
"default",
"christoper p ahmann",
"target",
"victims",
"tsara brashears",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"present nov",
"present oct",
"date",
"tcpmemhit",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"sha256",
"sha1",
"mitre att",
"pattern match",
"show technique",
"ck matrix",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"palantir",
"foundry",
"hitmen",
"quasi",
"government contracts",
"jeffrey reimer",
"hallrender",
"workers compensation",
"record value",
"certificate"
],
"references": [
"apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
"https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"bpc-old.palantirfoundry.com",
"OTX auto populated targeted groups.",
"You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
"Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
"Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
"Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
"They blatantly steal from citizens , blame foreign entities.",
"This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents."
],
"public": 1,
"adversary": "Lazarus",
"targeted_countries": [
"Bangladesh",
"Japan",
"United States of America"
],
"malware_families": [
{
"id": "ALF:SpikeAexR.PEVPSZL",
"display_name": "ALF:SpikeAexR.PEVPSZL",
"target": null
},
{
"id": "Ransom:MSIL/GandCrab",
"display_name": "Ransom:MSIL/GandCrab",
"target": "/malware/Ransom:MSIL/GandCrab"
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Ransom:Win32/Gandcrab.H!MTB",
"display_name": "Ransom:Win32/Gandcrab.H!MTB",
"target": "/malware/Ransom:Win32/Gandcrab.H!MTB"
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [
"Banks",
"Crypto",
"Entertainment",
"Bank"
],
"TLP": "white",
"cloned_from": "6910cafb096eae0dcb39a800",
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4572,
"FileHash-MD5": 196,
"domain": 1523,
"hostname": 1393,
"FileHash-SHA256": 2400,
"FileHash-SHA1": 175,
"email": 18,
"SSLCertFingerprint": 8
},
"indicator_count": 10285,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "174 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6910cafb096eae0dcb39a800",
"name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious",
"description": "Chronicles of how quasi government , a State owned criminal defense attorney , protects sexual assaulter Jeffrey Reimer DPT. victim Palantir harassed, withheld healthcare , diagnoses, justice, monetary award for injured, stole insurance policies, hacked Denver artists, sold music her to artists whom profited, hacked Denver music studios, hired stalkers, human, controlled phone , car and everything in targets life including , doctors, attorneys, hospitals. It\u2019s always been clear to coming us that Anonymous and Lazarus are the police, judge , lawyer, ransom racist.\nThis group alone has cost the US billions! Responsible for 2014 Sony hack , FMOE.\nDirect Link. by phone , email in person contact , forced settlement hearing,. Adversarial Christopher P. Ahmann , relationship w / Lazarus group, hitmen , cyber crime and other crimes against persons.\n #rip #christopher_ahmann #palantir #lazarus #target_tsara_brashears",
"modified": "2025-12-09T17:03:48.645000",
"created": "2025-11-09T17:10:19.498000",
"tags": [
"url http",
"apple",
"california",
"apple public",
"server rsa",
"organization",
"stateprovince",
"ocsp",
"nids united",
"files",
"united",
"unknown ns",
"ip address",
"domain",
"urls files",
"passive dns",
"found title",
"sf hello",
"myriad set",
"pro myriad",
"set lucida",
"grande arial",
"sf mono",
"ipv4",
"location united",
"america flag",
"america asn",
"verdict",
"files ip",
"address",
"as42 woodynet",
"domain add",
"ipv4 add",
"reverse dns",
"trojan",
"name servers",
"emails",
"for privacy",
"ltd dba",
"com laude",
"servers",
"expiration date",
"urls",
"meta",
"a domains",
"country code",
"store home",
"title",
"accept",
"espaol",
"english",
"evil corp",
"see all",
"cyber hack",
"republic",
"canada",
"season",
"joe tidy",
"sarah rainsford",
"podcast",
"bank",
"ukraine",
"dead",
"indonesia",
"police",
"premium",
"napoleon",
"revolution",
"michelangelo",
"mozart",
"global",
"solid",
"lazarus",
"jabber zeus",
"harrods",
"ta markmonitor",
"markmonitor",
"search",
"present aug",
"unknown aaaa",
"unknown soa",
"win32",
"invalid url",
"trojanspy",
"mtb apr",
"backdoor",
"next associated",
"win64",
"trojandropper",
"twitter",
"virtool",
"ransom",
"worm",
"dynamicloader",
"tlsv1",
"high",
"globalc",
"medium",
"windows",
"cmd c",
"delete c",
"stream",
"write",
"next",
"process32nextw",
"http host",
"dns query",
"likely gandcrab",
"et trojan",
"windows nt",
"wow64",
"malware",
"ms windows",
"as16509",
"as54113",
"yara rule",
"pe32 executable",
"as15169",
"powershell",
"unknown",
"response ip",
"address google",
"safe browsing",
"hostname add",
"port",
"destination",
"pe32",
"intel",
"error",
"show",
"delphi",
"dcom",
"form",
"canvas",
"united kingdom",
"content type",
"security",
"moved",
"great britain",
"unknown a",
"body doctype",
"html public",
"ietfdtd html",
"showing",
"packing t1045",
"bytes",
"read",
"default",
"christoper p ahmann",
"target",
"victims",
"tsara brashears",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"present nov",
"present oct",
"date",
"tcpmemhit",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"sha256",
"sha1",
"mitre att",
"pattern match",
"show technique",
"ck matrix",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"palantir",
"foundry",
"hitmen",
"quasi",
"government contracts",
"jeffrey reimer",
"hallrender",
"workers compensation",
"record value",
"certificate"
],
"references": [
"apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
"https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"bpc-old.palantirfoundry.com",
"OTX auto populated targeted groups.",
"You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
"Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
"Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
"Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
"They blatantly steal from citizens , blame foreign entities.",
"This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents."
],
"public": 1,
"adversary": "Lazarus",
"targeted_countries": [
"Bangladesh",
"Japan",
"United States of America"
],
"malware_families": [
{
"id": "ALF:SpikeAexR.PEVPSZL",
"display_name": "ALF:SpikeAexR.PEVPSZL",
"target": null
},
{
"id": "Ransom:MSIL/GandCrab",
"display_name": "Ransom:MSIL/GandCrab",
"target": "/malware/Ransom:MSIL/GandCrab"
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Ransom:Win32/Gandcrab.H!MTB",
"display_name": "Ransom:Win32/Gandcrab.H!MTB",
"target": "/malware/Ransom:Win32/Gandcrab.H!MTB"
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [
"Banks",
"Crypto",
"Entertainment",
"Bank"
],
"TLP": "white",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4572,
"FileHash-MD5": 196,
"domain": 1523,
"hostname": 1393,
"FileHash-SHA256": 2400,
"FileHash-SHA1": 175,
"email": 18,
"SSLCertFingerprint": 8
},
"indicator_count": 10285,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "174 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "690e8b773dc39921d88abd44",
"name": "Nanocore - Affected",
"description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|",
"modified": "2025-12-07T23:02:29.645000",
"created": "2025-11-08T00:14:47.600000",
"tags": [
"hgnvastlaiz",
"read c",
"medium",
"rgba",
"memcommit",
"delete",
"png image",
"unicode",
"dock",
"execution",
"malware",
"crlf line",
"speichermedium",
"productversion",
"fileversion",
"engine dll",
"internalname",
"einstellungen",
"comodo ca",
"limited st",
"yara detections",
"next pe",
"eula",
"policy",
"direct",
"opencandy",
"suspicious_write_exe",
"network_icmp",
"process_martian",
"present jun",
"present jul",
"domain",
"united",
"ip address",
"unknown ns",
"ms windows",
"intel",
"verisign",
"time stamping",
"unknown",
"class",
"write",
"markus",
"temple",
"msie",
"windows nt",
"get http",
"lehash",
"av detections",
"ids detections",
"alerts",
"file score",
"low risk",
"compromised_site_redirector_fromcharcode",
"present aug",
"passive dns",
"all ipv4",
"urls",
"files",
"hosting",
"america flag",
"win32",
"ipv4 add",
"signed file, valid signature. revoked.",
"united states",
"pws",
"atros",
"fiha",
"search",
"entries",
"present oct",
"next associated",
"show",
"high",
"wow64",
"slcc2",
"next",
"domain add",
"poland",
"poland unknown",
"ipv4",
"location poland",
"poland asn",
"et policy",
"pe exe",
"dll windows",
"amazon s3",
"location united",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"results feb",
"nanocore",
"url add",
"http",
"related nids",
"files location",
"flag united",
"malicious image",
"files domain",
"files related",
"pulses otx",
"related tags",
"resources whois",
"virustotal",
"present sep",
"status",
"present nov",
"present mar",
"trojan",
"script script",
"div div",
"link",
"a li",
"meta",
"sweden",
"invalid url",
"head title",
"title head",
"reference",
"bad request",
"server",
"netherlands",
"creation date",
"date",
"running server",
"ahmann",
"christopher",
"p",
"tam",
"legal",
"treece",
"alfrey",
"muscat",
"adversaries",
"cyber crime",
"quasi",
"government"
],
"references": [
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"www.opencandy.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"Yara Detections : compromised_site_redirector_fromcharcode",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Nanocore-5",
"display_name": "Win.Trojan.Nanocore-5",
"target": null
},
{
"id": "Win.Trojan.Adinstall-2",
"display_name": "Win.Trojan.Adinstall-2",
"target": null
},
{
"id": "PSW.Generic13",
"display_name": "PSW.Generic13",
"target": null
},
{
"id": "Atros.UPK",
"display_name": "Atros.UPK",
"target": null
},
{
"id": "Luhe.Fiha.A",
"display_name": "Luhe.Fiha.A",
"target": null
},
{
"id": "Pua.Optimizerpro/PCOptimizerPro",
"display_name": "Pua.Optimizerpro/PCOptimizerPro",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 753,
"FileHash-SHA1": 622,
"FileHash-SHA256": 4336,
"URL": 2448,
"domain": 300,
"hostname": 788,
"CVE": 1,
"email": 4
},
"indicator_count": 9252,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "176 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "690a2c38de1708af54217faa",
"name": "Access Token used to steal security credentials & hack and ride DND of targeted individuals",
"description": "- https://shift.gearboxsoftware.com/link\n- Found embedded in targets phone.\n\nAccess Token used to steal security credentials & hack and ride DND of targeted individuals device. \nTAM Legal \u2022 Tulach \u2022 Hall Render \u2022 Quasi Government | Some type of Foundry user account found. \n\nStop illegally \n stalking, harassment, attempts, hacking, death threats. . Because the Colorado government allowing entities like this to operate without any type of rules, oversight or boundaries \nMILLION$ were wasted in your own fraud, waste in abuse scheme. AT&T , CrowdStrike , United Healthcare , UC Healthcare, Intermountain Health, T-Mobile, Amazon East, the Colorado Government itself, Medicare and Medicaid. For what? You have zero talent so you take it from those who do. You have nothing coming to you so you steal it from those who do. Is this somehow legal? \n#contacted #all_hosts backdoor #ransomware #cve #usa #american_terrorists #workers_compenstation_abuse #silencing #targeting #hitmen #illegal #malvertizing #aws_dns",
"modified": "2025-12-04T15:01:02.531000",
"created": "2025-11-04T16:39:20.035000",
"tags": [
"present aug",
"moved",
"encrypt",
"present jul",
"passive dns",
"ipv4 add",
"reverse dns",
"united states",
"present may",
"ip address",
"gmt content",
"ipv4",
"all ipv4",
"america",
"united",
"present oct",
"name servers",
"redacted for",
"emails",
"for privacy",
"unknown ns",
"unknown aaaa",
"dynamicloader",
"focus region",
"unicode text",
"utf16",
"ms windows",
"bokeh onlycanon",
"zeiss jena",
"mcsonnar",
"high",
"win64",
"stream",
"write",
"smartassembly",
"trailer",
"next",
"search",
"medium",
"as15169",
"write c",
"reads",
"team",
"malware",
"local",
"yara detections",
"delphi",
"strings",
"dcom",
"form",
"trojandropper",
"mtb nov",
"backdoor",
"otx telemetry",
"trojan",
"type",
"data upload",
"extraction",
"ol rop",
"hash avast",
"avg clamav",
"msdefender nov",
"win32upatre nov",
"win32berbew nov",
"dynamic",
"pe section",
"error",
"close",
"status",
"urls",
"expiration date",
"hostname",
"url analysis",
"yara rule",
"show",
"binary file",
"wine emulator",
"mtb oct",
"files",
"denmark asn",
"as32934",
"candyopen",
"possible",
"smoke loader",
"trojanspy",
"filehash",
"pulses otx",
"related tags",
"file type",
"no analysis",
"available",
"api key",
"screenshots",
"present nov",
"aaaa",
"mtb may",
"mexico",
"hostname add",
"registrar",
"domain add",
"location united",
"email add",
"none related",
"domains",
"email domain",
"service",
"domain",
"america flag",
"body",
"title",
"aws dns",
"next associated",
"risepro",
"guard",
"v full",
"reports v",
"t1059 shared",
"modules",
"t1129 system",
"t1569",
"help v",
"t1179 boot",
"logon autost",
"encoding",
"packing f0001",
"hidden files",
"e1203 windows",
"file attributes",
"registry value",
"catalog tree",
"analysis ob0001",
"evasion b0003",
"virtual machine",
"ip traffic",
"memory pattern",
"pattern urls",
"tls sni",
"get https",
"post https",
"named pipe",
"delete c",
"radar",
"defender",
"format",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"mitre att",
"ck techniques",
"evasion att",
"country",
"contacted hosts",
"process details",
"flag",
"globalc",
"intel",
"win32",
"worm",
"path",
"explorer",
"script",
"href",
"external",
"html content",
"tulach",
"hallrender",
"tam legal",
"brian sabey",
"christopher ahmann",
"apple",
"msie",
"chrome",
"ascio",
"creation date",
"date",
"germany unknown",
"germany asn",
"files ip",
"address",
"asn as24940",
"less",
"script urls",
"a domains",
"prox",
"dennis schrder",
"meta",
"apache",
"99u25f.exe",
"entries",
"as24940 hetzner",
"dns resolutions",
"status code",
"body length",
"kb body",
"software/ hardware",
"external-resources",
"password-input",
"overview",
"colorado"
],
"references": [
"https://shift.gearboxsoftware.com/link",
"https://tulach.cc/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com",
"x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe",
"https://www.turbo.net/run/videolan/vlc",
"http://www.forensickb.com/2013/03/file-entropy-explained.html",
"https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/",
"Overview \"Keeping money\" by the Colorado workers' compensation system can refer to",
"legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal",
"counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before ."
],
"public": 1,
"adversary": "Colorado Quasi Government | Workerk Compensation",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Generic-9878032-0",
"display_name": "Win.Trojan.Generic-9878032-0",
"target": null
},
{
"id": "Win.Trojan.Starter-171",
"display_name": "Win.Trojan.Starter-171",
"target": null
},
{
"id": "GravityRAT",
"display_name": "GravityRAT",
"target": null
},
{
"id": "Backdoor:Win32/Berbew.AA!MTB",
"display_name": "Backdoor:Win32/Berbew.AA!MTB",
"target": "/malware/Backdoor:Win32/Berbew.AA!MTB"
},
{
"id": "Trojan:MSIL/AgentTesla.DW!MTB",
"display_name": "Trojan:MSIL/AgentTesla.DW!MTB",
"target": "/malware/Trojan:MSIL/AgentTesla.DW!MTB"
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "Nemucod",
"display_name": "Nemucod",
"target": null
},
{
"id": "Berbew",
"display_name": "Berbew",
"target": null
},
{
"id": "PWS:Win32/Zbot.MS!MTB",
"display_name": "PWS:Win32/Zbot.MS!MTB",
"target": "/malware/PWS:Win32/Zbot.MS!MTB"
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Exploit.Rozena-10038302-0",
"display_name": "Win.Exploit.Rozena-10038302-0",
"target": null
},
{
"id": "Zombie",
"display_name": "Zombie",
"target": null
},
{
"id": "Trojan:Win32/Zombie",
"display_name": "Trojan:Win32/Zombie",
"target": "/malware/Trojan:Win32/Zombie"
},
{
"id": "Muldrop",
"display_name": "Muldrop",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Dorv",
"display_name": "Dorv",
"target": null
},
{
"id": "Win.Malware.Pits-10035540-0",
"display_name": "Win.Malware.Pits-10035540-0",
"target": null
},
{
"id": "Win.Ransomware.Msilzilla-10014498-0",
"display_name": "Win.Ransomware.Msilzilla-10014498-0",
"target": null
},
{
"id": "CVE-2023-4966",
"display_name": "CVE-2023-4966",
"target": null
},
{
"id": "Exploit:Linux/CVE-2017-17215",
"display_name": "Exploit:Linux/CVE-2017-17215",
"target": "/malware/Exploit:Linux/CVE-2017-17215"
},
{
"id": "Ransom:Win32/CVE-2017-0147",
"display_name": "Ransom:Win32/CVE-2017-0147",
"target": "/malware/Ransom:Win32/CVE-2017-0147"
},
{
"id": "CVE-2022-26134",
"display_name": "CVE-2022-26134",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1569",
"name": "System Services",
"display_name": "T1569 - System Services"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6051,
"hostname": 2627,
"FileHash-MD5": 401,
"FileHash-SHA1": 257,
"email": 11,
"domain": 1838,
"FileHash-SHA256": 1742,
"CVE": 4,
"SSLCertFingerprint": 3
},
"indicator_count": 12934,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "179 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68be65e95645ef1a6c8a898d",
"name": "Apple affected by Tofsee at least 4 remote devices. DEAD Apple products",
"description": "Such a hacked device. Victims phone remotely accessed the night it was purchased. A man wearing a jammer/ deauth watch was part of an aggressive caravan of followers. Will repost related pulse. \n South Africa became customer service once again for every external service called. Target was aware. \n\nIt must be nice to SA someone, and have a racist mafia of silencers behind because the corporation didn\u2019t want bad press and the Sheriff was friends with the MD who threatened victim with future retaliation.\n\nNo one helps because this is obviously abuse by law enforcement. He is the victim. She simply suffered from life threatening injuries until the end. This should be illegal. Denied justice, representation, medical care, emergency care of any kind, diagnos3s and followed and monitored 24/7.",
"modified": "2025-10-08T04:04:41.943000",
"created": "2025-09-08T05:13:13.781000",
"tags": [
"mtb oct",
"trojandropper",
"avast avg",
"backdoor",
"trojan",
"ubuntu",
"passive dns",
"federation flag",
"asn as49505",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"dynamicloader",
"high",
"medium",
"port",
"delete c",
"windows",
"displayname",
"tofsee",
"grum",
"stream",
"powershell",
"write",
"malware",
"hostile",
"misa",
"ipv4 add",
"urls",
"files",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"found",
"command",
"defense evasion",
"adversaries",
"spawns",
"united",
"orc5",
"flag",
"rhur3d",
"title",
"click",
"strings",
"refresh",
"aids",
"dzan",
"sumo",
"miny",
"judi",
"pattern match",
"mitre att",
"show technique",
"ck matrix",
"ascii text",
"show process",
"hybrid",
"general",
"local",
"path",
"t1480 execution",
"null",
"span",
"error",
"tools",
"look",
"verify",
"restart",
"domain secure",
"windows nt",
"ogoogle trust",
"zerossl ecc",
"site ca0x1ex17r",
"win64",
"unknown",
"encrypt",
"search",
"entries",
"destination",
"push",
"next",
"apple",
"moved",
"gmt content",
"type",
"content length",
"ipv4",
"date",
"handle",
"address range",
"cidr",
"network name",
"allocation type",
"assigned pi",
"status",
"whois server",
"entity ipripe",
"apnic",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"ip address",
"related nids",
"files location",
"flag united",
"unknown ns",
"name servers",
"creation date",
"emails",
"pulse pulses",
"pulses none",
"none google",
"safe browsing",
"external",
"location united",
"asn as714",
"less whois",
"registrar",
"ios",
"iphone",
"ipad",
"australia",
"dead host"
],
"references": [
"https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound",
"https://176.113.115.136/ohhiiiii/",
"https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE",
"https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8",
"palantir-staging.staging.candidate.app.paulsjob.ai",
"pornhub.com\t \u2022 www.pornhub.com",
"appleaustralia.com",
"https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb",
"https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Muldrop",
"display_name": "Muldrop",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Telecommunications",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1273,
"FileHash-MD5": 347,
"domain": 606,
"hostname": 778,
"FileHash-SHA256": 2724,
"FileHash-SHA1": 322,
"email": 9,
"SSLCertFingerprint": 14,
"CIDR": 3
},
"indicator_count": 6076,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "237 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68aff672de7f1b65a97c00b1",
"name": "WarzoneRAT impacts Social Media of users with compromised systems",
"description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn",
"modified": "2025-09-27T05:00:09.125000",
"created": "2025-08-28T06:25:54.794000",
"tags": [
"d10927",
"mp41",
"mp41 connection",
"r connection",
"ip address",
"dynamicloader",
"write c",
"globalc",
"medium",
"high",
"write",
"dll read",
"trojan",
"delphi",
"win32",
"dialer",
"tracking",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"spawns",
"t1590 gather",
"mitre att",
"ck matrix",
"null",
"click",
"title",
"span",
"meta",
"general",
"local",
"path",
"strings",
"refresh",
"tools",
"virgin islands",
"united",
"unknown ns",
"a domains",
"montserrat",
"passive dns",
"ipv4",
"urls",
"files",
"hosting",
"trojandropper",
"location virgin",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"item",
"has description",
"unknown",
"explorer",
"error",
"powershell",
"yara rule",
"windows",
"t1055",
"warzonerat",
"avemaria",
"virtool",
"netwire",
"malware",
"hostile",
"autoit",
"defender",
"date",
"bq aug",
"next associated",
"ipv4 add",
"resolved ips",
"get http",
"request",
"win64",
"khtml",
"gecko",
"resolutions",
"number",
"ja3s",
"algorithm",
"cnr12 cus",
"cname",
"accept",
"port",
"gmt ifnonematch",
"screenshots no",
"involved dns",
"name response",
"nxdomain",
"tcp connections",
"involved direct",
"country name",
"moved",
"alone email",
"body doctype",
"gmt server",
"content type",
"service privacy",
"cve"
],
"references": [
"http://remote.edikamin.com/",
"http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C",
"http://deposito.hostance.net/dialer/",
"Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT",
"Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net",
"DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net",
"Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1",
"simswap.in (possible Mirai or relationship to)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Virgin Islands, British"
],
"malware_families": [
{
"id": "Trojan:Win32/Diamin.F",
"display_name": "Trojan:Win32/Diamin.F",
"target": "/malware/Trojan:Win32/Diamin.F"
},
{
"id": "Dialer",
"display_name": "Dialer",
"target": null
},
{
"id": "Win32:CabMod\\ [Drp]",
"display_name": "Win32:CabMod\\ [Drp]",
"target": null
},
{
"id": "TrojanDropper:Win32/Hupigon.gen!A",
"display_name": "TrojanDropper:Win32/Hupigon.gen!A",
"target": "/malware/TrojanDropper:Win32/Hupigon.gen!A"
},
{
"id": "ALF:HeraklezEval:PUA:Win32/Keygen",
"display_name": "ALF:HeraklezEval:PUA:Win32/Keygen",
"target": null
},
{
"id": "Trojan:Win32/Startpage.AEA",
"display_name": "Trojan:Win32/Startpage.AEA",
"target": "/malware/Trojan:Win32/Startpage.AEA"
},
{
"id": "Banload",
"display_name": "Banload",
"target": null
},
{
"id": "TrojanDownloader:Win32/Banload.D",
"display_name": "TrojanDownloader:Win32/Banload.D",
"target": "/malware/TrojanDownloader:Win32/Banload.D"
},
{
"id": "Win32:Evo-gen",
"display_name": "Win32:Evo-gen",
"target": null
},
{
"id": "!#AddsCopy-ToStartup",
"display_name": "!#AddsCopy-ToStartup",
"target": null
},
{
"id": "VirTool:Win32/AutInject.CZ!bit",
"display_name": "VirTool:Win32/AutInject.CZ!bit",
"target": "/malware/VirTool:Win32/AutInject.CZ!bit"
},
{
"id": "Win.Trojan.Agent-316098",
"display_name": "Win.Trojan.Agent-316098",
"target": null
},
{
"id": "virtool:Win32/Injector.gen!BQ",
"display_name": "virtool:Win32/Injector.gen!BQ",
"target": "/malware/virtool:Win32/Injector.gen!BQ"
},
{
"id": "WarzoneRAT - S0670",
"display_name": "WarzoneRAT - S0670",
"target": null
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
}
],
"industries": [
"Technology",
"Telecommunications",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4194,
"hostname": 1563,
"FileHash-SHA256": 2494,
"domain": 624,
"FileHash-MD5": 274,
"FileHash-SHA1": 226,
"email": 1,
"CVE": 1
},
"indicator_count": 9377,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "248 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68a23eef53f1124e8dc273fc",
"name": "Sign in to your account - Anorocuriv",
"description": "Short link sent to an iPhone user possibly by accident or maybe not. Unraveled :[https://ns4.whichkill.net/]\n[https://l.us-1.a.mimecastprotect.com/l]\n[https://api-glintstage.glintinc.com/api/client/tiaa/token/saml2/consume/includeDeskLink]\n\n[https://api.glintinc.com/api/client/tiaa/token/saml2/consume/includeDeskLink]\t\n\n*api.us1.glintinc.com #malta\n*ALF:Trojan:Win32/Anorocuriv.A.#virtool #LowFI:HookwowLow \n#tracking #tiaa #locate recording #userpics #movies #audio #screen #mobile_assets #https://biccerija.gov.mt/en/contact/",
"modified": "2025-09-16T20:00:00.565000",
"created": "2025-08-17T20:43:27.502000",
"tags": [
"url http",
"url https",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"showing",
"entries",
"status",
"msie",
"chrome",
"passive dns",
"urls",
"date",
"pulse pulses",
"files",
"domain",
"files ip",
"body",
"http",
"hostname",
"files domain",
"present jan",
"present dec",
"united",
"present aug",
"present jun",
"unknown aaaa",
"present mar",
"present may",
"present feb",
"present jul",
"error",
"a domains",
"gmt content",
"accept encoding",
"config nocache",
"hostname add",
"pulse submit",
"content type",
"certificate",
"ip address",
"cookie",
"mita",
"next associated",
"please",
"x msedge",
"ipv4 add",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"defense evasion",
"t1480 execution",
"signing defense",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"size",
"pattern match",
"mitre att",
"ascii text",
"null",
"click",
"august",
"hybrid",
"general",
"local",
"path",
"strings",
"refresh",
"tools",
"meta",
"onload",
"span",
"adversaries",
"ssl certificate",
"logo",
"av detection",
"default browser",
"guest system",
"professional",
"falcon sandbox",
"response risk",
"ck techniques",
"detection",
"show process",
"prefetch8",
"windows nt",
"win64",
"khtml",
"gecko",
"post collect",
"microsoft edge",
"nota",
"brand",
"class",
"facebook",
"ascii",
"hex dump",
"extraction",
"failed",
"data upload",
"pul data",
"enter",
"s data",
"type",
"extr error",
"href",
"mask",
"extra",
"uta support",
"include review",
"exclude sugges",
"find",
"wow64",
"show",
"observed dns",
"query",
"unknown",
"virtool",
"copy",
"write",
"defender",
"expiro",
"malware",
"next",
"lowfi",
"hookwowlow dec",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"trojan",
"trojandropper",
"http request",
"delete",
"yara detections",
"pe exe",
"dll windows",
"minimal http",
"february",
"guard",
"alerts",
"analysis date",
"file score",
"detections alf",
"detections http",
"http executable",
"retrieved",
"location united",
"america flag",
"america asn",
"urls show",
"date checked",
"url hostname",
"server response"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 853,
"hostname": 1835,
"URL": 7127,
"email": 3,
"FileHash-SHA256": 1470,
"FileHash-MD5": 293,
"FileHash-SHA1": 284,
"SSLCertFingerprint": 426,
"CVE": 1
},
"indicator_count": 12292,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "258 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6893eee9bf1b30e08d1a6d8e",
"name": "Ransom:Win32/CVE - Denver \u2022 Community Lifestyle Neighborhood",
"description": "*Ransom:Win32/CVE - * Win.Dropper.Stone-9856966-0,\nDenver \u2022 Community Lifestyle Neighborhood. \nCorporate & Leasing Office corrupted with spyware. There is a single verified monitored target. All technology devices corrupted, at least 2 phones monitored, YouTube is courtesy of hackers. Several in person and phone investigations, staff change and they know nothing about leasing apartments, townhomes , etiquette, poor communication. Target also investigated. It appears to be harassment, intimidation and monitoring for unspecified reasons. The parking lot is stacked with obvious people sitting in their vehicles for hours. It\u2019s unclear if the staffing change is legitimate or part of an investigation.",
"modified": "2025-09-05T23:02:52.811000",
"created": "2025-08-07T00:10:17.696000",
"tags": [
"address google",
"safe browsing",
"united",
"typeof",
"passive dns",
"body doctype",
"nreum",
"date",
"gmt server",
"apache x",
"cnection",
"content type",
"span",
"ok transfer",
"encoding",
"x powered",
"unknown soa",
"unknown ns",
"showing",
"entries",
"next associated",
"urls show",
"body",
"encrypt",
"search",
"ip address",
"creation date",
"record value",
"present jul",
"present may",
"present apr",
"certificate",
"present aug",
"present feb",
"present dec",
"present nov",
"error",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"development att",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"mitre att",
"show technique",
"ck matrix",
"pattern match",
"ascii text",
"august",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"itre att",
"accept",
"sha256",
"size",
"type data",
"utf8 text",
"document file",
"flag",
"server",
"european union",
"name server",
"tor analysis",
"dns requests",
"domain address",
"ii llc",
"windir",
"openurl c",
"prefetch2",
"show process",
"ogoogle trust",
"network traffic",
"organization",
"elton avundano",
"object",
"title object",
"header http2",
"returnurl",
"texas",
"rsa ov",
"ssl ca",
"status",
"australia",
"netherlands",
"urls",
"gmt path",
"hostname add",
"pulse submit",
"present oct",
"e safe",
"results jul",
"response ip",
"present jan",
"name servers",
"verdict",
"domain",
"files ip",
"address domain",
"xhr start",
"xhr load",
"aaaa",
"read c",
"show",
"port",
"destination",
"high",
"delete",
"outbound m3",
"copy",
"write",
"persistence",
"execution",
"malware",
"generic",
"unknown",
"present mar",
"dynamicloader",
"wine emulator",
"dynamic",
"medium",
"read",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"dnssec",
"domain name",
"solutions",
"llc status",
"next passive",
"dns status",
"hostname query",
"files show",
"date hash",
"avast avg",
"overview ip",
"address",
"related nids",
"files location",
"flag united",
"hostname",
"files domain",
"win32",
"mtb feb",
"trojan",
"susp",
"trojandropper",
"msr feb",
"trojanspy",
"virtool",
"win64",
"defense evasion",
"t1480 execution",
"file defense",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"file discovery",
"utf8",
"crlf line",
"a domains",
"script urls",
"link",
"unknown aaaa",
"meta",
"atom",
"results jan",
"present",
"present sep",
"akamai",
"asn as16625",
"less whois",
"registrar",
"http",
"france flag",
"france hostname",
"files related",
"url analysis",
"files",
"location france",
"detailed error",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"moved",
"name",
"perfect privacy",
"error jul",
"next related",
"domains show",
"domain related",
"url add",
"pulse pulses",
"hosting",
"reverse dns",
"france asn",
"as16276",
"dns resolutions",
"datacenter",
"regopenkeyexa",
"regsetvalueexa",
"windows nt",
"regdword",
"hostile",
"service",
"delphi",
"next",
"pulses none",
"related tags",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"review",
"data upload",
"extraction",
"khtml",
"gecko",
"olet",
"cnlet",
"tlsv1",
"hacktool",
"push",
"ms windows",
"intel",
"pe32",
"users",
"precreate read",
"ransom",
"code",
"installer",
"june",
"media",
"autorun",
"next yara",
"detections name",
"aspackv2xxx",
"eu alexey",
"alerts",
"pe file",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"yara detections",
"analysis date",
"april",
"packing t1045",
"t1045",
"t1060",
"registry run",
"keys",
"user execution",
"icmp traffic"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1132,
"URL": 6245,
"hostname": 2264,
"FileHash-SHA256": 1857,
"FileHash-SHA1": 491,
"email": 9,
"FileHash-MD5": 573,
"SSLCertFingerprint": 16
},
"indicator_count": 12587,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "269 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687f33a5ddf830e2f3e5acac",
"name": "Trojan Dropper | Espionage | Keylogger affecting medical centers",
"description": "PII and PHI at risk. Highest access spyware available infiltrates a small niche medical center. \ntrojandropper, keyloggers, advanced spyware, monitored rooms , mitre att, ||\nIDS: PROTOCOL-ICMP PATH MTU denial of service attempt \u2022 PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\n\n\u2022 https://foundry2sdbl.dvr.dn2.n-helix.com/\n\u2022 https://www.pegasustech.net/products/mobility-barcode-scanning/Data-collector-mobile-computer\n\n\u2022 \nrobloxlogger.com\n\u2022\n\nhttps://video.welnext.com\n\u2022\nhttps://app1.oceantg.com/sta40/views/personnelscreenview.aspx",
"modified": "2025-08-21T06:00:20.607000",
"created": "2025-07-22T06:45:57.499000",
"tags": [
"pegasus",
"report spam",
"gotham foundry",
"espionage",
"spinal cord",
"injured created",
"minutes ago",
"strange",
"foundry",
"palantir",
"alexa",
"service",
"url http",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"ipv4",
"united",
"germany",
"singapore",
"netherlands",
"iran",
"india",
"search",
"domain",
"hostname",
"filehashmd5",
"filehashsha1",
"extraction",
"data upload",
"sc type",
"dren aeu",
"extr source",
"ur data",
"include",
"review exclude",
"sugges",
"mtu denial",
"matches rule",
"needed",
"df bit",
"unique rule",
"catalog tree",
"c0002 wininet",
"ta0005 command",
"control ta0011",
"get http",
"resolved ips",
"dns resolutions",
"cloudflare",
"flag",
"server",
"date",
"contacted hosts",
"ip address",
"process details",
"t1158",
"hidden",
"t1031",
"modify existing",
"t1053",
"taskjob",
"t1060",
"run keys",
"startup",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"command",
"found",
"itre att",
"show process",
"prefetch8",
"mitre att",
"show technique",
"ck matrix",
"windows nt",
"win64",
"khtml",
"gecko",
"april",
"hybrid",
"general",
"path",
"click",
"strings",
"entries",
"unknown ns",
"creation date",
"record value",
"showing",
"gmt content",
"accept encoding",
"encrypt",
"checked url",
"hostname server",
"response ip",
"address google",
"safe browsing",
"present jan"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2628,
"domain": 472,
"hostname": 880,
"FileHash-SHA256": 805,
"FileHash-MD5": 151,
"FileHash-SHA1": 128,
"CIDR": 1,
"SSLCertFingerprint": 3,
"email": 1
},
"indicator_count": 5069,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "285 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687f0f210ec1de4316b22522",
"name": "Strange Medical Facility with Overt Bad Actors Spying on Disabled",
"description": "Strange Medical Facility with Overt Bad Actors already Spying on Disabled. Everything including bathroom is monitored.\nfounderintech.com\nwww.galbutfamilyfoundation.com\t\nwpengine.com\t\nhttps://foundry2sdbl.dvr.dn2.n-helix.com\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\npegasusthruster.com\t\nhttps://www.pegasusthruster.com/\t\nsmtp.pegasustech.net\nhttp://pegasusthruster.com/shoppegasus/includes/att",
"modified": "2025-08-21T03:02:43.704000",
"created": "2025-07-22T04:10:09.158000",
"tags": [
"date",
"submit url",
"analysis",
"passive dns",
"urls",
"files",
"ip address",
"asn as13335",
"whois registrar",
"creation date",
"extraction",
"data",
"extri",
"include review",
"iocs",
"data upload",
"united",
"unknown aaaa",
"search",
"showing",
"moved",
"a domains",
"record value",
"body"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6560,
"FileHash-MD5": 121,
"FileHash-SHA1": 125,
"FileHash-SHA256": 3989,
"domain": 1616,
"hostname": 1876,
"email": 3,
"CVE": 2
},
"indicator_count": 14292,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "285 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687d91b1a8f414040bfba430",
"name": "Spyware",
"description": "And I've been walking, talking\nBelieving the things that are true\nAnd I've been finding\nThe difference between right and wrong, bad and good\nSee me put things together\nPut them back where they belong\nWhen I look at each other\nHave I always been singing the same song?\n\nShe said\nThis is a perfect world\nRiding on an incline\nI'm staring in your face\nYou'll photograph mine\n\nI-I-I-I-I\nWhoo, ah-ha-ha\nHa-ha-ha-ha-ha-ha\n\nSomebody said that it happens all over the world\nI do believe that it's true (\u2022o\u2022)\n#spyware #MaaS #malvertizing #bullyfor$ #unethical #dangerous_tool",
"modified": "2025-08-20T00:01:59.498000",
"created": "2025-07-21T01:02:41.049000",
"tags": [
"serving ip",
"address",
"status",
"utc na",
"utc google",
"utc facebook",
"custom audience",
"tag manager",
"ua748443502",
"utc gtmwrp73mt",
"utc gsrdlm5jnx1",
"utc aw937838002",
"adsense na",
"connect",
"file type",
"status code",
"body length",
"kb body",
"sha256",
"powershell",
"b file",
"ta0004 defense",
"evasion ta0005",
"command",
"control ta0011",
"c0002 wininet",
"number",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"corporation cus",
"algorithm",
"cndigicert sha2",
"secure server",
"ca odigicert",
"inc cus",
"subject",
"cnwe1 ogoogle",
"trust",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft",
"get http",
"request",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"united",
"search",
"creation date",
"expiration date",
"name servers",
"unknown soa",
"germany unknown",
"entries",
"pulse submit",
"url analysis",
"date"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 304,
"hostname": 796,
"URL": 2590,
"FileHash-SHA256": 2735,
"FileHash-MD5": 253,
"FileHash-SHA1": 144,
"email": 1
},
"indicator_count": 6823,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "286 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6875e98438889e51b3fdd18f",
"name": "Critical \u2022 Schedule system process - Mirai | Foundry Overwatch",
"description": "",
"modified": "2025-08-14T05:04:16.839000",
"created": "2025-07-15T05:39:16.652000",
"tags": [
"win32 exe",
"country",
"include review",
"exclude",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"impact ob0008",
"file system",
"system oc0008",
"match unknown",
"adversaries",
"match info",
"info",
"execution flow",
"t1574 dll",
"tries",
"registry",
"modify system",
"process t1543",
"unknown",
"window",
"ob0009 install",
"ob0012 install",
"insecure",
"b0047 modify",
"registry e1112",
"hidden files",
"registry run",
"keys",
"startup folder",
"f0012 file",
"critical",
"united",
"as15169",
"delete c",
"as16509",
"show",
"search",
"intel",
"ms windows",
"entries",
"medium",
"worm",
"copy",
"write",
"explorer",
"malware",
"next",
"present jul",
"status",
"date",
"ip address",
"domain",
"servers",
"showing",
"unknown ns",
"related pulses",
"pulses",
"tags",
"related tags",
"more file",
"type",
"date april",
"am size",
"sha1 sha256",
"as14618",
"united kingdom",
"as54113",
"as15133 verizon",
"top source",
"top destination",
"status domain",
"ip whitelisted",
"whitelisted",
"tcp include",
"source source",
"oamazon",
"cnamazon rsa",
"odigicert inc",
"sweden as20940",
"as20940",
"entries tls",
"ip destination",
"encrypt",
"aaaa",
"found",
"certificate",
"next associated",
"urls show",
"date checked",
"error",
"windows",
"high",
"yara detections",
"installs",
"checks",
"filehash",
"sha256 add",
"themida",
"data upload",
"extraction",
"md5 add",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"win32",
"ddos",
"passive dns",
"activity",
"checkin",
"win64",
"mtb jan",
"lowfi",
"trojan",
"ransom",
"trojandropper",
"yara",
"nsis",
"nss bv",
"su data",
"windo alerts",
"andariel",
"malware traffic",
"nids",
"icmp traffic",
"dns query",
"id deadhost",
"connects",
"andariel high",
"richhash",
"external",
"virustotal api",
"screenshots",
"failed",
"auurtonany data",
"themida andarie",
"present may",
"japan unknown",
"unknown cname",
"domain add",
"urls",
"files",
"http headers",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"externalport",
"internalport",
"wget command",
"devices home",
"execution",
"foundry",
"home networks",
"mirai",
"x.com",
"porn",
"monitored target",
"d link",
"targets"
],
"references": [
"TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}",
"Crowdsourced Signa: Schedule system process by Joe Security",
"Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel",
"Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"Yara \u2022 NSIS from ruleset NSIS by kevoreilly",
"Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
"Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security",
"Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command",
"IDS : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI",
"Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0",
"*Themida_2xx. Oreans,Technologies",
"*Andariel Backdoor Activity (Checkin)",
"Alert: dead_host nids_malware_alert network_icmp nolookup_communication",
"IDS: WGET Command Specifying Output in HTTP Headers",
"IDS: D-Link Devices Home Network Administration Protocol Command Execution",
"foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl",
"https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com",
"http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios",
"Devices remotely connected, tracked , monitored"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Win.Malware.Ursu-9856871-0",
"display_name": "Win.Malware.Ursu-9856871-0",
"target": null
},
{
"id": "ELF:DDoS-Y\\ [Trj]",
"display_name": "ELF:DDoS-Y\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Healthcare",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 23,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 448,
"FileHash-SHA1": 435,
"FileHash-SHA256": 5851,
"hostname": 2580,
"domain": 1176,
"URL": 7133,
"SSLCertFingerprint": 30,
"email": 3,
"CVE": 3
},
"indicator_count": 17659,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "292 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6872f4c510c590b7cdc5ff6a",
"name": "Crowdsourced Collection of PayPal Mafia Monster - Foundry\u2019s Palantair",
"description": "Americans are investing in what Edward Snowden foretold of\u2026 your future from beginning to end will predict how you will be treated. Preemptively policing people even if you have to make up a past.. |\n\nThe New York Times\nMay 30, 2025 \u2014 The Trump administration has expanded Palantir's work with the government, spreading the company's technology \u2014 which could easily merge data on ...\nFormer Palantir workers condemn company's work with ...\n\nNPR\nMay 5, 2025 \u2014 Thirteen former employees of influential data-mining firm Palantir are condemning the company's work with the Trump administration.\nWyden AOC Palantir Letter 061725\n\nSenate Finance (.gov)\nJun 17, 2025 \u2014 The Trump Administration has spent taxpayer dollars on Palantir software at numerous other government agencies and paid it billions of dollars ...\n#foundry #rip #palantir #jeffreyreimerdpt #lawenforcement #twitter #tsarabrashearsblessed #apple #privacynow #fightforprivacy #sabey #hallrender",
"modified": "2025-08-11T23:02:24.583000",
"created": "2025-07-12T23:50:29.847000",
"tags": [
"url https",
"url http",
"type indicator",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses",
"enter source",
"urior exirag",
"diri type",
"data upload",
"extraction",
"failed",
"included iocs",
"review iocs",
"find sugge",
"extr extract",
"in data",
"extract",
"type",
"u extractio",
"extra",
"review ic",
"ipv4",
"pulses hostname",
"accountunlock",
"united",
"ireland",
"canada",
"brazil",
"sweden",
"australia",
"search",
"scan",
"iocs",
"learn more",
"filehashsha1",
"filehashmd5",
"types of",
"extra data",
"included review",
"china",
"colombia",
"filepath https",
"enter sc",
"extr data",
"include review",
"exclude sugges",
"filehashsha256",
"hostname",
"dicators japan",
"url tor",
"extrac data",
"ic excluded",
"suggeste",
"stop",
"type no",
"no entrie",
"included",
"review locc",
"excluded data",
"sc data",
"extri data",
"includec review",
"exclude data",
"suggested",
"se extra",
"suggest",
"manaiv add",
"indicator",
"review lace",
"extri",
"find s",
"typ no",
"no entdi",
"ous u",
"dron aew",
"avtrat",
"extre data",
"manually",
"add indicator",
"pulses url",
"url url",
"typ host",
"host url",
"include",
"z6911541",
"extraction fail",
"enter souf",
"s type",
"ur extraction",
"extraction data",
"jul all",
"pulse data",
"report external",
"review",
"extre please",
"se extraction",
"report spam",
"all t8",
"firmip",
"bofa",
"wikileaks",
"tmobile",
"dish",
"capture",
"cookie",
"enter s",
"please sub",
"include outroov",
"excludel sugges",
"extra please",
"high priority",
"alerts ids",
"priority alerts",
"cnc beacon",
"winver",
"digitalmistica",
"november",
"pulse",
"palantir",
"foundry twitter",
"arkei stealer",
"config",
"install",
"downloader",
"cidr",
"domain",
"indicators hong",
"kong",
"ukraine",
"status no",
"object",
"unruy",
"http",
"remote",
"keylogger",
"foundry created",
"days ago",
"white keylogger",
"apple",
"foundry tech",
"mafia",
"t1045",
"packing",
"t1060",
"run keys",
"startup",
"folder",
"t1457",
"showing",
"types",
"indicators show",
"dicator role",
"tsara brashears",
"tsara",
"porn",
"porn videos",
"pornhub https",
"searchtsar",
"watch tsara",
"most relevant",
"open threat",
"green",
"love",
"daily",
"videos",
"free porn",
"hybrid analysis",
"falcon sandbox",
"top tsara",
"brashears porn",
"stream",
"spice",
"download",
"hybrid",
"njrat",
"threat network",
"https",
"created",
"years ago",
"modified",
"months ago",
"tinynote",
"douglas county",
"co sheriff",
"office",
"pegasus attacks",
"sa victim",
"octoseek public",
"white",
"excludedocs",
"sugges",
"stop data",
"tsara lynn",
"brashears les",
"lynn brashears",
"translate",
"pornhub page",
"emotet",
"se review",
"typ url",
"dom hos",
"hostname data",
"harmful",
"octoseekpulse",
"attacks sa",
"bandit stealer",
"flubot",
"agent tesla",
"qbot",
"qakbot",
"ursnif",
"azorult",
"djvu",
"hacktool",
"maze",
"dark",
"linux",
"android10",
"khtml",
"costcpc",
"userosandroid",
"bannerid2738231",
"india",
"enter so",
"please subr",
"suggest data",
"netherlands",
"russia",
"america malware",
"families",
"sc type",
"please",
"show",
"url data",
"fanec",
"include failed",
"review exclude",
"extre",
"includea",
"exclude toosrou",
"sugges data",
"typ data",
"information",
"cobalt strike",
"ransomexx",
"quackbot",
"comspec",
"span",
"idn1",
"sendimage0",
"refts0",
"include data",
"uny inuuue",
"fileh fileh",
"exclude suggest",
"uniy",
"type fileh",
"extr please",
"ineluderc\u0660",
"review data",
"excludedlocs"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1085",
"name": "Rundll32",
"display_name": "T1085 - Rundll32"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1065",
"name": "Uncommonly Used Port",
"display_name": "T1065 - Uncommonly Used Port"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 58,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12679,
"domain": 1134,
"hostname": 3543,
"FileHash-MD5": 251,
"email": 7,
"FileHash-SHA256": 1927,
"FileHash-SHA1": 232,
"CVE": 1,
"CIDR": 1,
"URI": 1
},
"indicator_count": 19776,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "294 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686e17b1ac7253ec7e12f1e8",
"name": "FT Adviser | Foundry - platform.twitter.com + Apple + T-Mobile",
"description": "FT Adviser | Foundry - platform.twitter.com + Apple + T-Mobile | ImFurther investigation of familiar IoC\u2019s in Tethering T-mobile to iOS research. \n\nPalantir is the the Cyber Defense Firm that provides the weapons, man force, military, false arrest records ,reputation damage, the man who drove her off the road, constant stalking and the marketing of her music in other media.\n Realize this hot stock you\u2019re investing is a domestic and international terrorist organization. There are several\nPeople here being 24/7/365 monitored.\nThey have fulfillment centers from Amazon and can provide food to medicine, they have the entire military, all\ngovernment contracts and their own physicians. \n\n#malware #foundry #rip #palantir # twitter #paypalmafia #quasi #government # workerscompensation #law_enforcement # #jeffreyreimer #sabey #tsarabrashearslivesinourhearts",
"modified": "2025-08-08T06:00:40.325000",
"created": "2025-07-09T07:18:09.062000",
"tags": [
"present jun",
"united",
"status",
"present may",
"present sep",
"search",
"date",
"entries",
"trojan",
"name servers",
"ransom",
"twitter",
"redacted for",
"showing",
"passive dns",
"urls",
"softlayer",
"internet",
"encrypt",
"record value",
"body",
"service",
"russia",
"spain",
"germany",
"netherlands",
"aaaa",
"france",
"virtool",
"creation date",
"expiration date",
"servers",
"hostname add",
"pulse pulses",
"files",
"present aug",
"ip address",
"applenoc",
"unknown ns",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"unknown aaaa",
"secure server",
"msie",
"chrome",
"moved",
"title",
"gmt content",
"type",
"pulse submit",
"http",
"hostname",
"files domain",
"files related",
"pulses otx",
"pulses",
"related tags",
"google safe",
"indicator role",
"title added",
"active related",
"url https",
"dynamicloader",
"write c",
"windows nt",
"wow64",
"slcc2",
"media center",
"html",
"as15169",
"write",
"xport",
"copy",
"guard",
"malware",
"suspicious",
"next",
"extraction",
"data upload",
"failed",
"extri data",
"include review",
"exclude",
"sugges",
"stop x",
"s data",
"extr data",
"extraction data",
"enter soudcetdi",
"ad tevdag",
"cadad ad",
"draie",
"extri include",
"review",
"done",
"levelblue",
"exclude sugges",
"uny inuuue",
"find s",
"typ hos",
"script urls",
"canada unknown",
"script domains",
"a domains"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 181,
"FileHash-SHA1": 154,
"FileHash-SHA256": 1857,
"domain": 1424,
"email": 13,
"hostname": 1304,
"URL": 4168,
"CVE": 1,
"SSLCertFingerprint": 4
},
"indicator_count": 9106,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "298 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686cb7673e4d5a0067758fd7",
"name": "2nd Attempt- VirusTotal Ransomware and Device destruction Attack",
"description": "I hope this generates results. I continue to be unable to annotate. Witnesses attack and 5 very relevant graphs taken. \n#phishing #malware #trojan #ransom #virustotal",
"modified": "2025-08-07T05:01:52.697000",
"created": "2025-07-08T06:15:03.501000",
"tags": [
"no expiration",
"filehashmd5",
"filehashsha1",
"filehashsha256",
"iocs",
"review iocs",
"pulse show",
"search",
"type indicator",
"role title",
"expiration",
"url http",
"url https",
"text drag",
"drop or",
"enter source",
"url or",
"hostname",
"ipv4",
"related pulses",
"showing",
"entries",
"drop",
"domain",
"enter",
"extract",
"browse to",
"domain xn",
"select file",
"pdf report",
"pcap",
"stix",
"openioc",
"indicator role",
"pulses url"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 840,
"FileHash-SHA1": 725,
"FileHash-SHA256": 863,
"URL": 1663,
"SSLCertFingerprint": 17,
"domain": 520,
"hostname": 734,
"email": 11
},
"indicator_count": 5373,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "299 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686cb765dc6737fd1e882630",
"name": "2nd Attempt- VirusTotal Ransomware and Device destruction Attack",
"description": "I hope this generates results. I continue to be unable to annotate. Witnesses attack and 5 very relevant graphs taken. \n#phishing #malware #trojan #ransom #virustotal",
"modified": "2025-08-07T05:01:52.697000",
"created": "2025-07-08T06:15:01.296000",
"tags": [
"no expiration",
"filehashmd5",
"filehashsha1",
"filehashsha256",
"iocs",
"review iocs",
"pulse show",
"search",
"type indicator",
"role title",
"expiration",
"url http",
"url https",
"text drag",
"drop or",
"enter source",
"url or",
"hostname",
"ipv4",
"related pulses",
"showing",
"entries",
"drop",
"domain",
"enter",
"extract",
"browse to",
"domain xn",
"select file",
"pdf report",
"pcap",
"stix",
"openioc",
"indicator role",
"pulses url"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 840,
"FileHash-SHA1": 725,
"FileHash-SHA256": 863,
"URL": 1663,
"SSLCertFingerprint": 17,
"domain": 520,
"hostname": 734,
"email": 11
},
"indicator_count": 5373,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "299 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68632c19dd335ce48dbc3798",
"name": "Apple Zombie- Multi Malware/ Ransom attack affects Upscale Networks | Devices",
"description": "Apple IoC\u2019s Isolated from Lifestyle Community\n\u2022 Win.Packer.pkr_ce1a-9980177-0\n\u2022 Antivirus Detections\nWin.Dropper.Zombie-10044469-0\n, \nTrojan:Win32/Zombie.A |\nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 polymorphic\n\u2022 procmem_yara\n\u2022 static_pe_anomaly\n\u2022 anomalous_deletefile\n#remote #device #dns #dead_host #pointers\n#active #targeting #ops #more\u2026",
"modified": "2025-07-31T00:00:48.083000",
"created": "2025-07-01T00:30:17.324000",
"tags": [
"dynamicloader",
"vx10",
"nxd2xebwx87",
"wx10",
"mxd78x8b",
"port",
"x0cqpyx0c",
"delete c",
"yara rule",
"high",
"tofsee",
"grum",
"copy",
"stream",
"powershell",
"write",
"malware",
"push",
"united",
"name servers",
"search",
"creation date",
"servers",
"moved",
"passive dns",
"urls",
"domain",
"record value",
"date",
"body",
"users",
"intel",
"ms windows",
"pe32",
"number",
"pe32 executable",
"ascii text",
"crlf line",
"database",
"installer",
"template",
"trojan"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 202,
"hostname": 217,
"FileHash-SHA256": 852,
"FileHash-MD5": 238,
"FileHash-SHA1": 164,
"SSLCertFingerprint": 3,
"URL": 947,
"email": 3
},
"indicator_count": 2626,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "306 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl",
"monitor.kyos.ninja",
"*Andariel Backdoor Activity (Checkin)",
"login.ocn.ne.jp 122.28.88.229 \u2022 outpost@alpha.ocn.ne.jp",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy",
"www.opencandy.com",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
"TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://urlscan.io/result/98a3575f-9b94-4ef3-ae84-8e585f882151/#indicators",
"Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check",
"https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb",
"iphonegermany.com",
"http://help.aiseesoft.jp/total-video-converter",
"https://webmail.police.govmm.org/owa/",
"Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http",
"div>
",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp",
"Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com",
"monitoring.eurovision.net",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"Device targeted with l RMS Modules by male in Denver, Co",
"https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f",
"https://ww41.porn25.com/",
"http://212.33.237.86/images/1/report.php",
"Page Title: \u30ed\u30b0\u30a4\u30f3 | OCN\u30e1\u30fc\u30eb | OCN",
"Denver Police let this attempted murder walk. Cited him as a ghost driver",
"http://consolefoundry.date/one/gate.php",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"Updated | What\u2019s left after theft",
"Yara Detections : compromised_site_redirector_fromcharcode",
"asp.net domain pointer",
"IDS: WGET Command Specifying Output in HTTP Headers",
"x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"Multiple attackers. Don\u2019t believe me, look at the pulses. Caged in by male with deauther watch.",
"https://l.us-1.a.mimecastprotect.com/l",
"Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe",
"(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"Guardicore by CyberHunterAutoFeed \u2022 https://otx.alienvault.com/pulse/655d47fb128a006a7d06afa2",
"Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net",
"cdn.rss.applemarketingtools.com",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://207-207-25-201.fwd.datafoundry.com/",
"http://www.icloud-sms-alert.com/",
"https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html",
"https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net",
"http://firstmile.digitecgalaxus.ch",
"http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6",
"Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103",
"When you see silly related domains it\u2019s probably Palantir kids: fuckingshitshow.org Domain kinkfuck.com \u2022 nobodycares.art",
"Devices remotely connected, tracked , monitored",
"Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1",
"https://discussions.apple.com/thread/255214328?sortBy=rank",
"http://apple.support.com/ht***** redirect",
"Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0",
"https://rdweb.datafoundry.com/",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF",
"Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access",
"Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel",
"https://www.datafoundry.com/category/news/press-releases/",
"https://aspmx.l.google.com/",
"https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com",
"https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"Ronda Cordova",
"207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com",
"http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C",
"Malicious activity seen since a Pulse regarding school outage.",
"IDS: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"computersandsoftware \u2022 portal sites \u2022 search engines and portals",
"appleaustralia.com",
"Same legal , and quasi governmental pattern identified",
"If something curious is found on privatelybowen property we have a constitutional right to examine it.",
"Abused Domains Contacted: xred.mooo.com freedns.afraid.org",
"I bring up the personal nature of the crime because a delete service has been used",
"prometheus.dev.aws.finoa.io",
"This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents.",
"Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
"legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal",
"1.bing.com.cn",
"IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query",
"Melvin Sabey",
"http://help.aiseesoft.jp/fonelab/",
"Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command",
"http://foundry2sdbl.dvr.dn2.n-helix.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"https://action.aiseesoft.jp/itunes.php",
"https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8",
"Many indicators point to an IP this block is on.",
"(Found on targeted iOS device) mr-file-connector-193.api.auxosandbox.com",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"Prometheus- allegedly related to Peter Thiel , Elon Musk and tech bro Joes who are playing God.",
"http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com",
"The older the smarter the way better. These people are brilliant , ruthless and dangerous",
"Yara Detections: Nullsoft_NSIS ...",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"Malicious IP Contacted: 69.42.215.252",
"palantir-staging.staging.candidate.app.paulsjob.ai",
"Denver Police Department Major Crimes closed investigation",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"https://twitter.com/PORNO_SEXYBABES",
"podcasts.apple.com \u2022 23.34.32.21",
"https://hybrid-analysis.com/sample/6af451b8e64c3f8abafc84e776fe6c257888e0875b2d22c75b23b13960f46567/69580966ed3458719b0f0ed5",
"http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"smtp2.icl-privaterelay.appleid.com",
"http://www.forensickb.com/2013/03/file-entropy-explained.html",
"iOS device, Update 26.2 , heavily monitored target of death threats, attempts & unfortunate outcome..",
"*Themida_2xx. Oreans,Technologies",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com",
"Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad",
"https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com",
"Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215",
"Nippon Telegraph and Telephone Corporation one governmental now privated",
"Most of the people doing this are 50\u2019s plus, plus. There are youngsters but many grey haired , grandparents",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://www.turbo.net/run/videolan/vlc",
"Interesting (found in pulse) https://www.studentfinancewales.co.uk/contact",
"It\u2019s so out of hand,m for 16 people.",
"Crowdsourced Signa: Schedule system process by Joe Security",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"http://freedns.afraid.org/images/apple.gif",
"http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"Mark Brian Sabey",
"The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/",
"https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/",
"https://www.mumuplayer.com/redirect/customerservice/_wig",
"oas-japac-domains-applecomputer.cn",
"Overview \"Keeping money\" by the Colorado workers' compensation system can refer to",
"Unknown Persons impersonating Private Investigators (plural)",
"IDS : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI",
"Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer",
"https://www.milehighmedia.com/legal/2257",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
"Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep",
"Prometheus - Alien God? Morality through the eyes of the immoral",
"http://palantirwww.sweetheartvideo.com/ (weirdness)",
"ec2-57-181-50-85.ap-northeast-1.compute.amazonaws.com",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com",
"Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs",
"Requires further research.",
"https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85",
"prometheus.netmaker.vonnue.dev",
"https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE",
"Tulach.cc",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io",
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx",
"http://help.aiseesoft.jp/blu-ray-player",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"www.phantomcameras.cn",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo",
"https://www.datafoundry.com/data-center-contamination-control/",
"All IoC\u2019s originate from sources named. There are some unknown attackers",
"Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited",
"https://otx.alienvault.com/indicator/url/https://t.notif-laposte.info/TrackActions/NGJlYjE5NjZhZDlkODU0NzE3Yzg3Zjk3ODJkMmMxZWRjMTlkODAxZmEyMjY5YjU5YjY1MGU1OWFmZTdhMDlhMmM2YjY3ZTBiYzYwNWUwODdmMzkzZDc5ZjAwNDViODM1OGU5MTA0M2IzMjRmOGQwNTgxZGZjMmUyODFlZDI3MDYzZTQzNzg4NGVkMWJmMDgwMzM0NTA5OGRmY2M0NTVjZA",
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"Alerts: packer_unknown",
"Delete service is being used on this Threat service",
"apple.com(-inc.cc)",
"IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org",
"This is a serious crime. I\u2019m certain God WILL pay them.",
"robert-aebi.appleid.com",
"swarm-foundry.com",
"http://remote.edikamin.com/",
"https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022",
"Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert",
"Sexual and Physical Assaulter - Jeffrey Scott Reimer",
"https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/",
"http://watchhers.net/index.php",
"Cart.Guru",
"It appears there are 5-7 known affected that I was able to find",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth",
"www.apple.com \u2022 23.34.32.199",
"http://test-firstmile.digitecgalaxus.ch",
"https://podcasts.apple.com/us/podcast/lazarus",
"Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"Target was monitored in store and followed home needed to stop multiple times , change routes.",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl",
"https://shift.gearboxsoftware.com/link",
"simswap.in (possible Mirai or relationship to)",
"kalpak.palantirfedstart.com \u2022 lsauth-vault.palantirfedstart.com \u2022 sandboxes-ranunculus.palantirfedstart.com",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com",
"http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios",
"Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354",
"counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before .",
"https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl",
"ec2-3-115-135-167.ap-northeast-1.compute.amazonaws.com",
"You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
"Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
"Other constitutional rights and privileges written in law where severe courses of action is allowed",
"aotx.alienvault.com (aotx.?)",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"https://icloud.ch/cn/ipod-touch/",
"http://deposito.hostance.net/dialer/",
"https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx",
"pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com",
"Attempts to clip target at high rate of speed.Seen again at her residence in October",
"Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"Reimer was a PT. Unknown whereabouts , name or job description",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"http://audaxgroup.appleid.com/",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/",
"Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security",
"Alert: dead_host nids_malware_alert network_icmp nolookup_communication",
"https://prometheus-pushgateway-internal.preview.tp-staging.com/",
"Japanese Phishing Site by pingineer \u2022 https://otx.alienvault.com/pulse/61d3b380c44ee030dd092a80",
"pornhub.com\t \u2022 www.pornhub.com",
"Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"Phone recently accessed, a tiny unauthorized speaker was on. Threat actors connected.",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound",
"Quasi Government Case",
"https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"I apologize for the lack of reference.",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf",
"Victim silenced. Struck by Car Driven by male police let walk",
"Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http",
"HTTP traffic on port 443 (POST)",
"bpc-old.palantirfoundry.com",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net",
"apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
"ocn.ad.jp - Registrant Org: NTT Communications Corporation",
"Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx",
"everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX",
"http://help.aiseesoft.jp/total-video-converter/",
"More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed",
"Yara \u2022 NSIS from ruleset NSIS by kevoreilly",
"Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat",
"207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com",
"http://foundry2-lbl.dvr.dn2.n-helix.com/",
"developer.x.com",
"They blatantly steal from citizens , blame foreign entities.",
"209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com",
"https://tulach.cc/",
"Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below",
"Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading",
"MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer",
"Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora",
"mac.store",
"heavy-r.com \u2022 fartyphant.com \u2022 uglyphant.com \u2022 maciej.sztajerwald@gmail.com",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn",
"Redirect: schemas.microsoft.com",
"Christopher P \u2018Buzz\u2019 Ahmann",
"server-3-164-143-102.nrt20.r.cloudfront.net",
"OTX auto populated targeted groups.",
"ocn.ne.jp \u2022 180.4.1.2 \u2022 gateway1.ocn.ad.jp",
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Delphi",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"Location search was used to find device users address. It\u2019s with me.",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"https://176.113.115.136/ohhiiiii/",
"https://www.mumuplayer.com/redirect/customerservice/fB)y",
"Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns",
"IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com",
"https://icloud.ch/",
"Emotet IDS Detections: Win32/Emotet CnC Checkin Response",
"Some may may find this content is very disturbing and offensive"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"Palantir Pegasus",
"Lazarus",
"Colorado Quasi Government | Workerk Compensation"
],
"malware_families": [
"Unix.trojan.mirai-6981169-0",
"Warzonerat - s0670",
"Emotet",
"Virtool:win32/obfuscator.ahu",
"Trojan:win32/smkldr.h!mtb",
"Cve-2023-22518",
"Virtool:win32/injector.gen!bq",
"Win.trojan.barys-10005825-0",
"Win32:malware",
"Cve-2023-4966",
"Banload",
"Pegasus",
"Win.trojan.starter-171",
"Trojan:win32/diamin.f",
"Win.trojan.blacknetrat-7838854-0",
"Worm:win32/mofksys.rnd!mtb",
"Cve-2022-26134",
"Win.dropper.qqpass-7194329-0",
"Win32:evo-gen\\ [susp]",
"Win.trojan.agent",
"Win32:malob-bx\\ [cryp]",
"Trojan:win32/qqpass",
"Win.trojan.adinstall-2",
"Trojan:msil/agenttesla.dw!mtb",
"Elf:ddos-y\\ [trj]",
"Rxr",
"Trojan:win32/bagsu!rfn",
"Tons of malware",
"#lowfienabledtcontinueafterunpacking",
"Icedid",
"Worm:win32/autorun",
"Backdoor:win32/berbew.aa!mtb",
"Apnic",
"Win32:evo-gen",
"Pegasus - mob-s0005",
"Win.dropper.nanocore-10021490-0",
"Alf:spikeaexr.pevpszl",
"!#addscopy-tostartup",
"Alf:heraklezeval:pua:win32/keygen",
"Mydoom",
"Win.trojan.emotet-7545664-0",
"Alf:trojan:msil/blackfus.c",
"Porn revenge",
"Shellcode",
"Alf:heraklezeval:trojan:msil/gravityrat!rfn",
"#lowfi:lua:dllsuspiciousexport.a",
"Vb flash",
"Win32:backdoor",
"Gravityrat",
"Norwell",
"Trojandropper:win32/hupigon.gen!a",
"Atros.upk",
"Exploit:linux/cve-2017-17215",
"Ransom:win32/gandcrab.h!mtb",
"Zeus",
"Win.packed.razy-6847895-0",
"Muldrop",
"Luhe.fiha.a",
"Win.ransomware.msilzilla-10014498-0",
"Code overlap",
"Pony",
"Berbew",
"Win.trojan.emotet-9850453",
"Dorv",
"Trojandownloader:win32/cutwail",
"Trojanproxy:win32/ceutv.a",
"Ransom:win32/cve-2017-0147",
"Psw.generic13",
"Win.malware.elenooka-6996044-0",
"Pws:win32/zbot.ms!mtb",
"Win.packer.pkr_ce1a-9980177-0",
"Dialer",
"Trojandownloader:win32/banload.d",
"Trojanspy",
"Win.trojan.generic-9878032-0",
"Trojan:win32/startpage.aea",
"#lowfi:win32/sandboxproductid",
"Trojan:win32/icedid.di!mtb",
"Upatre",
"Win.exploit.rozena-10038302-0",
"Win.malware.pits-10035540-0",
"Win.packed.remcos-10024510-0",
"Win.malware.ursu-9856871-0",
"Win.trojan.nanocore-5",
"Other malware",
"Win32:agent",
"Backdoor:win32/plugx.n!",
"Virtool:win32/autinject.cz!bit",
"Trojandropper:win32/vb.il",
"Win32:cabmod\\ [drp]",
"Psw:win32/vb.cu",
"Zombie",
"Win32:rootkit",
"Pua.optimizerpro/pcoptimizerpro",
"Win.trojan.agent-316098",
"Nemucod",
"Worm:win32/autorun!atmn",
"Worm:win32/bloored",
"Virtool:win32/obfuscator",
"Trojan:win32/zombie",
"Ransom:msil/gandcrab",
"Tofsee"
],
"industries": [
"Healthcare",
"Technology",
"Crypto",
"Entertainment",
"Legal",
"Banks",
"Telecommunications",
"Bank",
"Telecom",
"Media"
],
"unique_indicators": 215735
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/mimecastprotect.com",
"whois": "http://whois.domaintools.com/mimecastprotect.com",
"domain": "mimecastprotect.com",
"hostname": "l.us-1.a.mimecastprotect.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 32,
"pulses": [
{
"id": "6a132a7a71682c83e9c17835",
"name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox",
"description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa",
"modified": "2026-05-26T06:44:42.987000",
"created": "2026-05-24T16:42:34.355000",
"tags": [
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"csv text",
"altitude",
"south shore",
"uas imagery",
"massachusetts",
"marshfield",
"scituate",
"hingham",
"norwell",
"hanover",
"pembroke",
"epub document",
"structure ebook",
"zip document",
"epub",
"nigel poulton",
"docker deep",
"nielson book",
"docker",
"single book",
"anna",
"dive",
"dive zero",
"deep dive",
"zero",
"script",
"ieedge",
"squarespace",
"drones",
"title",
"secchuamodel",
"link",
"static",
"supporte",
"marshfield ldap",
"marshfield ssl",
"certificate",
"common name",
"issued",
"charter",
"llc united",
"statesunited",
"new london",
"diesel",
"comcast ip",
"derry village",
"ssl certificate",
"encrypt",
"comcast cable",
"communications",
"boston",
"key identifier",
"x509v3 subject",
"full name",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"ca1 validity",
"cus stnew",
"range",
"cidr",
"network name",
"type",
"status",
"whois server",
"entity squar30",
"handle",
"net198",
"net1980000",
"squar30",
"varick st",
"city",
"new york",
"stateprov",
"postalcode",
"orgtechhandle",
"orgtechref",
"orgabusehandle",
"orgabuseref",
"orgnochandle",
"orgnocref",
"p version",
"address range",
"span",
"google public",
"form",
"doctype html",
"google",
"public dns",
"head",
"public",
"footer",
"body",
"file type",
"ascii text",
"python script",
"python",
"writes shell",
"unicode text",
"utf8 text",
"ascii",
"writes",
"sample",
"persistence",
"defense evasion",
"info",
"next",
"performs dns",
"united",
"urls",
"found",
"https",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"layer protocol",
"phishing",
"headers age",
"homenet",
"et info",
"file hosting",
"service domain",
"domain",
"dns lookup",
"clientendpoint",
"perimeter",
"high",
"informational",
"domain related",
"as54113",
"top source",
"top destination",
"source source",
"status domain",
"tcp include",
"udp include",
"country united",
"unique",
"ja3 clients",
"destination ip",
"dest port",
"ja3 ja3",
"digest",
"cache",
"california",
"san francisco",
"fastly",
"globalsign",
"title pypi",
"package",
"a domains",
"accept",
"showing",
"entries",
"previous",
"domains show",
"search",
"amazon ec2",
"orgnocemail",
"net75",
"net750000",
"amazon web",
"services",
"ip routing",
"nethandle",
"amazo4",
"aws rpki",
"historical ssl",
"certificates",
"first",
"thumbprint",
"graph summary",
"algorithm",
"number",
"issuer",
"cus cnlet",
"x3 olet",
"subject public",
"key info",
"key algorithm",
"pdf document",
"adobe portable",
"document format",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"sha1",
"acrongl integ",
"adc4240758",
"shutdown",
"sqlite version",
"sqlite rollback",
"utf8",
"json",
"creates",
"journal",
"malicious",
"resolutions",
"date",
"detection",
"hostmaster",
"amazon legal",
"dept",
"amazon",
"code",
"email",
"icann whois",
"nv admin",
"phone",
"stateprovince",
"tech",
"gatsby",
"golf",
"hrhrhr"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf",
"https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx",
"https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Norwell",
"display_name": "Norwell",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1765,
"URL": 1325,
"hostname": 1489,
"FileHash-MD5": 224,
"FileHash-SHA1": 268,
"IPv4": 152,
"domain": 1177,
"CIDR": 4,
"email": 11,
"IPv6": 1,
"URI": 3,
"CVE": 2,
"SSLCertFingerprint": 2,
"Mutex": 2
},
"indicator_count": 6425,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "7 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6a132a7a34bcc860b0e44ffc",
"name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox",
"description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa",
"modified": "2026-05-24T16:42:34.350000",
"created": "2026-05-24T16:42:34.350000",
"tags": [
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"csv text",
"altitude",
"south shore",
"uas imagery",
"massachusetts",
"marshfield",
"scituate",
"hingham",
"norwell",
"hanover",
"pembroke",
"epub document",
"structure ebook",
"zip document",
"epub",
"nigel poulton",
"docker deep",
"nielson book",
"docker",
"single book",
"anna",
"dive",
"dive zero",
"deep dive",
"zero",
"script",
"ieedge",
"squarespace",
"drones",
"title",
"secchuamodel",
"link",
"static",
"supporte",
"marshfield ldap",
"marshfield ssl",
"certificate",
"common name",
"issued",
"charter",
"llc united",
"statesunited",
"new london",
"diesel",
"comcast ip",
"derry village",
"ssl certificate",
"encrypt",
"comcast cable",
"communications",
"boston",
"key identifier",
"x509v3 subject",
"full name",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"ca1 validity",
"cus stnew",
"range",
"cidr",
"network name",
"type",
"status",
"whois server",
"entity squar30",
"handle",
"net198",
"net1980000",
"squar30",
"varick st",
"city",
"new york",
"stateprov",
"postalcode",
"orgtechhandle",
"orgtechref",
"orgabusehandle",
"orgabuseref",
"orgnochandle",
"orgnocref",
"p version",
"address range",
"span",
"google public",
"form",
"doctype html",
"google",
"public dns",
"head",
"public",
"footer",
"body",
"file type",
"ascii text",
"python script",
"python",
"writes shell",
"unicode text",
"utf8 text",
"ascii",
"writes",
"sample",
"persistence",
"defense evasion",
"info",
"next",
"performs dns",
"united",
"urls",
"found",
"https",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"layer protocol",
"phishing",
"headers age",
"homenet",
"et info",
"file hosting",
"service domain",
"domain",
"dns lookup",
"clientendpoint",
"perimeter",
"high",
"informational",
"domain related",
"as54113",
"top source",
"top destination",
"source source",
"status domain",
"tcp include",
"udp include",
"country united",
"unique",
"ja3 clients",
"destination ip",
"dest port",
"ja3 ja3",
"digest",
"cache",
"california",
"san francisco",
"fastly",
"globalsign",
"title pypi",
"package",
"a domains",
"accept",
"showing",
"entries",
"previous",
"domains show",
"search",
"amazon ec2",
"orgnocemail",
"net75",
"net750000",
"amazon web",
"services",
"ip routing",
"nethandle",
"amazo4",
"aws rpki",
"historical ssl",
"certificates",
"first",
"thumbprint",
"graph summary",
"algorithm",
"number",
"issuer",
"cus cnlet",
"x3 olet",
"subject public",
"key info",
"key algorithm",
"pdf document",
"adobe portable",
"document format",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"sha1",
"acrongl integ",
"adc4240758",
"shutdown",
"sqlite version",
"sqlite rollback",
"utf8",
"json",
"creates",
"journal",
"malicious",
"resolutions",
"date",
"detection",
"hostmaster",
"amazon legal",
"dept",
"amazon",
"code",
"email",
"icann whois",
"nv admin",
"phone",
"stateprovince",
"tech",
"gatsby",
"golf",
"hrhrhr"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf",
"https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx",
"https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Norwell",
"display_name": "Norwell",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1686,
"URL": 1309,
"hostname": 1474,
"FileHash-MD5": 166,
"FileHash-SHA1": 204,
"IPv4": 152,
"domain": 1177,
"CIDR": 3,
"email": 11,
"IPv6": 1,
"URI": 1,
"CVE": 1,
"SSLCertFingerprint": 2,
"Mutex": 2
},
"indicator_count": 6189,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6a132a7762cac9a1007d9ece",
"name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox",
"description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa",
"modified": "2026-05-24T16:42:31.294000",
"created": "2026-05-24T16:42:31.294000",
"tags": [
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"csv text",
"altitude",
"south shore",
"uas imagery",
"massachusetts",
"marshfield",
"scituate",
"hingham",
"norwell",
"hanover",
"pembroke",
"epub document",
"structure ebook",
"zip document",
"epub",
"nigel poulton",
"docker deep",
"nielson book",
"docker",
"single book",
"anna",
"dive",
"dive zero",
"deep dive",
"zero",
"script",
"ieedge",
"squarespace",
"drones",
"title",
"secchuamodel",
"link",
"static",
"supporte",
"marshfield ldap",
"marshfield ssl",
"certificate",
"common name",
"issued",
"charter",
"llc united",
"statesunited",
"new london",
"diesel",
"comcast ip",
"derry village",
"ssl certificate",
"encrypt",
"comcast cable",
"communications",
"boston",
"key identifier",
"x509v3 subject",
"full name",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"ca1 validity",
"cus stnew",
"range",
"cidr",
"network name",
"type",
"status",
"whois server",
"entity squar30",
"handle",
"net198",
"net1980000",
"squar30",
"varick st",
"city",
"new york",
"stateprov",
"postalcode",
"orgtechhandle",
"orgtechref",
"orgabusehandle",
"orgabuseref",
"orgnochandle",
"orgnocref",
"p version",
"address range",
"span",
"google public",
"form",
"doctype html",
"google",
"public dns",
"head",
"public",
"footer",
"body",
"file type",
"ascii text",
"python script",
"python",
"writes shell",
"unicode text",
"utf8 text",
"ascii",
"writes",
"sample",
"persistence",
"defense evasion",
"info",
"next",
"performs dns",
"united",
"urls",
"found",
"https",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"layer protocol",
"phishing",
"headers age",
"homenet",
"et info",
"file hosting",
"service domain",
"domain",
"dns lookup",
"clientendpoint",
"perimeter",
"high",
"informational",
"domain related",
"as54113",
"top source",
"top destination",
"source source",
"status domain",
"tcp include",
"udp include",
"country united",
"unique",
"ja3 clients",
"destination ip",
"dest port",
"ja3 ja3",
"digest",
"cache",
"california",
"san francisco",
"fastly",
"globalsign",
"title pypi",
"package",
"a domains",
"accept",
"showing",
"entries",
"previous",
"domains show",
"search",
"amazon ec2",
"orgnocemail",
"net75",
"net750000",
"amazon web",
"services",
"ip routing",
"nethandle",
"amazo4",
"aws rpki",
"historical ssl",
"certificates",
"first",
"thumbprint",
"graph summary",
"algorithm",
"number",
"issuer",
"cus cnlet",
"x3 olet",
"subject public",
"key info",
"key algorithm",
"pdf document",
"adobe portable",
"document format",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"sha1",
"acrongl integ",
"adc4240758",
"shutdown",
"sqlite version",
"sqlite rollback",
"utf8",
"json",
"creates",
"journal",
"malicious",
"resolutions",
"date",
"detection",
"hostmaster",
"amazon legal",
"dept",
"amazon",
"code",
"email",
"icann whois",
"nv admin",
"phone",
"stateprovince",
"tech",
"gatsby",
"golf",
"hrhrhr"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf",
"https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx",
"https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Norwell",
"display_name": "Norwell",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1686,
"URL": 1309,
"hostname": 1474,
"FileHash-MD5": 166,
"FileHash-SHA1": 204,
"IPv4": 152,
"domain": 1177,
"CIDR": 3,
"email": 11,
"IPv6": 1,
"URI": 1,
"CVE": 1,
"SSLCertFingerprint": 2,
"Mutex": 2
},
"indicator_count": 6189,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6a132a66fa217054f3e57883",
"name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox",
"description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa",
"modified": "2026-05-24T16:42:14.218000",
"created": "2026-05-24T16:42:14.218000",
"tags": [
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"csv text",
"altitude",
"south shore",
"uas imagery",
"massachusetts",
"marshfield",
"scituate",
"hingham",
"norwell",
"hanover",
"pembroke",
"epub document",
"structure ebook",
"zip document",
"epub",
"nigel poulton",
"docker deep",
"nielson book",
"docker",
"single book",
"anna",
"dive",
"dive zero",
"deep dive",
"zero",
"script",
"ieedge",
"squarespace",
"drones",
"title",
"secchuamodel",
"link",
"static",
"supporte",
"marshfield ldap",
"marshfield ssl",
"certificate",
"common name",
"issued",
"charter",
"llc united",
"statesunited",
"new london",
"diesel",
"comcast ip",
"derry village",
"ssl certificate",
"encrypt",
"comcast cable",
"communications",
"boston",
"key identifier",
"x509v3 subject",
"full name",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"ca1 validity",
"cus stnew",
"range",
"cidr",
"network name",
"type",
"status",
"whois server",
"entity squar30",
"handle",
"net198",
"net1980000",
"squar30",
"varick st",
"city",
"new york",
"stateprov",
"postalcode",
"orgtechhandle",
"orgtechref",
"orgabusehandle",
"orgabuseref",
"orgnochandle",
"orgnocref",
"p version",
"address range",
"span",
"google public",
"form",
"doctype html",
"google",
"public dns",
"head",
"public",
"footer",
"body",
"file type",
"ascii text",
"python script",
"python",
"writes shell",
"unicode text",
"utf8 text",
"ascii",
"writes",
"sample",
"persistence",
"defense evasion",
"info",
"next",
"performs dns",
"united",
"urls",
"found",
"https",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"layer protocol",
"phishing",
"headers age",
"homenet",
"et info",
"file hosting",
"service domain",
"domain",
"dns lookup",
"clientendpoint",
"perimeter",
"high",
"informational",
"domain related",
"as54113",
"top source",
"top destination",
"source source",
"status domain",
"tcp include",
"udp include",
"country united",
"unique",
"ja3 clients",
"destination ip",
"dest port",
"ja3 ja3",
"digest",
"cache",
"california",
"san francisco",
"fastly",
"globalsign",
"title pypi",
"package",
"a domains",
"accept",
"showing",
"entries",
"previous",
"domains show",
"search",
"amazon ec2",
"orgnocemail",
"net75",
"net750000",
"amazon web",
"services",
"ip routing",
"nethandle",
"amazo4",
"aws rpki",
"historical ssl",
"certificates",
"first",
"thumbprint",
"graph summary",
"algorithm",
"number",
"issuer",
"cus cnlet",
"x3 olet",
"subject public",
"key info",
"key algorithm",
"pdf document",
"adobe portable",
"document format",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"sha1",
"acrongl integ",
"adc4240758",
"shutdown",
"sqlite version",
"sqlite rollback",
"utf8",
"json",
"creates",
"journal",
"malicious",
"resolutions",
"date",
"detection",
"hostmaster",
"amazon legal",
"dept",
"amazon",
"code",
"email",
"icann whois",
"nv admin",
"phone",
"stateprovince",
"tech",
"gatsby",
"golf",
"hrhrhr"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf",
"https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx",
"https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Norwell",
"display_name": "Norwell",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1686,
"URL": 1309,
"hostname": 1474,
"FileHash-MD5": 166,
"FileHash-SHA1": 204,
"IPv4": 152,
"domain": 1177,
"CIDR": 3,
"email": 11,
"IPv6": 1,
"URI": 1,
"CVE": 1,
"SSLCertFingerprint": 2,
"Mutex": 2
},
"indicator_count": 6189,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6a132a577896901b2c0b993b",
"name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox",
"description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa",
"modified": "2026-05-24T16:41:59.005000",
"created": "2026-05-24T16:41:59.005000",
"tags": [
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"csv text",
"altitude",
"south shore",
"uas imagery",
"massachusetts",
"marshfield",
"scituate",
"hingham",
"norwell",
"hanover",
"pembroke",
"epub document",
"structure ebook",
"zip document",
"epub",
"nigel poulton",
"docker deep",
"nielson book",
"docker",
"single book",
"anna",
"dive",
"dive zero",
"deep dive",
"zero",
"script",
"ieedge",
"squarespace",
"drones",
"title",
"secchuamodel",
"link",
"static",
"supporte",
"marshfield ldap",
"marshfield ssl",
"certificate",
"common name",
"issued",
"charter",
"llc united",
"statesunited",
"new london",
"diesel",
"comcast ip",
"derry village",
"ssl certificate",
"encrypt",
"comcast cable",
"communications",
"boston",
"key identifier",
"x509v3 subject",
"full name",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"ca1 validity",
"cus stnew",
"range",
"cidr",
"network name",
"type",
"status",
"whois server",
"entity squar30",
"handle",
"net198",
"net1980000",
"squar30",
"varick st",
"city",
"new york",
"stateprov",
"postalcode",
"orgtechhandle",
"orgtechref",
"orgabusehandle",
"orgabuseref",
"orgnochandle",
"orgnocref",
"p version",
"address range",
"span",
"google public",
"form",
"doctype html",
"google",
"public dns",
"head",
"public",
"footer",
"body",
"file type",
"ascii text",
"python script",
"python",
"writes shell",
"unicode text",
"utf8 text",
"ascii",
"writes",
"sample",
"persistence",
"defense evasion",
"info",
"next",
"performs dns",
"united",
"urls",
"found",
"https",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"layer protocol",
"phishing",
"headers age",
"homenet",
"et info",
"file hosting",
"service domain",
"domain",
"dns lookup",
"clientendpoint",
"perimeter",
"high",
"informational",
"domain related",
"as54113",
"top source",
"top destination",
"source source",
"status domain",
"tcp include",
"udp include",
"country united",
"unique",
"ja3 clients",
"destination ip",
"dest port",
"ja3 ja3",
"digest",
"cache",
"california",
"san francisco",
"fastly",
"globalsign",
"title pypi",
"package",
"a domains",
"accept",
"showing",
"entries",
"previous",
"domains show",
"search",
"amazon ec2",
"orgnocemail",
"net75",
"net750000",
"amazon web",
"services",
"ip routing",
"nethandle",
"amazo4",
"aws rpki",
"historical ssl",
"certificates",
"first",
"thumbprint",
"graph summary",
"algorithm",
"number",
"issuer",
"cus cnlet",
"x3 olet",
"subject public",
"key info",
"key algorithm",
"pdf document",
"adobe portable",
"document format",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"sha1",
"acrongl integ",
"adc4240758",
"shutdown",
"sqlite version",
"sqlite rollback",
"utf8",
"json",
"creates",
"journal",
"malicious",
"resolutions",
"date",
"detection",
"hostmaster",
"amazon legal",
"dept",
"amazon",
"code",
"email",
"icann whois",
"nv admin",
"phone",
"stateprovince",
"tech",
"gatsby",
"golf",
"hrhrhr"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf",
"https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx",
"https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX",
"https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp",
"https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Norwell",
"display_name": "Norwell",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1686,
"URL": 1309,
"hostname": 1474,
"FileHash-MD5": 166,
"FileHash-SHA1": 204,
"IPv4": 152,
"domain": 1177,
"CIDR": 3,
"email": 11,
"IPv6": 1,
"URI": 1,
"CVE": 1,
"SSLCertFingerprint": 2,
"Mutex": 2
},
"indicator_count": 6189,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69ddeb45c45f6a3cd721397d",
"name": "Active attacks \u2022 Apple \u2022 Tulach",
"description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious",
"modified": "2026-05-14T06:03:18.470000",
"created": "2026-04-14T07:22:45.250000",
"tags": [
"url http",
"ipv4",
"indicator role",
"active related",
"united",
"moved",
"gmt content",
"certificate",
"all domain",
"msie",
"chrome",
"extraction",
"data upload",
"twitter",
"cookie",
"extra",
"include data",
"review locs",
"exclude",
"suggested os",
"onlv",
"failed",
"stop data",
"read c",
"unicode",
"rgba",
"memcommit",
"delete",
"dock",
"write",
"execution",
"sc type",
"extri",
"include review",
"exclude sugges",
"typ data",
"a domains",
"present apr",
"script urls",
"files",
"files ip",
"address",
"ios",
"mac",
"apple",
"appleid",
"itunes",
"next associated",
"all ipv4",
"included ic",
"uny teade",
"type hostnar",
"hostnar hostnar",
"hostnar",
"macair",
"macairaustralia",
"ipad",
"ipod",
"cryptexportkey",
"invalid pointer",
"cryptgenkey",
"stream",
"defender",
"delphi",
"class",
"stack",
"format",
"unknown",
"united states",
"phishing",
"password",
"traffic redirected",
"service mod",
"service execution",
"youtube",
"music",
"streams",
"songs",
"played songs",
"music streams",
"most played",
"fonelab",
"indicator",
"included iocs",
"manually add",
"review ocs",
"exclude inn",
"sugges data",
"find",
"include",
"url https",
"enter sc",
"type",
"no matchme",
"search otx",
"https",
"references x",
"analyze",
"open th",
"url data",
"se http",
"no match",
"excluded iocs",
"iocs",
"ip whitelisted",
"whitelisted",
"tcp include",
"analysis date",
"file score",
"medium risk",
"yara detections",
"contacted",
"related tags",
"x vercel",
"file type",
"type indicator",
"role title",
"related pulses",
"mulch virtua",
"library loade",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugt",
"samuel tulach",
"unity engine",
"tulach",
"sa awareness",
"sabey",
"sar cut",
"autofill",
"includer review",
"portiana oney",
"targeting",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"musickit_1_.js",
"lazarus",
"injection",
"CVE-2017-8570",
"prefetch2",
"target",
"aaaa",
"ip address",
"record value",
"emails",
"samuel tuachs",
"sapev",
"review exclude",
"monitored target",
"script",
"mitre att",
"ascii text",
"span",
"path",
"iframe",
"april",
"hybrid",
"general",
"local",
"click",
"strings",
"body",
"development att",
"t1055.012 list planting",
"active"
],
"references": [
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"https://podcasts.apple.com/us/podcast/lazarus",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://help.aiseesoft.jp/blu-ray-player",
"http://help.aiseesoft.jp/fonelab/",
"https://action.aiseesoft.jp/itunes.php",
"http://help.aiseesoft.jp/total-video-converter",
"http://help.aiseesoft.jp/total-video-converter/",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"http://test-firstmile.digitecgalaxus.ch",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"cdn.rss.applemarketingtools.com",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"1.bing.com.cn",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"www.phantomcameras.cn",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"podcasts.apple.com \u2022 23.34.32.21",
"www.apple.com \u2022 23.34.32.199",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"http://firstmile.digitecgalaxus.ch",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"Tulach.cc",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"asp.net domain pointer",
"developer.x.com",
"aotx.alienvault.com (aotx.?)",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1020.001",
"name": "Traffic Duplication",
"display_name": "T1020.001 - Traffic Duplication"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591.002",
"name": "Business Relationships",
"display_name": "T1591.002 - Business Relationships"
},
{
"id": "T1591.001",
"name": "Determine Physical Locations",
"display_name": "T1591.001 - Determine Physical Locations"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1029,
"domain": 396,
"email": 7,
"URL": 2784,
"FileHash-SHA256": 898,
"FileHash-MD5": 79,
"FileHash-SHA1": 68,
"CVE": 1,
"SSLCertFingerprint": 13
},
"indicator_count": 5275,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "19 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf261cc4e399447d78776c",
"name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |",
"description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com",
"modified": "2026-04-20T21:01:07.869000",
"created": "2026-03-21T23:13:32.760000",
"tags": [
"sc data",
"data upload",
"please sub",
"include data",
"extraction",
"failed",
"sc pulse",
"idron anv",
"extr please",
"include review",
"exclude sugges",
"stop show",
"typ domain",
"united",
"virtool",
"name servers",
"cryp",
"emails",
"win32",
"ip address",
"worm",
"trojan",
"learn",
"suspicious",
"informative",
"ck id",
"name tactics",
"command",
"adversaries",
"spawns",
"ssl certificate",
"initial access",
"link initial",
"prefetch8",
"mitre att",
"ck matrix",
"flag",
"windows nt",
"win64",
"accept",
"encrypt",
"form",
"hybrid",
"bypass",
"general",
"path",
"iframe",
"click",
"strings",
"anchor https",
"anchor",
"liberal",
"sabey",
"liberal friends",
"meta",
"html internet",
"html document",
"unicode text",
"utf8 text",
"info initial",
"access ta0001",
"compromise",
"t1189 network",
"communication",
"get http",
"artifacts v",
"full reports",
"v get",
"help dns",
"resolutions",
"ip traffic",
"extr data",
"enter sc",
"extra data",
"referen",
"broth",
"passive dns",
"urls",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"none google",
"safe browsing",
"inquest labs",
"lucas acha",
"code integrity",
"checks creation",
"otx logo",
"all hostname",
"files",
"domain",
"protect",
"date",
"title",
"exchange",
"se http",
"present jan",
"present feb",
"present dec",
"backdoor",
"certificate",
"all domain",
"alibaba cloud",
"hichina",
"porkbun llc",
"cloudflare",
"namecheap inc",
"namecheap",
"domains",
"dynadot llc",
"ascio",
"denmark",
"url https",
"filehashsha256",
"url http",
"dopple ai",
"snit",
"iocs",
"otx description",
"information",
"report spam",
"delete service",
"poem",
"hunter",
"malicious",
"porn revenge",
"brian sabeys",
"all report",
"spam delete",
"rl http",
"https",
"expiration http",
"spam brian",
"swipper",
"type indicator",
"role title",
"added active",
"related pulses",
"filehashmd5",
"filehashsha1",
"sha256",
"scan",
"learn more",
"indicators show",
"tbmvid",
"sourcelnms",
"zx1724209326040",
"xxx videos",
"xxxvideohd",
"adversary",
"packing",
"palantir.com",
"discovery",
"victim won case",
"doin it",
"palantirian abuse",
"apple",
"sabey data centers",
"insurance",
"quasi government",
"the brother sabey",
"reimer",
"law enforcement",
"vessel state",
"sabey porn",
"hall evans",
"christopher ahmann",
"defamation",
"google"
],
"references": [
"The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/",
"http://watchhers.net/index.php",
"http://212.33.237.86/images/1/report.php",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://webmail.police.govmm.org/owa/",
"https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl",
"https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215",
"Mark Brian Sabey",
"Melvin Sabey",
"Christopher P \u2018Buzz\u2019 Ahmann",
"Ronda Cordova",
"Unknown Persons impersonating Private Investigators (plural)",
"Quasi Government Case",
"Victim silenced. Struck by Car Driven by male police let walk",
"Denver Police let this attempted murder walk. Cited him as a ghost driver",
"Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora",
"Sexual and Physical Assaulter - Jeffrey Scott Reimer",
"Reimer was a PT. Unknown whereabouts , name or job description",
"Denver Police Department Major Crimes closed investigation",
"Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim",
"I bring up the personal nature of the crime because a delete service has been used",
"More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed",
"All IoC\u2019s originate from sources named. There are some unknown attackers",
"This is a serious crime. I\u2019m certain God WILL pay them.",
"https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com",
"http://palantirwww.sweetheartvideo.com/ (weirdness)",
"http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://207-207-25-201.fwd.datafoundry.com/",
"http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd",
"http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2sdbl.dvr.dn2.n-helix.com/",
"Updated | What\u2019s left after theft",
"207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com",
"207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com",
"https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse",
"https://www.datafoundry.com/category/news/press-releases/",
"207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com",
"209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com",
"www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com",
"http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com",
"http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/",
"https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022",
"https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/",
"https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com",
"Some may may find this content is very disturbing and offensive"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Porn Revenge",
"display_name": "Porn Revenge",
"target": null
},
{
"id": "Tons of Malware",
"display_name": "Tons of Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1132.001",
"name": "Standard Encoding",
"display_name": "T1132.001 - Standard Encoding"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1495",
"name": "Firmware Corruption",
"display_name": "T1495 - Firmware Corruption"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1586.001",
"name": "Social Media Accounts",
"display_name": "T1586.001 - Social Media Accounts"
},
{
"id": "T1593.001",
"name": "Social Media",
"display_name": "T1593.001 - Social Media"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6034,
"domain": 1422,
"FileHash-MD5": 274,
"FileHash-SHA1": 252,
"FileHash-SHA256": 3378,
"email": 11,
"hostname": 2753,
"CVE": 1,
"SSLCertFingerprint": 9
},
"indicator_count": 14134,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "42 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "69 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "69 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf27fc6d31ed143807e1db",
"name": "Apple abuse by law firm - remote attackers.",
"description": "They will put you in many botnets. Remote attacks on Apple products.http://thebrotherssabey.com/\t\t\t\nhttps://thebrotherssabey.com/\t\t\t\nthebrotherssabey.com",
"modified": "2026-03-21T23:21:32.200000",
"created": "2026-03-21T23:21:32.200000",
"tags": [
"active related",
"thebrotherssabey",
"apple"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 196,
"domain": 11,
"hostname": 79,
"FileHash-SHA256": 20
},
"indicator_count": 306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "72 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://l.us-1.a.mimecastprotect.com/l",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://l.us-1.a.mimecastprotect.com/l",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780389413.8816268
}