{
"type": "URL",
"indicator": "https://learn.applepay.apple/security-us",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://learn.applepay.apple/security-us",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3787309696,
"indicator": "https://learn.applepay.apple/security-us",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 4,
"pulses": [
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65676fdedd4bf87319fcd14a",
"name": "RATel \u2022 Apple iOS \u2022 NEWORDER.doc \u2022 http://ocsp2.apple.com/",
"description": "",
"modified": "2023-12-29T16:03:00.220000",
"created": "2023-11-29T17:07:42.477000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"apple",
"historical ssl",
"referrer",
"resolutions",
"highly targeted",
"execution",
"password",
"ratel",
"core",
"hacktool",
"attack",
"life",
"android",
"project",
"chaos",
"ransomexx",
"quasar",
"name verdict",
"no data",
"tag count",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"tag tag",
"pattern match",
"script",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"beginstring",
"mitre att",
"null",
"date",
"unknown",
"error",
"span",
"class",
"generator",
"critical",
"body",
"meta",
"hybrid",
"general",
"click",
"strings",
"refresh",
"tools",
"ip summary",
"url summary",
"cisco umbrella",
"site",
"safe site",
"million",
"team",
"microsoft",
"malicious url",
"phishing",
"union",
"bank",
"traffic",
"tor known",
"tor relayrouter",
"node tcp",
"spammer",
"anonymizer",
"united",
"firehol gozi",
"cname",
"aaaa",
"record type",
"ttl value",
"algorithm",
"data",
"v3 serial",
"number",
"cus cnapple",
"public server",
"ecc ca",
"g1 oapple",
"validity",
"public key",
"info",
"domain status",
"server",
"redacted for",
"privacy tech",
"privacy admin",
"email",
"registrar abuse",
"country",
"postal code",
"code",
"csc corporate",
"domains",
"registrar url",
"registry domain",
"contact phone",
"registrar whois",
"security",
"dns replication",
"servers",
"passive dns",
"urls",
"creation date",
"rsa cn",
"ca g2",
"search",
"record value",
"object",
"certificate",
"orgtechhandle",
"apple computer",
"orgtechref",
"rauschenberg",
"rtechhandle",
"rtechref",
"network",
"registry arin",
"country us",
"domain",
"lookups",
"city",
"orgid",
"stevens creek",
"city center",
"dropped",
"pe resource",
"collections",
"contacted urls",
"stealer",
"nanocore",
"malicious",
"installer",
"neworder.doc",
"et",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"setcookie geous",
"cookie",
"malware site",
"malicious site",
"genericm",
"phishing site",
"malware",
"lazarus",
"tulach",
"tsara brashears",
"targeting",
"malvertizing",
"ios",
"icloud compromise",
"apple support compromise",
"apple app store compromise",
"t-mobile",
"metroby-tmo",
"metro",
"dgs",
"qwest",
"zombie devices",
"python infostealer",
"soc",
"red",
"galaxy watch",
"gear s",
"watch",
"samsung galaxy",
"app store",
"gear s2",
"gear sport",
"gear s3",
"active",
"active2",
"galaxy",
"blacklist https",
"tld count",
"scan endpoints",
"all search",
"otx octoseek",
"hostname",
"pulse submit",
"url analysis",
"files",
"verdict",
"samsug",
"galaxy watch",
"registrar",
"showing",
"as43350 nforce",
"united kingdom",
"alexa top",
"alexa"
],
"references": [
"https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca",
"ocsp2.apple.com | IP 17.253.29.199",
"5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate",
"CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE",
"37.48.65.150 | command and control",
"45.33.18.44 | command and control",
"45.33.2.79 | command and control",
"45.33.20.235 | command and control",
"45.33.23.183 | command and control",
"45.33.30.197 | command and control",
"45.56.79.23 | command and control",
"45.79.19.196 | command and control",
"172.93.103.100 | command and control",
"198.58.118.167 | command and control",
"185.107.56.200 | command and control",
"45.33.18.44 | command and control",
"45.33.2.79 | command and control",
"45.79.19.196 | command and control",
"5.79.79.211 | command and control",
"72.14.178.174 | command and control",
"72.14.178.174 | command and control",
"72.14.185.43 | command and control",
"96.126.123.244 | command and control",
"20.99.186.246 | command and contro",
"103.246.145.111 | scanning host",
"https://tulach.cc/ | phishing",
"tulach.cc. | Malicious compromises \u2022 Critical",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy",
"https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware",
"message.htm.com | malware ransomware spreader",
"ussjc9-edge-bx-008.ts.apple.com | malware",
"nr-data.net | Apple Private Data Collection",
"https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)",
"apple.com | malicious \u2022 geo tracking",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog",
"https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument",
"drip.colorado.edu = colorado.edu @ University of Colorado Boulder"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "NEWORDER.doc",
"display_name": "NEWORDER.doc",
"target": null
},
{
"id": "RATel",
"display_name": "RATel",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "Nimnul",
"display_name": "Nimnul",
"target": null
},
{
"id": "Botnet Army",
"display_name": "Botnet Army",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1562.003",
"name": "Impair Command History Logging",
"display_name": "T1562.003 - Impair Command History Logging"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
}
],
"industries": [
"Telecommunications",
"Public"
],
"TLP": "white",
"cloned_from": null,
"export_count": 39,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4559,
"FileHash-MD5": 187,
"FileHash-SHA1": 161,
"FileHash-SHA256": 2628,
"domain": 744,
"hostname": 1598,
"email": 11,
"CVE": 1,
"CIDR": 2
},
"indicator_count": 9891,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "883 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "656a986b2f9afc18556b1181",
"name": "RATel \u2022 Apple iOS \u2022 NEWORDER.doc \u2022 http://ocsp2.apple.com/",
"description": "",
"modified": "2023-12-29T16:03:00.220000",
"created": "2023-12-02T02:37:31.842000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"apple",
"historical ssl",
"referrer",
"resolutions",
"highly targeted",
"execution",
"password",
"ratel",
"core",
"hacktool",
"attack",
"life",
"android",
"project",
"chaos",
"ransomexx",
"quasar",
"name verdict",
"no data",
"tag count",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"tag tag",
"pattern match",
"script",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"beginstring",
"mitre att",
"null",
"date",
"unknown",
"error",
"span",
"class",
"generator",
"critical",
"body",
"meta",
"hybrid",
"general",
"click",
"strings",
"refresh",
"tools",
"ip summary",
"url summary",
"cisco umbrella",
"site",
"safe site",
"million",
"team",
"microsoft",
"malicious url",
"phishing",
"union",
"bank",
"traffic",
"tor known",
"tor relayrouter",
"node tcp",
"spammer",
"anonymizer",
"united",
"firehol gozi",
"cname",
"aaaa",
"record type",
"ttl value",
"algorithm",
"data",
"v3 serial",
"number",
"cus cnapple",
"public server",
"ecc ca",
"g1 oapple",
"validity",
"public key",
"info",
"domain status",
"server",
"redacted for",
"privacy tech",
"privacy admin",
"email",
"registrar abuse",
"country",
"postal code",
"code",
"csc corporate",
"domains",
"registrar url",
"registry domain",
"contact phone",
"registrar whois",
"security",
"dns replication",
"servers",
"passive dns",
"urls",
"creation date",
"rsa cn",
"ca g2",
"search",
"record value",
"object",
"certificate",
"orgtechhandle",
"apple computer",
"orgtechref",
"rauschenberg",
"rtechhandle",
"rtechref",
"network",
"registry arin",
"country us",
"domain",
"lookups",
"city",
"orgid",
"stevens creek",
"city center",
"dropped",
"pe resource",
"collections",
"contacted urls",
"stealer",
"nanocore",
"malicious",
"installer",
"neworder.doc",
"et",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"setcookie geous",
"cookie",
"malware site",
"malicious site",
"genericm",
"phishing site",
"malware",
"lazarus",
"tulach",
"tsara brashears",
"targeting",
"malvertizing",
"ios",
"icloud compromise",
"apple support compromise",
"apple app store compromise",
"t-mobile",
"metroby-tmo",
"metro",
"dgs",
"qwest",
"zombie devices",
"python infostealer",
"soc",
"red",
"galaxy watch",
"gear s",
"watch",
"samsung galaxy",
"app store",
"gear s2",
"gear sport",
"gear s3",
"active",
"active2",
"galaxy",
"blacklist https",
"tld count",
"scan endpoints",
"all search",
"otx octoseek",
"hostname",
"pulse submit",
"url analysis",
"files",
"verdict",
"samsug",
"galaxy watch",
"registrar",
"showing",
"as43350 nforce",
"united kingdom",
"alexa top",
"alexa"
],
"references": [
"https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca",
"ocsp2.apple.com | IP 17.253.29.199",
"5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate",
"CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE",
"37.48.65.150 | command and control",
"45.33.18.44 | command and control",
"45.33.2.79 | command and control",
"45.33.20.235 | command and control",
"45.33.23.183 | command and control",
"45.33.30.197 | command and control",
"45.56.79.23 | command and control",
"45.79.19.196 | command and control",
"172.93.103.100 | command and control",
"198.58.118.167 | command and control",
"185.107.56.200 | command and control",
"45.33.18.44 | command and control",
"45.33.2.79 | command and control",
"45.79.19.196 | command and control",
"5.79.79.211 | command and control",
"72.14.178.174 | command and control",
"72.14.178.174 | command and control",
"72.14.185.43 | command and control",
"96.126.123.244 | command and control",
"20.99.186.246 | command and contro",
"103.246.145.111 | scanning host",
"https://tulach.cc/ | phishing",
"tulach.cc. | Malicious compromises \u2022 Critical",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy",
"https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware",
"message.htm.com | malware ransomware spreader",
"ussjc9-edge-bx-008.ts.apple.com | malware",
"nr-data.net | Apple Private Data Collection",
"https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)",
"apple.com | malicious \u2022 geo tracking",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog",
"https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument",
"drip.colorado.edu = colorado.edu @ University of Colorado Boulder"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "NEWORDER.doc",
"display_name": "NEWORDER.doc",
"target": null
},
{
"id": "RATel",
"display_name": "RATel",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "Nimnul",
"display_name": "Nimnul",
"target": null
},
{
"id": "Botnet Army",
"display_name": "Botnet Army",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1562.003",
"name": "Impair Command History Logging",
"display_name": "T1562.003 - Impair Command History Logging"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
}
],
"industries": [
"Telecommunications",
"Public"
],
"TLP": "white",
"cloned_from": "65676fdedd4bf87319fcd14a",
"export_count": 30,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4559,
"FileHash-MD5": 187,
"FileHash-SHA1": 161,
"FileHash-SHA256": 2628,
"domain": 744,
"hostname": 1598,
"email": 11,
"CVE": 1,
"CIDR": 2
},
"indicator_count": 9891,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "883 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://aspmx.l.google.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"monitor.kyos.ninja",
"72.14.185.43 | command and control",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument",
"185.107.56.200 | command and control",
"apple.com | malicious \u2022 geo tracking",
"Redirect: schemas.microsoft.com",
"96.126.123.244 | command and control",
"tulach.cc. | Malicious compromises \u2022 Critical",
"drip.colorado.edu = colorado.edu @ University of Colorado Boulder",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware",
"iphonegermany.com",
"45.33.2.79 | command and control",
"oas-japac-domains-applecomputer.cn",
"apple.com(-inc.cc)",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE",
"div>
",
"I apologize for the lack of reference.",
"http://audaxgroup.appleid.com/",
"https://icloud.ch/cn/ipod-touch/",
"37.48.65.150 | command and control",
"198.58.118.167 | command and control",
"103.246.145.111 | scanning host",
"https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)",
"Requires further research.",
"45.33.23.183 | command and control",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"monitoring.eurovision.net",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog",
"72.14.178.174 | command and control",
"https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack",
"message.htm.com | malware ransomware spreader",
"45.33.30.197 | command and control",
"https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca",
"https://l.us-1.a.mimecastprotect.com/l",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate",
"ocsp2.apple.com | IP 17.253.29.199",
"http://apple.support.com/ht***** redirect",
"45.56.79.23 | command and control",
"172.93.103.100 | command and control",
"45.33.18.44 | command and control",
"5.79.79.211 | command and control",
"ussjc9-edge-bx-008.ts.apple.com | malware",
"20.99.186.246 | command and contro",
"45.33.20.235 | command and control",
"robert-aebi.appleid.com",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"Same legal , and quasi governmental pattern identified",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"45.79.19.196 | command and control",
"http://www.icloud-sms-alert.com/",
"https://icloud.ch/",
"nr-data.net | Apple Private Data Collection",
"It appears there are 5-7 known affected that I was able to find",
"https://tulach.cc/ | phishing",
"smtp2.icl-privaterelay.appleid.com",
"mac.store"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Emotet",
"Worm:win32/bloored",
"Ransomexx",
"Icedid",
"Neworder.doc",
"Ramnit",
"#lowfi:lua:dllsuspiciousexport.a",
"Win.malware.elenooka-6996044-0",
"Botnet army",
"Et",
"Trojan:win32/smkldr.h!mtb",
"Quasar rat",
"Nimnul",
"Tulach malware",
"Ratel",
"Trojan:win32/icedid.di!mtb",
"Mydoom"
],
"industries": [
"Telecommunications",
"Technology",
"Public",
"Telecom",
"Legal"
],
"unique_indicators": 31206
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/applepay.apple",
"whois": "http://whois.domaintools.com/applepay.apple",
"domain": "applepay.apple",
"hostname": "learn.applepay.apple"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 4,
"pulses": [
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65676fdedd4bf87319fcd14a",
"name": "RATel \u2022 Apple iOS \u2022 NEWORDER.doc \u2022 http://ocsp2.apple.com/",
"description": "",
"modified": "2023-12-29T16:03:00.220000",
"created": "2023-11-29T17:07:42.477000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"apple",
"historical ssl",
"referrer",
"resolutions",
"highly targeted",
"execution",
"password",
"ratel",
"core",
"hacktool",
"attack",
"life",
"android",
"project",
"chaos",
"ransomexx",
"quasar",
"name verdict",
"no data",
"tag count",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"tag tag",
"pattern match",
"script",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"beginstring",
"mitre att",
"null",
"date",
"unknown",
"error",
"span",
"class",
"generator",
"critical",
"body",
"meta",
"hybrid",
"general",
"click",
"strings",
"refresh",
"tools",
"ip summary",
"url summary",
"cisco umbrella",
"site",
"safe site",
"million",
"team",
"microsoft",
"malicious url",
"phishing",
"union",
"bank",
"traffic",
"tor known",
"tor relayrouter",
"node tcp",
"spammer",
"anonymizer",
"united",
"firehol gozi",
"cname",
"aaaa",
"record type",
"ttl value",
"algorithm",
"data",
"v3 serial",
"number",
"cus cnapple",
"public server",
"ecc ca",
"g1 oapple",
"validity",
"public key",
"info",
"domain status",
"server",
"redacted for",
"privacy tech",
"privacy admin",
"email",
"registrar abuse",
"country",
"postal code",
"code",
"csc corporate",
"domains",
"registrar url",
"registry domain",
"contact phone",
"registrar whois",
"security",
"dns replication",
"servers",
"passive dns",
"urls",
"creation date",
"rsa cn",
"ca g2",
"search",
"record value",
"object",
"certificate",
"orgtechhandle",
"apple computer",
"orgtechref",
"rauschenberg",
"rtechhandle",
"rtechref",
"network",
"registry arin",
"country us",
"domain",
"lookups",
"city",
"orgid",
"stevens creek",
"city center",
"dropped",
"pe resource",
"collections",
"contacted urls",
"stealer",
"nanocore",
"malicious",
"installer",
"neworder.doc",
"et",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"setcookie geous",
"cookie",
"malware site",
"malicious site",
"genericm",
"phishing site",
"malware",
"lazarus",
"tulach",
"tsara brashears",
"targeting",
"malvertizing",
"ios",
"icloud compromise",
"apple support compromise",
"apple app store compromise",
"t-mobile",
"metroby-tmo",
"metro",
"dgs",
"qwest",
"zombie devices",
"python infostealer",
"soc",
"red",
"galaxy watch",
"gear s",
"watch",
"samsung galaxy",
"app store",
"gear s2",
"gear sport",
"gear s3",
"active",
"active2",
"galaxy",
"blacklist https",
"tld count",
"scan endpoints",
"all search",
"otx octoseek",
"hostname",
"pulse submit",
"url analysis",
"files",
"verdict",
"samsug",
"galaxy watch",
"registrar",
"showing",
"as43350 nforce",
"united kingdom",
"alexa top",
"alexa"
],
"references": [
"https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca",
"ocsp2.apple.com | IP 17.253.29.199",
"5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate",
"CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE",
"37.48.65.150 | command and control",
"45.33.18.44 | command and control",
"45.33.2.79 | command and control",
"45.33.20.235 | command and control",
"45.33.23.183 | command and control",
"45.33.30.197 | command and control",
"45.56.79.23 | command and control",
"45.79.19.196 | command and control",
"172.93.103.100 | command and control",
"198.58.118.167 | command and control",
"185.107.56.200 | command and control",
"45.33.18.44 | command and control",
"45.33.2.79 | command and control",
"45.79.19.196 | command and control",
"5.79.79.211 | command and control",
"72.14.178.174 | command and control",
"72.14.178.174 | command and control",
"72.14.185.43 | command and control",
"96.126.123.244 | command and control",
"20.99.186.246 | command and contro",
"103.246.145.111 | scanning host",
"https://tulach.cc/ | phishing",
"tulach.cc. | Malicious compromises \u2022 Critical",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy",
"https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware",
"message.htm.com | malware ransomware spreader",
"ussjc9-edge-bx-008.ts.apple.com | malware",
"nr-data.net | Apple Private Data Collection",
"https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)",
"apple.com | malicious \u2022 geo tracking",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog",
"https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument",
"drip.colorado.edu = colorado.edu @ University of Colorado Boulder"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "NEWORDER.doc",
"display_name": "NEWORDER.doc",
"target": null
},
{
"id": "RATel",
"display_name": "RATel",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "Nimnul",
"display_name": "Nimnul",
"target": null
},
{
"id": "Botnet Army",
"display_name": "Botnet Army",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1562.003",
"name": "Impair Command History Logging",
"display_name": "T1562.003 - Impair Command History Logging"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
}
],
"industries": [
"Telecommunications",
"Public"
],
"TLP": "white",
"cloned_from": null,
"export_count": 39,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4559,
"FileHash-MD5": 187,
"FileHash-SHA1": 161,
"FileHash-SHA256": 2628,
"domain": 744,
"hostname": 1598,
"email": 11,
"CVE": 1,
"CIDR": 2
},
"indicator_count": 9891,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "883 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "656a986b2f9afc18556b1181",
"name": "RATel \u2022 Apple iOS \u2022 NEWORDER.doc \u2022 http://ocsp2.apple.com/",
"description": "",
"modified": "2023-12-29T16:03:00.220000",
"created": "2023-12-02T02:37:31.842000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"apple",
"historical ssl",
"referrer",
"resolutions",
"highly targeted",
"execution",
"password",
"ratel",
"core",
"hacktool",
"attack",
"life",
"android",
"project",
"chaos",
"ransomexx",
"quasar",
"name verdict",
"no data",
"tag count",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"tag tag",
"pattern match",
"script",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"beginstring",
"mitre att",
"null",
"date",
"unknown",
"error",
"span",
"class",
"generator",
"critical",
"body",
"meta",
"hybrid",
"general",
"click",
"strings",
"refresh",
"tools",
"ip summary",
"url summary",
"cisco umbrella",
"site",
"safe site",
"million",
"team",
"microsoft",
"malicious url",
"phishing",
"union",
"bank",
"traffic",
"tor known",
"tor relayrouter",
"node tcp",
"spammer",
"anonymizer",
"united",
"firehol gozi",
"cname",
"aaaa",
"record type",
"ttl value",
"algorithm",
"data",
"v3 serial",
"number",
"cus cnapple",
"public server",
"ecc ca",
"g1 oapple",
"validity",
"public key",
"info",
"domain status",
"server",
"redacted for",
"privacy tech",
"privacy admin",
"email",
"registrar abuse",
"country",
"postal code",
"code",
"csc corporate",
"domains",
"registrar url",
"registry domain",
"contact phone",
"registrar whois",
"security",
"dns replication",
"servers",
"passive dns",
"urls",
"creation date",
"rsa cn",
"ca g2",
"search",
"record value",
"object",
"certificate",
"orgtechhandle",
"apple computer",
"orgtechref",
"rauschenberg",
"rtechhandle",
"rtechref",
"network",
"registry arin",
"country us",
"domain",
"lookups",
"city",
"orgid",
"stevens creek",
"city center",
"dropped",
"pe resource",
"collections",
"contacted urls",
"stealer",
"nanocore",
"malicious",
"installer",
"neworder.doc",
"et",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"setcookie geous",
"cookie",
"malware site",
"malicious site",
"genericm",
"phishing site",
"malware",
"lazarus",
"tulach",
"tsara brashears",
"targeting",
"malvertizing",
"ios",
"icloud compromise",
"apple support compromise",
"apple app store compromise",
"t-mobile",
"metroby-tmo",
"metro",
"dgs",
"qwest",
"zombie devices",
"python infostealer",
"soc",
"red",
"galaxy watch",
"gear s",
"watch",
"samsung galaxy",
"app store",
"gear s2",
"gear sport",
"gear s3",
"active",
"active2",
"galaxy",
"blacklist https",
"tld count",
"scan endpoints",
"all search",
"otx octoseek",
"hostname",
"pulse submit",
"url analysis",
"files",
"verdict",
"samsug",
"galaxy watch",
"registrar",
"showing",
"as43350 nforce",
"united kingdom",
"alexa top",
"alexa"
],
"references": [
"https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca",
"ocsp2.apple.com | IP 17.253.29.199",
"5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate",
"CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE",
"37.48.65.150 | command and control",
"45.33.18.44 | command and control",
"45.33.2.79 | command and control",
"45.33.20.235 | command and control",
"45.33.23.183 | command and control",
"45.33.30.197 | command and control",
"45.56.79.23 | command and control",
"45.79.19.196 | command and control",
"172.93.103.100 | command and control",
"198.58.118.167 | command and control",
"185.107.56.200 | command and control",
"45.33.18.44 | command and control",
"45.33.2.79 | command and control",
"45.79.19.196 | command and control",
"5.79.79.211 | command and control",
"72.14.178.174 | command and control",
"72.14.178.174 | command and control",
"72.14.185.43 | command and control",
"96.126.123.244 | command and control",
"20.99.186.246 | command and contro",
"103.246.145.111 | scanning host",
"https://tulach.cc/ | phishing",
"tulach.cc. | Malicious compromises \u2022 Critical",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy",
"https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware",
"message.htm.com | malware ransomware spreader",
"ussjc9-edge-bx-008.ts.apple.com | malware",
"nr-data.net | Apple Private Data Collection",
"https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)",
"apple.com | malicious \u2022 geo tracking",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog",
"https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument",
"drip.colorado.edu = colorado.edu @ University of Colorado Boulder"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "NEWORDER.doc",
"display_name": "NEWORDER.doc",
"target": null
},
{
"id": "RATel",
"display_name": "RATel",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "Nimnul",
"display_name": "Nimnul",
"target": null
},
{
"id": "Botnet Army",
"display_name": "Botnet Army",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1562.003",
"name": "Impair Command History Logging",
"display_name": "T1562.003 - Impair Command History Logging"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
}
],
"industries": [
"Telecommunications",
"Public"
],
"TLP": "white",
"cloned_from": "65676fdedd4bf87319fcd14a",
"export_count": 30,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4559,
"FileHash-MD5": 187,
"FileHash-SHA1": 161,
"FileHash-SHA256": 2628,
"domain": 744,
"hostname": 1598,
"email": 11,
"CVE": 1,
"CIDR": 2
},
"indicator_count": 9891,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "883 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://learn.applepay.apple/security-us",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://learn.applepay.apple/security-us",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780222560.0166311
}