{ "type": "URL", "indicator": "https://learn.appleservices.apple", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://learn.appleservices.apple", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3833891177, "indicator": "https://learn.appleservices.apple", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "699c6ef61298b57cd7275728", "name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s", "description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.", "modified": "2026-03-25T07:05:10.628000", "created": "2026-02-23T15:15:02.857000", "tags": [ "ipv4", "http", "passive dns", "files domain", "united", "unknown ns", "for privacy", "ip address", "domain", "dynamicloader", "antivirus", "yara rule", "fe ff", "write c", "msvisualcpp60", "rsds", "e8 c8", "e8 a8", "ff e1", "unknown", "worm", "launch", "write", "explorer", "february", "push", "service", "files", "reverse dns", "america flag", "america asn", "url add", "otx logo", "all ipv4", "searc", "date checked", "server response", "results dec", "unknown soa", "present aug", "present oct", "present sep", "present nov", "moved", "error", "title", "win32mydoom feb", "aaaa", "name servers", "trojan", "servers", "virtool", "united states", "apple", "crlf line", "unicode text", "utf8", "ff d5", "ascii text", "ee fc", "suspicious", "music", "malware", "role title", "ttl value", ".cc", "d4 f5", "msvisualcpp2002", "msvisualcpp2005", "apple support", ".ch", "privaterelay", "pattern match", "ck id", "mitre att", "ck matrix", "href", "et info", "general", "local", "path", "click", "learn", "command", "name tactics", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "present jun", "backdoor", "present may", "status", "ransom", "high", "medium", "windows", "tofsee", "loaderid", "lidfileupd", "localcfg", "rndhex", "stream", "delete", "emotet", "bot network", "mitm", "screenshot", "mimecast" ], "references": [ "http://apple.support.com/ht***** redirect", "https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8", "mac.store", "https://icloud.ch/cn/ipod-touch/", "https://icloud.ch/", "https://multicash.smbcgroup.com/gb/App/Authentication/Challenge", "https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/", "Redirect: schemas.microsoft.com", "apple.com(-inc.cc)", "oas-japac-domains-applecomputer.cn", "robert-aebi.appleid.com", "smtp2.icl-privaterelay.appleid.com", "http://audaxgroup.appleid.com/", "https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php", "iphonegermany.com", "api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud", "https://aspmx.l.google.com/", "api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com", "de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com", "http://www.icloud-sms-alert.com/", "monitoring.eurovision.net", "https://www.irby.com/iub-en/services/testing-and-monitoring", "monitor.kyos.ninja" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/IcedId.DI!MTB", "display_name": "Trojan:Win32/IcedId.DI!MTB", "target": "/malware/Trojan:Win32/IcedId.DI!MTB" }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Worm:Win32/Bloored", "display_name": "Worm:Win32/Bloored", "target": "/malware/Worm:Win32/Bloored" }, { "id": "Win.Malware.Elenooka-6996044-0", "display_name": "Win.Malware.Elenooka-6996044-0", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6031, "hostname": 1971, "domain": 1125, "FileHash-SHA256": 1715, "email": 18, "FileHash-MD5": 317, "FileHash-SHA1": 164 }, "indicator_count": 11341, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bca8fcbe62297d71b47c33", "name": "Ragnar Locker", "description": "\u2022 FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise\n\u2022 Found in https://www.Esurance.com\n 108.26.193.165\nAS 701 (UUNET)\n\u2022108.26.193.165 Postal Code: 02465 Reverse Domain Lookup: pool-108-26-193-165.bstnma.fios.verizon.net \n| Ragnar Locker is ransomware for Windows and Linux that exfiltrates information from a compromised machine, encrypts files using the Salsa20 encryption algorithm, and demands that victims pay a ransom to recover their data. The Ragnar Locker group is known to employ a double extortion tactic.", "modified": "2024-03-03T08:00:03.432000", "created": "2024-02-02T08:34:04.425000", "tags": [ "referrer", "contacted", "whois record", "ssl certificate", "whois whois", "contacted urls", "execution", "historical ssl", "red team", "gang breached", "agent tesla", "redline stealer", "metro", "android", "urls url", "files", "kgs0", "kls0", "orgtechhandle", "orgtechref", "orgabusehandle", "orgdnshandle", "orgdnsref", "whois lookup", "netrange", "nethandle", "net108", "net1080000", "communicating", "urls http", "ransomware gang", "breached", "team", "first", "utc submissions", "submitters", "gandi sas", "psiusa", "domain robot", "porkbun llc", "keysystems gmbh", "csc corporate", "domains", "domain name", "network pty", "tucows", "com laude", "dynadot inc" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8354, "FileHash-MD5": 104, "FileHash-SHA1": 81, "FileHash-SHA256": 2711, "CIDR": 5, "CVE": 6, "domain": 1489, "hostname": 3058, "email": 5 }, "indicator_count": 15813, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "777 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "apple.com(-inc.cc)", "Redirect: schemas.microsoft.com", "http://audaxgroup.appleid.com/", "https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php", "https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/", "monitoring.eurovision.net", "de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com", "api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud", "robert-aebi.appleid.com", "http://www.icloud-sms-alert.com/", "https://www.irby.com/iub-en/services/testing-and-monitoring", "smtp2.icl-privaterelay.appleid.com", "iphonegermany.com", "https://multicash.smbcgroup.com/gb/App/Authentication/Challenge", "https://icloud.ch/cn/ipod-touch/", "https://aspmx.l.google.com/", "mac.store", "http://apple.support.com/ht***** redirect", "api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com", "monitor.kyos.ninja", "https://icloud.ch/", "https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8", "oas-japac-domains-applecomputer.cn" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Emotet", "Mydoom", "Worm:win32/bloored", "Trojan:win32/icedid.di!mtb", "Win.malware.elenooka-6996044-0" ], "industries": [], "unique_indicators": 27734 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/appleservices.apple", "whois": "http://whois.domaintools.com/appleservices.apple", "domain": "appleservices.apple", "hostname": "learn.appleservices.apple" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "699c6ef61298b57cd7275728", "name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s", "description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.", "modified": "2026-03-25T07:05:10.628000", "created": "2026-02-23T15:15:02.857000", "tags": [ "ipv4", "http", "passive dns", "files domain", "united", "unknown ns", "for privacy", "ip address", "domain", "dynamicloader", "antivirus", "yara rule", "fe ff", "write c", "msvisualcpp60", "rsds", "e8 c8", "e8 a8", "ff e1", "unknown", "worm", "launch", "write", "explorer", "february", "push", "service", "files", "reverse dns", "america flag", "america asn", "url add", "otx logo", "all ipv4", "searc", "date checked", "server response", "results dec", "unknown soa", "present aug", "present oct", "present sep", "present nov", "moved", "error", "title", "win32mydoom feb", "aaaa", "name servers", "trojan", "servers", "virtool", "united states", "apple", "crlf line", "unicode text", "utf8", "ff d5", "ascii text", "ee fc", "suspicious", "music", "malware", "role title", "ttl value", ".cc", "d4 f5", "msvisualcpp2002", "msvisualcpp2005", "apple support", ".ch", "privaterelay", "pattern match", "ck id", "mitre att", "ck matrix", "href", "et info", "general", "local", "path", "click", "learn", "command", "name tactics", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "present jun", "backdoor", "present may", "status", "ransom", "high", "medium", "windows", "tofsee", "loaderid", "lidfileupd", "localcfg", "rndhex", "stream", "delete", "emotet", "bot network", "mitm", "screenshot", "mimecast" ], "references": [ "http://apple.support.com/ht***** redirect", "https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8", "mac.store", "https://icloud.ch/cn/ipod-touch/", "https://icloud.ch/", "https://multicash.smbcgroup.com/gb/App/Authentication/Challenge", "https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/", "Redirect: schemas.microsoft.com", "apple.com(-inc.cc)", "oas-japac-domains-applecomputer.cn", "robert-aebi.appleid.com", "smtp2.icl-privaterelay.appleid.com", "http://audaxgroup.appleid.com/", "https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php", "iphonegermany.com", "api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud", "https://aspmx.l.google.com/", "api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com", "de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com", "http://www.icloud-sms-alert.com/", "monitoring.eurovision.net", "https://www.irby.com/iub-en/services/testing-and-monitoring", "monitor.kyos.ninja" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/IcedId.DI!MTB", "display_name": "Trojan:Win32/IcedId.DI!MTB", "target": "/malware/Trojan:Win32/IcedId.DI!MTB" }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Worm:Win32/Bloored", "display_name": "Worm:Win32/Bloored", "target": "/malware/Worm:Win32/Bloored" }, { "id": "Win.Malware.Elenooka-6996044-0", "display_name": "Win.Malware.Elenooka-6996044-0", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6031, "hostname": 1971, "domain": 1125, "FileHash-SHA256": 1715, "email": 18, "FileHash-MD5": 317, "FileHash-SHA1": 164 }, "indicator_count": 11341, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bca8fcbe62297d71b47c33", "name": "Ragnar Locker", "description": "\u2022 FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise\n\u2022 Found in https://www.Esurance.com\n 108.26.193.165\nAS 701 (UUNET)\n\u2022108.26.193.165 Postal Code: 02465 Reverse Domain Lookup: pool-108-26-193-165.bstnma.fios.verizon.net \n| Ragnar Locker is ransomware for Windows and Linux that exfiltrates information from a compromised machine, encrypts files using the Salsa20 encryption algorithm, and demands that victims pay a ransom to recover their data. The Ragnar Locker group is known to employ a double extortion tactic.", "modified": "2024-03-03T08:00:03.432000", "created": "2024-02-02T08:34:04.425000", "tags": [ "referrer", "contacted", "whois record", "ssl certificate", "whois whois", "contacted urls", "execution", "historical ssl", "red team", "gang breached", "agent tesla", "redline stealer", "metro", "android", "urls url", "files", "kgs0", "kls0", "orgtechhandle", "orgtechref", "orgabusehandle", "orgdnshandle", "orgdnsref", "whois lookup", "netrange", "nethandle", "net108", "net1080000", "communicating", "urls http", "ransomware gang", "breached", "team", "first", "utc submissions", "submitters", "gandi sas", "psiusa", "domain robot", "porkbun llc", "keysystems gmbh", "csc corporate", "domains", "domain name", "network pty", "tucows", "com laude", "dynadot inc" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8354, "FileHash-MD5": 104, "FileHash-SHA1": 81, "FileHash-SHA256": 2711, "CIDR": 5, "CVE": 6, "domain": 1489, "hostname": 3058, "email": 5 }, "indicator_count": 15813, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "777 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://learn.appleservices.apple", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://learn.appleservices.apple", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776630669.0401907 }