{ "type": "URL", "indicator": "https://lil.disabled.racing/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://lil.disabled.racing/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4119603424, "indicator": "https://lil.disabled.racing/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "5 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6953775a0aed71947ca3f90e", "name": "Ransom WannaCrypt- Hackers masquerade as a law firm | Social Engineering |", "description": "Hackers , likely Colorado State employees masquerading as legal, entities, social\nengineering, financial exchanges involved. Fraud. Dangerous enterprise. Found in an \u2018alleged \u2018 Plaintiff Law Firms malicious link discovered in old print out, also seen in earlier pulse. [OTX generated description: Adversaries may be able to evade detection and network filtering by blending in with existing traffic, as well as using web protocols, in order to avoid detection/network filtering. and other measures.]", "modified": "2026-01-29T06:09:08.504000", "created": "2025-12-30T06:55:22.105000", "tags": [ "united", "urls", "moved", "files", "ip address", "gmt content", "x adblock", "encrypt", "backdoor", "bq dec", "virtool", "ipv4 add", "ascii text", "pattern match", "ck id", "mitre att", "meta", "general", "local", "path", "click", "strings", "unknown", "simplified", "etpro trojan", "possible virut", "dga nxdomain", "responses", "virus", "medium", "virustotal", "vipre", "baidu", "vitro", "drweb", "mcafee", "panda", "malware", "write", "dynamicloader", "msie", "windows nt", "slcc2", "media center", "yara rule", "simda", "internal", "learn", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "discovery att", "ck matrix", "network traffic", "t1071", "t1057", "hybrid", "yara detections", "composite", "av detections", "ids detections", "alerts", "analysis date", "file score", "none related", "passive dns", "hosting", "reverse dns", "location united", "title", "ences s", "data upload", "extraction", "status", "hostname add", "url analysis", "push", "present sep", "present may", "present jul", "present jan", "win32small dec", "ransom", "write c", "show", "search", "high", "et exploit", "probe ms17010", "eternal blue", "englewood colorado", "wannacry", "wannacrypt", "ransom", "wanna" ], "references": [ "https://aws.hirecar.net/", "w32.virut.cf \u2022 win32.virut.am \u2022 virut.cf \u2022 http://w32.virut.cf \u2022http://w32.virut.cf/ \u2022 https://w32.virut.cf", "pandacookie2018.xyz", "Antivirus Detections: Win.Ransomware.Wanna-9769986-0 , Ransom:Win32/WannaCrypt.H", "IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS", "DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) Possible ETERNALBLUE Probe MS17-010 (Generic Flags) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic , MS17_010_WanaCry_worm , stack_string More Alerts 25 Alerts suspicious_iocontrol_codes persistence_autorun persistence_autorun_tasks stealth_file suricata_alert antivm_generic_disk anomalous_deletefil", "Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com \u2022\u2019survey-smiles.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor:Win32/Small.IR", "display_name": "Backdoor:Win32/Small.IR", "target": "/malware/Backdoor:Win32/Small.IR" }, { "id": "Win.Trojan.Agent-31853", "display_name": "Win.Trojan.Agent-31853", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Win.Ransomware.Wanna-9769986-0", "display_name": "Win.Ransomware.Wanna-9769986-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Virtool:Win32/Injector.gen!BQ", "display_name": "Virtool:Win32/Injector.gen!BQ", "target": "/malware/Virtool:Win32/Injector.gen!BQ" } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Government", "Technology", "Legal" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8605, "domain": 1228, "email": 2, "hostname": 1981, "FileHash-SHA256": 1617, "FileHash-SHA1": 184, "FileHash-MD5": 206, "SSLCertFingerprint": 2 }, "indicator_count": 13825, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "80 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fbc84609098d17c316f23c", "name": "NSO - Multiple crimes", "description": "Multiple crimes including illegal gambling, loan sharking, cybercrimes , content reputation , instructions. Starfield seen again. Team 8 has seen Starfield in more than 300 pulses. Now it\u2019s gone. Check your devices for innocent looking searches you\u2019ve never searched. Browser extensions found on 3 targeted devices with an adversary with full CnC armed with a deletion and disk wipe service. Local - Denver. \n\nAlso, very concerning is specific Airline to be attacked revealed. It cant be researched without bringing down a flight or messing up air command & control. DJT has already made travel a risky feat by being influenced to fire the (NOAA) & (DOT). Its manipulation. PP Mafia bros. \n\nDoes anyone have any power? Contact someone. We did have a mystery plane incident in Denver after I first reported. Just space junk , ya know the usual. I am serious about preventing crime. I need some help!", "modified": "2025-11-23T17:00:58.297000", "created": "2025-10-24T18:41:10.936000", "tags": [ "type indicator", "added active", "related pulses", "script urls", "united", "unknown ns", "a domains", "ip address", "meta", "asn as13335", "msie", "chrome", "ransom", "trojan", "passive dns", "backdoor", "http request", "twitter", "win32/crix.c check-in", "gmt content", "ipv4", "urls", "files", "data upload", "extraction", "domain add", "e emeseieee", "dynamicloader", "e eue", "eweienedeoewese", "windows nt", "wow64", "slcc2", "media center", "edeeefeaeuelete", "unknown", "write", "bits", "malware", "xserver", "encrypt", "unknown aaaa", "moved", "cloudfront x", "hio52 p1", "name servers", "accept encoding", "emails", "servers", "extr", "u a640", "a69f u", "fe2e fe2f", "u a720", "a7ff", "u feff", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "null", "body", "pizza", "friday", "hybrid", "general", "local", "path", "starfield", "iframe", "click", "strings", "core", "bet", "gambling", "record value", "date", "present sep", "present apr", "colombia", "present jun", "present nov", "cookie", "present oct", "entries", "next associated", "error", "attack", "government", "scotland", "news", "covid19", "subscribe", "october", "crown copyright", "nhs scotland", "parliament", "coronavirus", "redacted for", "domain status", "server", "privacy tech", "privacy admin", "email", "country", "postal code", "stateprovince", "code", "host name", "rdap database", "handle", "iana registrar", "entity roles", "links", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "medium", "write c", "search", "pe file", "high", "checks", "http", "delete", "copy", "guard", "mozilla", "next", "godaddy", "creation date", "hostname", "pulse submit", "url analysis", "domain", "files ip", "trojandropper", "mtb oct", "mtb may", "refloadapihash", "foundry", "fastly", "value a", "com laude", "ltd dba", "nomiq", "limited dba", "pulse", "location united", "asn asnone", "nameservers" ], "references": [ "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "fazendabetb.live \u2022 bowiesports.com Check first???", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "The Scottish Government www.gov.scot The NHS Scotland support", "http://129.2.4.2/32 Lencr", "qlw020.managed-sprint.dynalabs.io (Check)", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "ExternalHosts: US", "Starfield again - HoneyPot / Dod- DoW", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Germany", "Bulgaria", "Singapore", "Denmark", "Australia", "Jersey", "Japan", "Canada" ], "malware_families": [ { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Autoit", "display_name": "Autoit", "target": null }, { "id": "Ransom:Win32/Crowti", "display_name": "Ransom:Win32/Crowti", "target": "/malware/Ransom:Win32/Crowti" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#Lowfi:SIGATTR:DownloadAndExecute", "display_name": "#Lowfi:SIGATTR:DownloadAndExecute", "target": null }, { "id": "Win.Dropper.Vbclone", "display_name": "Win.Dropper.Vbclone", "target": null }, { "id": "Win.Packer", "display_name": "Win.Packer", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6261, "domain": 1806, "hostname": 2427, "FileHash-MD5": 384, "FileHash-SHA1": 381, "email": 13, "FileHash-SHA256": 1418, "SSLCertFingerprint": 14 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fc18514965ccd3b55c216d", "name": "Dorv \u2022 Obfuscator - Affecting DropBox", "description": "", "modified": "2025-11-23T17:00:58.297000", "created": "2025-10-25T00:22:41.686000", "tags": [ "type indicator", "added active", "related pulses", "script urls", "united", "unknown ns", "a domains", "ip address", "meta", "asn as13335", "msie", "chrome", "ransom", "trojan", "passive dns", "backdoor", "http request", "twitter", "win32/crix.c check-in", "gmt content", "ipv4", "urls", "files", "data upload", "extraction", "domain add", "e emeseieee", "dynamicloader", "e eue", "eweienedeoewese", "windows nt", "wow64", "slcc2", "media center", "edeeefeaeuelete", "unknown", "write", "bits", "malware", "xserver", "encrypt", "unknown aaaa", "moved", "cloudfront x", "hio52 p1", "name servers", "accept encoding", "emails", "servers", "extr", "u a640", "a69f u", "fe2e fe2f", "u a720", "a7ff", "u feff", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "null", "body", "pizza", "friday", "hybrid", "general", "local", "path", "starfield", "iframe", "click", "strings", "core", "bet", "gambling", "record value", "date", "present sep", "present apr", "colombia", "present jun", "present nov", "cookie", "present oct", "entries", "next associated", "error", "attack", "government", "scotland", "news", "covid19", "subscribe", "october", "crown copyright", "nhs scotland", "parliament", "coronavirus", "redacted for", "domain status", "server", "privacy tech", "privacy admin", "email", "country", "postal code", "stateprovince", "code", "host name", "rdap database", "handle", "iana registrar", "entity roles", "links", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "medium", "write c", "search", "pe file", "high", "checks", "http", "delete", "copy", "guard", "mozilla", "next", "godaddy", "creation date", "hostname", "pulse submit", "url analysis", "domain", "files ip", "trojandropper", "mtb oct", "mtb may", "refloadapihash", "foundry", "fastly", "value a", "com laude", "ltd dba", "nomiq", "limited dba", "pulse", "location united", "asn asnone", "nameservers" ], "references": [ "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "fazendabetb.live \u2022 bowiesports.com Check first???", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "The Scottish Government www.gov.scot The NHS Scotland support", "http://129.2.4.2/32 Lencr", "qlw020.managed-sprint.dynalabs.io (Check)", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "ExternalHosts: US", "Starfield again - HoneyPot / Dod- DoW", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Germany", "Bulgaria", "Singapore", "Denmark", "Australia", "Jersey", "Japan", "Canada" ], "malware_families": [ { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Autoit", "display_name": "Autoit", "target": null }, { "id": "Ransom:Win32/Crowti", "display_name": "Ransom:Win32/Crowti", "target": "/malware/Ransom:Win32/Crowti" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#Lowfi:SIGATTR:DownloadAndExecute", "display_name": "#Lowfi:SIGATTR:DownloadAndExecute", "target": null }, { "id": "Win.Dropper.Vbclone", "display_name": "Win.Dropper.Vbclone", "target": null }, { "id": "Win.Packer", "display_name": "Win.Packer", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "68fbc84609098d17c316f23c", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6261, "domain": 1806, "hostname": 2427, "FileHash-MD5": 384, "FileHash-SHA1": 381, "email": 13, "FileHash-SHA256": 1418, "SSLCertFingerprint": 14 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ee5e9f8cfc5fbc73142660", "name": "Gaming Studios - YouTube - MyDoom", "description": "", "modified": "2025-11-13T12:05:32.283000", "created": "2025-10-14T14:30:55.471000", "tags": [ "no expiration", "url https", "url http", "iocs", "ipv4", "enter source", "indicator role", "title added", "active related", "united", "present jul", "unknown ns", "search", "for privacy", "moved", "ip address", "encrypt", "a domains", "script urls", "meta", "pragma", "general full", "reverse dns", "software", "resource", "security tls", "piscataway", "asn20473", "asn15169", "google", "asvultr", "portfolio", "josh theriault", "upei", "university", "island", "roblox", "jmt studios", "moon engine", "android", "icpc", "north america", "qualifier", "hello", "apache", "runner", "eric everest", "games", "cloudflar", "amazon02", "as autonomous", "system", "canada", "value", "domainpath name", "cgjerrieegaggq", "name value", "form", "game development", "blog", "jmt99", "developer", "event", "bullseye", "trick or treat", "unofficial trick or treat 2014", "unofficial trick or treat 2015", "egg hunt", "gift hunt", "hallows quest", "studio", "experience", "fall", "january", "july", "founder", "studio head", "passive dns", "urls", "registrar", "title", "roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"", "press copyright", "contact", "privacy policy", "safety how", "youtube", "test", "nfl sunday", "ticket", "google llc", "data upload", "extraction", "failed", "files", "twitter", "variables", "cgjjtbieggagla", "nid value", "expiration date", "files ip", "dynamicloader", "write c", "delete c", "intel", "ms windows", "medium", "default", "write", "guard", "mozilla", "malware", "defender", "unknown", "domains", "hashes", "url analysis", "unknown aaaa", "script domains", "certificate", "game", "servers", "unofficial", "settings", "public", "endpoints", "currently", "game servers", "current", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "role title", "related pulses", "domain v", "url indicator", "nameilname", "ascii text", "mitre att", "ck id", "ck matrix", "hybrid", "general", "local", "path", "click", "strings", "pe file", "high", "yara detections", "dynamic", "v hostname", "se fos", "include v", "domain url", "data", "alltypes", "win32mydoom oct", "trojan", "url add", "http", "related nids", "files location", "canada flag", "canada hostname", "canada unknown", "canada", "present aug", "name servers", "present sep", "aaaa", "present oct", "crlf line", "unicode text", "music", "suspicious", "bricked.wtf", "flag united", "google safe", "domain", "address domain", "united states", "filehashsha256", "hostname xn", "finland unknown", "filehashmd5", "indicators hong", "kong", "south korea", "present jun", "present mar", "present may", "olet", "cnr12", "tlsv1", "get updates", "upatre", "added active", "apple", "everest", "josh paul", "upadter", "convagent", "info stealing", "delete service", "phishing", "fraud", "social engineering", "gamer", "hacker", "adversaries", "icloud", "found", "gmt content", "error", "redacted for", "meta http", "content", "gmt server", "france unknown", "poland unknown", "content type", "xml title", "hostname add", "address", "location united", "life", "century link llc", "xfinity", "livesex", "domain add", "users", "show", "delete", "blocked by quad9", "showing", "record value", "location canada", "canada asn", "accept", "cookie", "macbook", "ipv4 add", "america flag", "america asn", "asn as714", "less", "woodynet", "next associated", "status", "exclude sugges", "ip related", "t1027.013" ], "references": [ "https://www.jmtstudios.org/farewell/", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://api.jmtstudios.org/", "bricked.wtf", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "http://www.visitbooker.com/Dropbox-07/index.htm", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "Appears to be closely associated with close relative and initial victim of attack.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party." ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Win.Malware.Convagent-9981433-0", "display_name": "Win.Malware.Convagent-9981433-0", "target": null }, { "id": "Upadter", "display_name": "Upadter", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6996, "FileHash-MD5": 281, "FileHash-SHA1": 220, "FileHash-SHA256": 2673, "domain": 1747, "email": 24, "hostname": 2803, "SSLCertFingerprint": 3 }, "indicator_count": 14747, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ee5ea4d51d4a1cabdb4ee9", "name": "Gaming Studios - YouTube - MyDoom", "description": "", "modified": "2025-11-13T12:05:32.283000", "created": "2025-10-14T14:31:00.172000", "tags": [ "no expiration", "url https", "url http", "iocs", "ipv4", "enter source", "indicator role", "title added", "active related", "united", "present jul", "unknown ns", "search", "for privacy", "moved", "ip address", "encrypt", "a domains", "script urls", "meta", "pragma", "general full", "reverse dns", "software", "resource", "security tls", "piscataway", "asn20473", "asn15169", "google", "asvultr", "portfolio", "josh theriault", "upei", "university", "island", "roblox", "jmt studios", "moon engine", "android", "icpc", "north america", "qualifier", "hello", "apache", "runner", "eric everest", "games", "cloudflar", "amazon02", "as autonomous", "system", "canada", "value", "domainpath name", "cgjerrieegaggq", "name value", "form", "game development", "blog", "jmt99", "developer", "event", "bullseye", "trick or treat", "unofficial trick or treat 2014", "unofficial trick or treat 2015", "egg hunt", "gift hunt", "hallows quest", "studio", "experience", "fall", "january", "july", "founder", "studio head", "passive dns", "urls", "registrar", "title", "roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"", "press copyright", "contact", "privacy policy", "safety how", "youtube", "test", "nfl sunday", "ticket", "google llc", "data upload", "extraction", "failed", "files", "twitter", "variables", "cgjjtbieggagla", "nid value", "expiration date", "files ip", "dynamicloader", "write c", "delete c", "intel", "ms windows", "medium", "default", "write", "guard", "mozilla", "malware", "defender", "unknown", "domains", "hashes", "url analysis", "unknown aaaa", "script domains", "certificate", "game", "servers", "unofficial", "settings", "public", "endpoints", "currently", "game servers", "current", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "role title", "related pulses", "domain v", "url indicator", "nameilname", "ascii text", "mitre att", "ck id", "ck matrix", "hybrid", "general", "local", "path", "click", "strings", "pe file", "high", "yara detections", "dynamic", "v hostname", "se fos", "include v", "domain url", "data", "alltypes", "win32mydoom oct", "trojan", "url add", "http", "related nids", "files location", "canada flag", "canada hostname", "canada unknown", "canada", "present aug", "name servers", "present sep", "aaaa", "present oct", "crlf line", "unicode text", "music", "suspicious", "bricked.wtf", "flag united", "google safe", "domain", "address domain", "united states", "filehashsha256", "hostname xn", "finland unknown", "filehashmd5", "indicators hong", "kong", "south korea", "present jun", "present mar", "present may", "olet", "cnr12", "tlsv1", "get updates", "upatre", "added active", "apple", "everest", "josh paul", "upadter", "convagent", "info stealing", "delete service", "phishing", "fraud", "social engineering", "gamer", "hacker", "adversaries", "icloud", "found", "gmt content", "error", "redacted for", "meta http", "content", "gmt server", "france unknown", "poland unknown", "content type", "xml title", "hostname add", "address", "location united", "life", "century link llc", "xfinity", "livesex", "domain add", "users", "show", "delete", "blocked by quad9", "showing", "record value", "location canada", "canada asn", "accept", "cookie", "macbook", "ipv4 add", "america flag", "america asn", "asn as714", "less", "woodynet", "next associated", "status", "exclude sugges", "ip related", "t1027.013" ], "references": [ "https://www.jmtstudios.org/farewell/", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://api.jmtstudios.org/", "bricked.wtf", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "http://www.visitbooker.com/Dropbox-07/index.htm", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "Appears to be closely associated with close relative and initial victim of attack.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party." ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Win.Malware.Convagent-9981433-0", "display_name": "Win.Malware.Convagent-9981433-0", "target": null }, { "id": "Upadter", "display_name": "Upadter", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6996, "FileHash-MD5": 281, "FileHash-SHA1": 220, "FileHash-SHA256": 2673, "domain": 1747, "email": 24, "hostname": 2803, "SSLCertFingerprint": 3 }, "indicator_count": 14747, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689cc89e77327602780be49e", "name": "Remotewd Devices \u2022 Spectrum / Charter Communications & AT&T", "description": "Remotewd Devices expanded \u2022 Spectrum / Charter Communications & AT&T.\nAdvesarial. Polymorphic.", "modified": "2025-09-12T16:05:33.542000", "created": "2025-08-13T17:17:18.456000", "tags": [ "url https", "domain", "types of", "united kingdom", "sweden", "virgin islands", "china", "germany", "date", "status", "ip address", "search", "domain add", "passive dns", "urls", "files", "error sep", "present jul", "address google", "safe browsing", "united", "unknown ns", "moved", "body", "cloudfront x", "hio52 p1", "certificate", "win32", "trojan", "entries", "next associated", "title error", "ipv4", "host gh", "secure path", "httponly cache", "x github", "request id", "accept", "encrypt", "formbook cnc", "checkin", "a domains", "lowfi", "mtb jun", "github pages", "as11427", "us note", "route", "ptr record", "hostname add", "url analysis", "verdict", "general info", "geo mckinney", "texas", "spectrum", "charter communications", "charter collection", "auth", "files ip", "address", "asn as16509", "record value", "germany unknown", "meta", "gmt cache", "sans400", "condensed300", "feel lost", "h1 div", "server", "gmt connection", "keep alive", "pragma", "ipv4 add", "url add", "http", "related nids", "files location", "flag united", "unknown aaaa", "china unknown", "beijing", "unknown soa", "hostname", "present aug", "name servers", "aaaa", "windows nt", "dynamicloader", "generic http", "exe upload", "inbound", "outbound", "host", "medium", "write", "markus", "malware", "files domain", "files related", "related tags", "none google", "showing", "error", "extraction", "se enter", "sc type", "data upload", "failed", "extr data", "ox sunnort", "include review", "exclude data", "iocs", "pdf report", "pcap", "stix", "openloc", "pul data", "move", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "pattern match", "ascii text", "show technique", "null", "refresh", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "class", "adversaries", "defense evasion", "initial access", "msie", "chrome", "gmt content", "main", "virtool", "idran anv", "exti", "concor referen", "running webserver", "review iocs", "suggested iocs", "show", "http traffic", "intel", "ms windows", "pe32", "high", "write c", "explorer", "unknown", "worm", "next", "comman_and_control", "et", "vtapi", "dos", "persistence", "polymorphic", "virus", "device", "script", "style", "endcolorstr", "regexp", "link", "powershell", "form", "push", "active", "remote_access", "general full", "protocol h2", "security tls", "austin", "asn7018", "attinternet4", "reverse dns", "software", "domains", "hashes", "at&t", "injection", "rwx", "hackers", "attack", "cape", "stealth hidden extension", "antivm generic", "cape detected", "threat stealth", "public folder", "deletes", "files anomalous", "disables system", "restore dead", "mail procmem", "yara suricata", "queries user name" ], "references": [ "Remotewd.com research - Devices under command and control. Malicious / adversarial | 3000 + devices in Pulse", "https://hybrid-analysis.com/sample/713944cb1accb541622bf99d55f34876b5ff13d042c6c203bab89632a15b9248/689c0eca8dd0033cbb064d12", "device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com TWC-11427-TEXAS, US \u2022 Spectrum", "Geo\tMcKinney, Texas, United States (US) \u2014 AS \u2022AS11427 - TWC-11427-TEXAS, US", "Note: An IP might be announced by multiple ASs.Spectrum | Charter Communications", "This is not shown. Route \u2022 184.92.0.0/16 (Route of ASN) PTR", "syn-184-092-221-096.res.spectrum.com(PTR record of primary IP) IPv4\t184.92.221.96", "https://urlscan.io/domain/device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com", "truist.palantirfoundry.com \u2022 nissansandbox.palantirfoundry.com", "device-7de2fab7-44a1-494e-8f36-8d135628c33a.remotewd.com 104.190.139.162 AT&T", "Stealth Hiddenreg Cape Detected Threat Stealth Timeout Accesses Public Folder Deletes", "Executed Files Anomalous Deletefile Dropper Disables System Restore Dead Connect", "Infostealer Cookies Infostealer Mail Procmem Yara Suricata Alert Modify Proxy Powershell", "Ransomware File Modifications Exec Crash", "Location Antisandbox Sleep Antidebug Setunhandledexceptionfilter Packer Unknown Pe Section Name Packer Entropy Network Bind Antivm Network Adapters Http Request Infostealer Browser Recon Fingerprint Antivm Checks Available Memory Antivm Generic Bios Reads Self Polymorphic Enumerates Physical Drives Network Http Network Cnc Http Antivm Bochs Keys", "Request Queries Keyboard Layout Antivm Generic Disk Resumethread", "Remote Process Static Pe Anomaly Https Urls Virus Process Creation Suspicious", "Contains Pe Overlay Queries Locale Api Language Check Registry" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "VirTool:Win32/Obfuscator.JM", "display_name": "VirTool:Win32/Obfuscator.JM", "target": "/malware/VirTool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Cycbot-1584", "display_name": "Win.Trojan.Cycbot-1584", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6171, "domain": 1823, "hostname": 3155, "email": 8, "FileHash-SHA256": 950, "FileHash-MD5": 345, "FileHash-SHA1": 317, "CVE": 1, "CIDR": 1, "SSLCertFingerprint": 1 }, "indicator_count": 12772, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "bricked.wtf", "Stealth Hiddenreg Cape Detected Threat Stealth Timeout Accesses Public Folder Deletes", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "Starfield again - HoneyPot / Dod- DoW", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com \u2022\u2019survey-smiles.com", "qlw020.managed-sprint.dynalabs.io (Check)", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "ExternalHosts: US", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "http://www.visitbooker.com/Dropbox-07/index.htm", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "w32.virut.cf \u2022 win32.virut.am \u2022 virut.cf \u2022 http://w32.virut.cf \u2022http://w32.virut.cf/ \u2022 https://w32.virut.cf", "truist.palantirfoundry.com \u2022 nissansandbox.palantirfoundry.com", "Antivirus Detections: Win.Ransomware.Wanna-9769986-0 , Ransom:Win32/WannaCrypt.H", "https://www.jmtstudios.org/farewell/", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "https://urlscan.io/domain/device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com", "DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) Possible ETERNALBLUE Probe MS17-010 (Generic Flags) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic , MS17_010_WanaCry_worm , stack_string More Alerts 25 Alerts suspicious_iocontrol_codes persistence_autorun persistence_autorun_tasks stealth_file suricata_alert antivm_generic_disk anomalous_deletefil", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "Appears to be closely associated with close relative and initial victim of attack.", "https://hybrid-analysis.com/sample/713944cb1accb541622bf99d55f34876b5ff13d042c6c203bab89632a15b9248/689c0eca8dd0033cbb064d12", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "Executed Files Anomalous Deletefile Dropper Disables System Restore Dead Connect", "IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Request Queries Keyboard Layout Antivm Generic Disk Resumethread", "Location Antisandbox Sleep Antidebug Setunhandledexceptionfilter Packer Unknown Pe Section Name Packer Entropy Network Bind Antivm Network Adapters Http Request Infostealer Browser Recon Fingerprint Antivm Checks Available Memory Antivm Generic Bios Reads Self Polymorphic Enumerates Physical Drives Network Http Network Cnc Http Antivm Bochs Keys", "The Scottish Government www.gov.scot The NHS Scotland support", "Infostealer Cookies Infostealer Mail Procmem Yara Suricata Alert Modify Proxy Powershell", "Contains Pe Overlay Queries Locale Api Language Check Registry", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "Remotewd.com research - Devices under command and control. Malicious / adversarial | 3000 + devices in Pulse", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "fazendabetb.live \u2022 bowiesports.com Check first???", "Geo\tMcKinney, Texas, United States (US) \u2014 AS \u2022AS11427 - TWC-11427-TEXAS, US", "syn-184-092-221-096.res.spectrum.com(PTR record of primary IP) IPv4\t184.92.221.96", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "pandacookie2018.xyz", "Ransomware File Modifications Exec Crash", "https://aws.hirecar.net/", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com TWC-11427-TEXAS, US \u2022 Spectrum", "Note: An IP might be announced by multiple ASs.Spectrum | Charter Communications", "Verification failure observed in automated verification handlers during sandbox replay.", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "http://api.jmtstudios.org/", "This is not shown. Route \u2022 184.92.0.0/16 (Route of ASN) PTR", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Remote Process Static Pe Anomaly Https Urls Virus Process Creation Suspicious", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "http://129.2.4.2/32 Lencr", "device-7de2fab7-44a1-494e-8f36-8d135628c33a.remotewd.com 104.190.139.162 AT&T" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO" ], "malware_families": [ "Backdoor:win32/small.ir", "Worm:win32/lightmoon.h", "Ransom:win32/crowti", "Virut", "Upatre", "Autoit", "Trojan:win32/vflooder", "Win.packer", "Win.dropper.vbclone", "Win.ransomware.wanna-9769986-0", "Backdoor:win32/tofsee.", "Upadter", "Win.trojan.cycbot-1584", "Win.malware.convagent-9981433-0", "#lowfi:sigattr:downloadandexecute", "Ransom:win32/wannacrypt.h", "Virtool:win32/injector.gen!bq", "Win.trojan.agent-31853", "Mydoom", "Virtool:win32/obfuscator.jm" ], "industries": [ "Telecommunications", "Government", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in", "Technology", "Legal" ], "unique_indicators": 181538 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/disabled.racing", "whois": "http://whois.domaintools.com/disabled.racing", "domain": "disabled.racing", "hostname": "lil.disabled.racing" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "5 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6953775a0aed71947ca3f90e", "name": "Ransom WannaCrypt- Hackers masquerade as a law firm | Social Engineering |", "description": "Hackers , likely Colorado State employees masquerading as legal, entities, social\nengineering, financial exchanges involved. Fraud. Dangerous enterprise. Found in an \u2018alleged \u2018 Plaintiff Law Firms malicious link discovered in old print out, also seen in earlier pulse. [OTX generated description: Adversaries may be able to evade detection and network filtering by blending in with existing traffic, as well as using web protocols, in order to avoid detection/network filtering. and other measures.]", "modified": "2026-01-29T06:09:08.504000", "created": "2025-12-30T06:55:22.105000", "tags": [ "united", "urls", "moved", "files", "ip address", "gmt content", "x adblock", "encrypt", "backdoor", "bq dec", "virtool", "ipv4 add", "ascii text", "pattern match", "ck id", "mitre att", "meta", "general", "local", "path", "click", "strings", "unknown", "simplified", "etpro trojan", "possible virut", "dga nxdomain", "responses", "virus", "medium", "virustotal", "vipre", "baidu", "vitro", "drweb", "mcafee", "panda", "malware", "write", "dynamicloader", "msie", "windows nt", "slcc2", "media center", "yara rule", "simda", "internal", "learn", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "discovery att", "ck matrix", "network traffic", "t1071", "t1057", "hybrid", "yara detections", "composite", "av detections", "ids detections", "alerts", "analysis date", "file score", "none related", "passive dns", "hosting", "reverse dns", "location united", "title", "ences s", "data upload", "extraction", "status", "hostname add", "url analysis", "push", "present sep", "present may", "present jul", "present jan", "win32small dec", "ransom", "write c", "show", "search", "high", "et exploit", "probe ms17010", "eternal blue", "englewood colorado", "wannacry", "wannacrypt", "ransom", "wanna" ], "references": [ "https://aws.hirecar.net/", "w32.virut.cf \u2022 win32.virut.am \u2022 virut.cf \u2022 http://w32.virut.cf \u2022http://w32.virut.cf/ \u2022 https://w32.virut.cf", "pandacookie2018.xyz", "Antivirus Detections: Win.Ransomware.Wanna-9769986-0 , Ransom:Win32/WannaCrypt.H", "IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS", "DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) Possible ETERNALBLUE Probe MS17-010 (Generic Flags) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic , MS17_010_WanaCry_worm , stack_string More Alerts 25 Alerts suspicious_iocontrol_codes persistence_autorun persistence_autorun_tasks stealth_file suricata_alert antivm_generic_disk anomalous_deletefil", "Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com \u2022\u2019survey-smiles.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor:Win32/Small.IR", "display_name": "Backdoor:Win32/Small.IR", "target": "/malware/Backdoor:Win32/Small.IR" }, { "id": "Win.Trojan.Agent-31853", "display_name": "Win.Trojan.Agent-31853", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Win.Ransomware.Wanna-9769986-0", "display_name": "Win.Ransomware.Wanna-9769986-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Virtool:Win32/Injector.gen!BQ", "display_name": "Virtool:Win32/Injector.gen!BQ", "target": "/malware/Virtool:Win32/Injector.gen!BQ" } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Government", "Technology", "Legal" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8605, "domain": 1228, "email": 2, "hostname": 1981, "FileHash-SHA256": 1617, "FileHash-SHA1": 184, "FileHash-MD5": 206, "SSLCertFingerprint": 2 }, "indicator_count": 13825, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "80 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fbc84609098d17c316f23c", "name": "NSO - Multiple crimes", "description": "Multiple crimes including illegal gambling, loan sharking, cybercrimes , content reputation , instructions. Starfield seen again. Team 8 has seen Starfield in more than 300 pulses. Now it\u2019s gone. Check your devices for innocent looking searches you\u2019ve never searched. Browser extensions found on 3 targeted devices with an adversary with full CnC armed with a deletion and disk wipe service. Local - Denver. \n\nAlso, very concerning is specific Airline to be attacked revealed. It cant be researched without bringing down a flight or messing up air command & control. DJT has already made travel a risky feat by being influenced to fire the (NOAA) & (DOT). Its manipulation. PP Mafia bros. \n\nDoes anyone have any power? Contact someone. We did have a mystery plane incident in Denver after I first reported. Just space junk , ya know the usual. I am serious about preventing crime. I need some help!", "modified": "2025-11-23T17:00:58.297000", "created": "2025-10-24T18:41:10.936000", "tags": [ "type indicator", "added active", "related pulses", "script urls", "united", "unknown ns", "a domains", "ip address", "meta", "asn as13335", "msie", "chrome", "ransom", "trojan", "passive dns", "backdoor", "http request", "twitter", "win32/crix.c check-in", "gmt content", "ipv4", "urls", "files", "data upload", "extraction", "domain add", "e emeseieee", "dynamicloader", "e eue", "eweienedeoewese", "windows nt", "wow64", "slcc2", "media center", "edeeefeaeuelete", "unknown", "write", "bits", "malware", "xserver", "encrypt", "unknown aaaa", "moved", "cloudfront x", "hio52 p1", "name servers", "accept encoding", "emails", "servers", "extr", "u a640", "a69f u", "fe2e fe2f", "u a720", "a7ff", "u feff", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "null", "body", "pizza", "friday", "hybrid", "general", "local", "path", "starfield", "iframe", "click", "strings", "core", "bet", "gambling", "record value", "date", "present sep", "present apr", "colombia", "present jun", "present nov", "cookie", "present oct", "entries", "next associated", "error", "attack", "government", "scotland", "news", "covid19", "subscribe", "october", "crown copyright", "nhs scotland", "parliament", "coronavirus", "redacted for", "domain status", "server", "privacy tech", "privacy admin", "email", "country", "postal code", "stateprovince", "code", "host name", "rdap database", "handle", "iana registrar", "entity roles", "links", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "medium", "write c", "search", "pe file", "high", "checks", "http", "delete", "copy", "guard", "mozilla", "next", "godaddy", "creation date", "hostname", "pulse submit", "url analysis", "domain", "files ip", "trojandropper", "mtb oct", "mtb may", "refloadapihash", "foundry", "fastly", "value a", "com laude", "ltd dba", "nomiq", "limited dba", "pulse", "location united", "asn asnone", "nameservers" ], "references": [ "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "fazendabetb.live \u2022 bowiesports.com Check first???", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "The Scottish Government www.gov.scot The NHS Scotland support", "http://129.2.4.2/32 Lencr", "qlw020.managed-sprint.dynalabs.io (Check)", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "ExternalHosts: US", "Starfield again - HoneyPot / Dod- DoW", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Germany", "Bulgaria", "Singapore", "Denmark", "Australia", "Jersey", "Japan", "Canada" ], "malware_families": [ { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Autoit", "display_name": "Autoit", "target": null }, { "id": "Ransom:Win32/Crowti", "display_name": "Ransom:Win32/Crowti", "target": "/malware/Ransom:Win32/Crowti" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#Lowfi:SIGATTR:DownloadAndExecute", "display_name": "#Lowfi:SIGATTR:DownloadAndExecute", "target": null }, { "id": "Win.Dropper.Vbclone", "display_name": "Win.Dropper.Vbclone", "target": null }, { "id": "Win.Packer", "display_name": "Win.Packer", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6261, "domain": 1806, "hostname": 2427, "FileHash-MD5": 384, "FileHash-SHA1": 381, "email": 13, "FileHash-SHA256": 1418, "SSLCertFingerprint": 14 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fc18514965ccd3b55c216d", "name": "Dorv \u2022 Obfuscator - Affecting DropBox", "description": "", "modified": "2025-11-23T17:00:58.297000", "created": "2025-10-25T00:22:41.686000", "tags": [ "type indicator", "added active", "related pulses", "script urls", "united", "unknown ns", "a domains", "ip address", "meta", "asn as13335", "msie", "chrome", "ransom", "trojan", "passive dns", "backdoor", "http request", "twitter", "win32/crix.c check-in", "gmt content", "ipv4", "urls", "files", "data upload", "extraction", "domain add", "e emeseieee", "dynamicloader", "e eue", "eweienedeoewese", "windows nt", "wow64", "slcc2", "media center", "edeeefeaeuelete", "unknown", "write", "bits", "malware", "xserver", "encrypt", "unknown aaaa", "moved", "cloudfront x", "hio52 p1", "name servers", "accept encoding", "emails", "servers", "extr", "u a640", "a69f u", "fe2e fe2f", "u a720", "a7ff", "u feff", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "null", "body", "pizza", "friday", "hybrid", "general", "local", "path", "starfield", "iframe", "click", "strings", "core", "bet", "gambling", "record value", "date", "present sep", "present apr", "colombia", "present jun", "present nov", "cookie", "present oct", "entries", "next associated", "error", "attack", "government", "scotland", "news", "covid19", "subscribe", "october", "crown copyright", "nhs scotland", "parliament", "coronavirus", "redacted for", "domain status", "server", "privacy tech", "privacy admin", "email", "country", "postal code", "stateprovince", "code", "host name", "rdap database", "handle", "iana registrar", "entity roles", "links", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "medium", "write c", "search", "pe file", "high", "checks", "http", "delete", "copy", "guard", "mozilla", "next", "godaddy", "creation date", "hostname", "pulse submit", "url analysis", "domain", "files ip", "trojandropper", "mtb oct", "mtb may", "refloadapihash", "foundry", "fastly", "value a", "com laude", "ltd dba", "nomiq", "limited dba", "pulse", "location united", "asn asnone", "nameservers" ], "references": [ "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "fazendabetb.live \u2022 bowiesports.com Check first???", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "The Scottish Government www.gov.scot The NHS Scotland support", "http://129.2.4.2/32 Lencr", "qlw020.managed-sprint.dynalabs.io (Check)", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "ExternalHosts: US", "Starfield again - HoneyPot / Dod- DoW", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Germany", "Bulgaria", "Singapore", "Denmark", "Australia", "Jersey", "Japan", "Canada" ], "malware_families": [ { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Autoit", "display_name": "Autoit", "target": null }, { "id": "Ransom:Win32/Crowti", "display_name": "Ransom:Win32/Crowti", "target": "/malware/Ransom:Win32/Crowti" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#Lowfi:SIGATTR:DownloadAndExecute", "display_name": "#Lowfi:SIGATTR:DownloadAndExecute", "target": null }, { "id": "Win.Dropper.Vbclone", "display_name": "Win.Dropper.Vbclone", "target": null }, { "id": "Win.Packer", "display_name": "Win.Packer", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "68fbc84609098d17c316f23c", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6261, "domain": 1806, "hostname": 2427, "FileHash-MD5": 384, "FileHash-SHA1": 381, "email": 13, "FileHash-SHA256": 1418, "SSLCertFingerprint": 14 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ee5e9f8cfc5fbc73142660", "name": "Gaming Studios - YouTube - MyDoom", "description": "", "modified": "2025-11-13T12:05:32.283000", "created": "2025-10-14T14:30:55.471000", "tags": [ "no expiration", "url https", "url http", "iocs", "ipv4", "enter source", "indicator role", "title added", "active related", "united", "present jul", "unknown ns", "search", "for privacy", "moved", "ip address", "encrypt", "a domains", "script urls", "meta", "pragma", "general full", "reverse dns", "software", "resource", "security tls", "piscataway", "asn20473", "asn15169", "google", "asvultr", "portfolio", "josh theriault", "upei", "university", "island", "roblox", "jmt studios", "moon engine", "android", "icpc", "north america", "qualifier", "hello", "apache", "runner", "eric everest", "games", "cloudflar", "amazon02", "as autonomous", "system", "canada", "value", "domainpath name", "cgjerrieegaggq", "name value", "form", "game development", "blog", "jmt99", "developer", "event", "bullseye", "trick or treat", "unofficial trick or treat 2014", "unofficial trick or treat 2015", "egg hunt", "gift hunt", "hallows quest", "studio", "experience", "fall", "january", "july", "founder", "studio head", "passive dns", "urls", "registrar", "title", "roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"", "press copyright", "contact", "privacy policy", "safety how", "youtube", "test", "nfl sunday", "ticket", "google llc", "data upload", "extraction", "failed", "files", "twitter", "variables", "cgjjtbieggagla", "nid value", "expiration date", "files ip", "dynamicloader", "write c", "delete c", "intel", "ms windows", "medium", "default", "write", "guard", "mozilla", "malware", "defender", "unknown", "domains", "hashes", "url analysis", "unknown aaaa", "script domains", "certificate", "game", "servers", "unofficial", "settings", "public", "endpoints", "currently", "game servers", "current", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "role title", "related pulses", "domain v", "url indicator", "nameilname", "ascii text", "mitre att", "ck id", "ck matrix", "hybrid", "general", "local", "path", "click", "strings", "pe file", "high", "yara detections", "dynamic", "v hostname", "se fos", "include v", "domain url", "data", "alltypes", "win32mydoom oct", "trojan", "url add", "http", "related nids", "files location", "canada flag", "canada hostname", "canada unknown", "canada", "present aug", "name servers", "present sep", "aaaa", "present oct", "crlf line", "unicode text", "music", "suspicious", "bricked.wtf", "flag united", "google safe", "domain", "address domain", "united states", "filehashsha256", "hostname xn", "finland unknown", "filehashmd5", "indicators hong", "kong", "south korea", "present jun", "present mar", "present may", "olet", "cnr12", "tlsv1", "get updates", "upatre", "added active", "apple", "everest", "josh paul", "upadter", "convagent", "info stealing", "delete service", "phishing", "fraud", "social engineering", "gamer", "hacker", "adversaries", "icloud", "found", "gmt content", "error", "redacted for", "meta http", "content", "gmt server", "france unknown", "poland unknown", "content type", "xml title", "hostname add", "address", "location united", "life", "century link llc", "xfinity", "livesex", "domain add", "users", "show", "delete", "blocked by quad9", "showing", "record value", "location canada", "canada asn", "accept", "cookie", "macbook", "ipv4 add", "america flag", "america asn", "asn as714", "less", "woodynet", "next associated", "status", "exclude sugges", "ip related", "t1027.013" ], "references": [ "https://www.jmtstudios.org/farewell/", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://api.jmtstudios.org/", "bricked.wtf", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "http://www.visitbooker.com/Dropbox-07/index.htm", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "Appears to be closely associated with close relative and initial victim of attack.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party." ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Win.Malware.Convagent-9981433-0", "display_name": "Win.Malware.Convagent-9981433-0", "target": null }, { "id": "Upadter", "display_name": "Upadter", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6996, "FileHash-MD5": 281, "FileHash-SHA1": 220, "FileHash-SHA256": 2673, "domain": 1747, "email": 24, "hostname": 2803, "SSLCertFingerprint": 3 }, "indicator_count": 14747, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ee5ea4d51d4a1cabdb4ee9", "name": "Gaming Studios - YouTube - MyDoom", "description": "", "modified": "2025-11-13T12:05:32.283000", "created": "2025-10-14T14:31:00.172000", "tags": [ "no expiration", "url https", "url http", "iocs", "ipv4", "enter source", "indicator role", "title added", "active related", "united", "present jul", "unknown ns", "search", "for privacy", "moved", "ip address", "encrypt", "a domains", "script urls", "meta", "pragma", "general full", "reverse dns", "software", "resource", "security tls", "piscataway", "asn20473", "asn15169", "google", "asvultr", "portfolio", "josh theriault", "upei", "university", "island", "roblox", "jmt studios", "moon engine", "android", "icpc", "north america", "qualifier", "hello", "apache", "runner", "eric everest", "games", "cloudflar", "amazon02", "as autonomous", "system", "canada", "value", "domainpath name", "cgjerrieegaggq", "name value", "form", "game development", "blog", "jmt99", "developer", "event", "bullseye", "trick or treat", "unofficial trick or treat 2014", "unofficial trick or treat 2015", "egg hunt", "gift hunt", "hallows quest", "studio", "experience", "fall", "january", "july", "founder", "studio head", "passive dns", "urls", "registrar", "title", "roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"", "press copyright", "contact", "privacy policy", "safety how", "youtube", "test", "nfl sunday", "ticket", "google llc", "data upload", "extraction", "failed", "files", "twitter", "variables", "cgjjtbieggagla", "nid value", "expiration date", "files ip", "dynamicloader", "write c", "delete c", "intel", "ms windows", "medium", "default", "write", "guard", "mozilla", "malware", "defender", "unknown", "domains", "hashes", "url analysis", "unknown aaaa", "script domains", "certificate", "game", "servers", "unofficial", "settings", "public", "endpoints", "currently", "game servers", "current", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "role title", "related pulses", "domain v", "url indicator", "nameilname", "ascii text", "mitre att", "ck id", "ck matrix", "hybrid", "general", "local", "path", "click", "strings", "pe file", "high", "yara detections", "dynamic", "v hostname", "se fos", "include v", "domain url", "data", "alltypes", "win32mydoom oct", "trojan", "url add", "http", "related nids", "files location", "canada flag", "canada hostname", "canada unknown", "canada", "present aug", "name servers", "present sep", "aaaa", "present oct", "crlf line", "unicode text", "music", "suspicious", "bricked.wtf", "flag united", "google safe", "domain", "address domain", "united states", "filehashsha256", "hostname xn", "finland unknown", "filehashmd5", "indicators hong", "kong", "south korea", "present jun", "present mar", "present may", "olet", "cnr12", "tlsv1", "get updates", "upatre", "added active", "apple", "everest", "josh paul", "upadter", "convagent", "info stealing", "delete service", "phishing", "fraud", "social engineering", "gamer", "hacker", "adversaries", "icloud", "found", "gmt content", "error", "redacted for", "meta http", "content", "gmt server", "france unknown", "poland unknown", "content type", "xml title", "hostname add", "address", "location united", "life", "century link llc", "xfinity", "livesex", "domain add", "users", "show", "delete", "blocked by quad9", "showing", "record value", "location canada", "canada asn", "accept", "cookie", "macbook", "ipv4 add", "america flag", "america asn", "asn as714", "less", "woodynet", "next associated", "status", "exclude sugges", "ip related", "t1027.013" ], "references": [ "https://www.jmtstudios.org/farewell/", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://api.jmtstudios.org/", "bricked.wtf", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "http://www.visitbooker.com/Dropbox-07/index.htm", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "Appears to be closely associated with close relative and initial victim of attack.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party." ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Win.Malware.Convagent-9981433-0", "display_name": "Win.Malware.Convagent-9981433-0", "target": null }, { "id": "Upadter", "display_name": "Upadter", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6996, "FileHash-MD5": 281, "FileHash-SHA1": 220, "FileHash-SHA256": 2673, "domain": 1747, "email": 24, "hostname": 2803, "SSLCertFingerprint": 3 }, "indicator_count": 14747, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689cc89e77327602780be49e", "name": "Remotewd Devices \u2022 Spectrum / Charter Communications & AT&T", "description": "Remotewd Devices expanded \u2022 Spectrum / Charter Communications & AT&T.\nAdvesarial. Polymorphic.", "modified": "2025-09-12T16:05:33.542000", "created": "2025-08-13T17:17:18.456000", "tags": [ "url https", "domain", "types of", "united kingdom", "sweden", "virgin islands", "china", "germany", "date", "status", "ip address", "search", "domain add", "passive dns", "urls", "files", "error sep", "present jul", "address google", "safe browsing", "united", "unknown ns", "moved", "body", "cloudfront x", "hio52 p1", "certificate", "win32", "trojan", "entries", "next associated", "title error", "ipv4", "host gh", "secure path", "httponly cache", "x github", "request id", "accept", "encrypt", "formbook cnc", "checkin", "a domains", "lowfi", "mtb jun", "github pages", "as11427", "us note", "route", "ptr record", "hostname add", "url analysis", "verdict", "general info", "geo mckinney", "texas", "spectrum", "charter communications", "charter collection", "auth", "files ip", "address", "asn as16509", "record value", "germany unknown", "meta", "gmt cache", "sans400", "condensed300", "feel lost", "h1 div", "server", "gmt connection", "keep alive", "pragma", "ipv4 add", "url add", "http", "related nids", "files location", "flag united", "unknown aaaa", "china unknown", "beijing", "unknown soa", "hostname", "present aug", "name servers", "aaaa", "windows nt", "dynamicloader", "generic http", "exe upload", "inbound", "outbound", "host", "medium", "write", "markus", "malware", "files domain", "files related", "related tags", "none google", "showing", "error", "extraction", "se enter", "sc type", "data upload", "failed", "extr data", "ox sunnort", "include review", "exclude data", "iocs", "pdf report", "pcap", "stix", "openloc", "pul data", "move", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "pattern match", "ascii text", "show technique", "null", "refresh", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "class", "adversaries", "defense evasion", "initial access", "msie", "chrome", "gmt content", "main", "virtool", "idran anv", "exti", "concor referen", "running webserver", "review iocs", "suggested iocs", "show", "http traffic", "intel", "ms windows", "pe32", "high", "write c", "explorer", "unknown", "worm", "next", "comman_and_control", "et", "vtapi", "dos", "persistence", "polymorphic", "virus", "device", "script", "style", "endcolorstr", "regexp", "link", "powershell", "form", "push", "active", "remote_access", "general full", "protocol h2", "security tls", "austin", "asn7018", "attinternet4", "reverse dns", "software", "domains", "hashes", "at&t", "injection", "rwx", "hackers", "attack", "cape", "stealth hidden extension", "antivm generic", "cape detected", "threat stealth", "public folder", "deletes", "files anomalous", "disables system", "restore dead", "mail procmem", "yara suricata", "queries user name" ], "references": [ "Remotewd.com research - Devices under command and control. Malicious / adversarial | 3000 + devices in Pulse", "https://hybrid-analysis.com/sample/713944cb1accb541622bf99d55f34876b5ff13d042c6c203bab89632a15b9248/689c0eca8dd0033cbb064d12", "device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com TWC-11427-TEXAS, US \u2022 Spectrum", "Geo\tMcKinney, Texas, United States (US) \u2014 AS \u2022AS11427 - TWC-11427-TEXAS, US", "Note: An IP might be announced by multiple ASs.Spectrum | Charter Communications", "This is not shown. Route \u2022 184.92.0.0/16 (Route of ASN) PTR", "syn-184-092-221-096.res.spectrum.com(PTR record of primary IP) IPv4\t184.92.221.96", "https://urlscan.io/domain/device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com", "truist.palantirfoundry.com \u2022 nissansandbox.palantirfoundry.com", "device-7de2fab7-44a1-494e-8f36-8d135628c33a.remotewd.com 104.190.139.162 AT&T", "Stealth Hiddenreg Cape Detected Threat Stealth Timeout Accesses Public Folder Deletes", "Executed Files Anomalous Deletefile Dropper Disables System Restore Dead Connect", "Infostealer Cookies Infostealer Mail Procmem Yara Suricata Alert Modify Proxy Powershell", "Ransomware File Modifications Exec Crash", "Location Antisandbox Sleep Antidebug Setunhandledexceptionfilter Packer Unknown Pe Section Name Packer Entropy Network Bind Antivm Network Adapters Http Request Infostealer Browser Recon Fingerprint Antivm Checks Available Memory Antivm Generic Bios Reads Self Polymorphic Enumerates Physical Drives Network Http Network Cnc Http Antivm Bochs Keys", "Request Queries Keyboard Layout Antivm Generic Disk Resumethread", "Remote Process Static Pe Anomaly Https Urls Virus Process Creation Suspicious", "Contains Pe Overlay Queries Locale Api Language Check Registry" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "VirTool:Win32/Obfuscator.JM", "display_name": "VirTool:Win32/Obfuscator.JM", "target": "/malware/VirTool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Cycbot-1584", "display_name": "Win.Trojan.Cycbot-1584", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6171, "domain": 1823, "hostname": 3155, "email": 8, "FileHash-SHA256": 950, "FileHash-MD5": 345, "FileHash-SHA1": 317, "CVE": 1, "CIDR": 1, "SSLCertFingerprint": 1 }, "indicator_count": 12772, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://lil.disabled.racing/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://lil.disabled.racing/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776607018.6654375 }