{ "type": "URL", "indicator": "https://live.com.bscedge.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://live.com.bscedge.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4109459492, "indicator": "https://live.com.bscedge.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 25, "pulses": [ { "id": "69aa0a62f94a92b5168405c2", "name": "fedpaypal clone Q vashti", "description": "", "modified": "2026-03-06T06:39:27.872000", "created": "2026-03-05T22:57:38.559000", "tags": [ "present sep", "virtool", "cryp", "win32", "ip address", "trojan", "ransom", "asn as54113", "passive dns", "msil", "united states", "dynamicloader", "qaeaav12", "high", "qbeipbdii", "write", "paypal", "medium", "search", "vmware", "floodfix", "malware", "united", "mtb apr", "hostname add", "write c", "read c", "yara detections", "upxoepplace", "next", "markus", "april", "ping", "meta http", "content", "gmt server", "th th", "443 ma2592000", "ipv4 add", "url analysis", "urls", "body", "title", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "status", "name servers", "set cookie", "script urls", "present feb", "cookie", "template", "present oct", "present jul", "present dec", "present jun", "next associated", "urls show", "date checked", "present apr", "url hostname", "united kingdom", "unknown ns", "servers", "great britain", "msr aug", "msr apr", "msr nov", "ite o", "server response", "script script", "files show", "date hash", "avast avg", "creation date", "lcid1033", "sminnotek", "spnvirtualbox", "bvvirtualbox", "present mar", "present nov", "exploit", "error", "server response", "google safe", "results sep", "backdoor", "certificate", "mtb sep", "next http", "scans show", "present may", "results jun", "results jan", "worm", "echo request", "sweep", "payload hello", "world", "ids detections", "cape", "viking", "philis", "et", "torop", "des moines", "contacted hosts", "content reputation", "sabey type", "tulach type", "rexx type", "foundry type", "fred scherr", "twitter", "apple", "monitored target", "financial theft", "psalms 27: 1 - 14" ], "references": [ "fed.paypal.com [redirect for monitored target \u2022 1st documented 2020- still active]", "nr-data.net \u2022 init.ess.apple.com\t\u2022 apple-id-ifind.com \u2022 https://apple-id-ifind.com/\t\u2022 apple-lostandfound.com", "https://www.speakup.it/magazines/places/new-york-city-on-a-budget-big-apple-little-money_2368", "https://login.apple-mac.banugoker.com/cgi-sys/defaultwebpage.cgi \u2022 lsupport-apple.com", "login.apple-mac.banugoker.com \u2022 www.apple-mac.banugoker.com \u2022 http://apple-mac.banugoker.com/", "https://apple-mac.banugoker.com/ \u2022 https://login.apple-mac.banugoker.com/", "http://45.159.189.105/bot/regex \u2022 https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com \u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.\u2022 com/ \u2022 https://www.csrc.gov.cn.lxcvc.com/", "https://lk-prod-webcol.laika.com.co/category/bog/cat/farmacia/collares-isabelinos/todos/todo-para-mascota/1", "https://twitter.com/PORNO_SEXYBABES \u2022 https://megapornfreehd.com/2025/04/360", "https://57d5.zhanyu66.com/com.slamyugllp.strangerrun.xc.apk/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "Win.Trojan.Fraudpack", "display_name": "Win.Trojan.Fraudpack", "target": null }, { "id": "Fakeav", "display_name": "Fakeav", "target": null }, { "id": "Ransom:MSIL/Genasom.I", "display_name": "Ransom:MSIL/Genasom.I", "target": "/malware/Ransom:MSIL/Genasom.I" }, { "id": "Virtool:Win32/Obfuscator.KI", "display_name": "Virtool:Win32/Obfuscator.KI", "target": "/malware/Virtool:Win32/Obfuscator.KI" }, { "id": "Toga!rfn", "display_name": "Toga!rfn", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Remoteadmin-7056666-0", "display_name": "Win.Malware.Remoteadmin-7056666-0", "target": null }, { "id": "Floxif", "display_name": "Floxif", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Dropper.Unruy-9994363-0", "display_name": "Win.Dropper.Unruy-9994363-0", "target": null }, { "id": "Win.Trojan.Cycler-47", "display_name": "Win.Trojan.Cycler-47", "target": null }, { "id": "Win.Trojan.Clicker-3506", "display_name": "Win.Trojan.Clicker-3506", "target": null }, { "id": "Win.Downloader.Unruy-10026469-0", "display_name": "Win.Downloader.Unruy-10026469-0", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Urelas", "display_name": "Win.Malware.Urelas", "target": null }, { "id": "Win.Malware.Zusy", "display_name": "Win.Malware.Zusy", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "target": null }, { "id": "Win.Malware.Eclz-9953021-0", "display_name": "Win.Malware.Eclz-9953021-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "display_name": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "target": null }, { "id": "Win.Dropper.Tiggre-9845940-0", "display_name": "Win.Dropper.Tiggre-9845940-0", "target": null }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Win.Malware.Sfwx-9853337-0", "display_name": "Win.Malware.Sfwx-9853337-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Trojan:Win32/Kaicorn!rf", "display_name": "Trojan:Win32/Kaicorn!rf", "target": "/malware/Trojan:Win32/Kaicorn!rf" }, { "id": "Win32:Banker", "display_name": "Win32:Banker", "target": null }, { "id": "Worm:Win32/Cambot!rfn", "display_name": "Worm:Win32/Cambot!rfn", "target": "/malware/Worm:Win32/Cambot!rfn" }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "68c5743593a4bcc81dd94b0b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1323, "URL": 4360, "FileHash-MD5": 759, "FileHash-SHA1": 748, "FileHash-SHA256": 5148, "domain": 1076, "email": 7 }, "indicator_count": 13421, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80c6bcd3fff3a4f126a68", "name": "Sventore \u2022 Agent Tesla Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information ", "description": "", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T22:42:51.657000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "68f7ced2cf17d264b49628bc", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7ced2cf17d264b49628bc", "name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information", "description": "Multiple malware\u2019s targeting Dropbox & Ebay accounts. Referenced in earlier pukses. Further investigation shows link found in apps on multiple Apple devices. Afraid. Org still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuses in f the Palantir , Gotham , Foundry products being abused by law firms and Private Investigators.\nIt is very destructive, causing loss, these firms are literally stealing and making money with other people\u2019s intellectual property and tough luck on the actual inventor, artist, writer because they even steal , cancel your insurance or back accounts leaving you unable to make a claim. \n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians , family ,businesses, stalking tracking known location.", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T18:20:02.120000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cf2c43f6493c55c8d08bf9", "name": "Executed \u2022 Installend RMS Module | .exe RMS.exe", "description": "Recap: Executed in Denver, Co.USA. Attacked a Newly purchased iPhone. Multi person attempt . Attacker executed via watch. . Related to Trump campaign Palantir text linked in references. \n\nCyberInt states that Remote Manipulator System (RMS) is a legitimate tool developed by Russian organization TektonIT and has been observed in campaigns conducted by TA505 as well as numerous smaller campaigns likely attributable to other, disparate, threat actors. In addition to the availability of commercial licenses, the tool is free for non-commercial use and supports the remote administration of both Microsoft Windows and Android devices.\nCreation Date\n2023-05-01 00:28:45\nLast Modification Date\n2025-09-13 22:34:36\n- by CarlosCabal (VirusTotal)\n\nInteresting. Being used in America.", "modified": "2025-10-20T21:03:08.498000", "created": "2025-09-20T22:35:47.459000", "tags": [ "lowfi", "tektonit yara", "pulses otx", "pexe", "pe32", "intel", "vendor finding", "ms defender", "number", "install", "installend", "igor", "pavlov", "remote access tool", "dynamicloader", "medium", "dynamic", "ip address", "domain", "file name", "reads", "windows", "checks", "pehash external", "rms", "rms module", "private build", "watch", "msie", "windows nt", "wow64", "slcc2", "media center", "port", "destination", "search", "united", "read c", "write", "persistence", "execution", "malware", "push", "copy", "next", "autorun", "unknown", "skykit", "companyname", "insta", "dod", "udp a83f8110", "encoding", "e1203 windows", "file attributes", "catalog tree", "analysis ob0001", "analysis ob0002", "f0002 polling", "control ob0004", "access ob0005", "defense evasion", "extraction", "data upload", "failed", "related tru", "unit data", "included review", "iocs", "suggestedloes", "find su", "type o", "extr", "references try", "cat antivirus", "com tektonit", "original f", "match info", "adversaries", "match unknown", "30000s", "info", "info checks", "taskjob t1053", "execution flow", "t1574 dll", "window", "tulach", "yara", "hallrender", "apple", "ios", "114.114.114.114", "targeted", "monitoring", "brian sabey & co", "tsara brashears target", "angry quasi", "pp mafia", "dangerous", "redrum", "nemtih" ], "references": [ "Try LogMeIn Resolve For Free \u2014 Powerful tools for device management and remote software installs from LogMeInResolve.", "Installed on Tsara Brashears phone in a drive up incident in October 2024", "Yara: CATEGORY _7_Zip_Installer ;!@Install@! ;!@InstallEnd@! 7z Igor,Pavlov", "Antivirus Detections: Yara.Trojan.Remoteadmin-151 (29:30 BST) - a full list of key details:-1-2-3-4.", "EXE:CompanyName \u2022 TektonIT EXE:EntryPoint:0x121cf \u2022 EXE:FileDescription RMS Component", "TektonIT RMS Component \u2022 6.0 Internal Name \u2022 LegalCopyright\u00a9 2014 TektonIT.", "Original Filename: RMS Module PrivateBuild \u2022 ProductName \u2022 RMS ProductVersion 6.0", "Worn as Watch \u2022 Highlighter yellow & green Large Font. Looks like a toy. Clearly a weapon", "Non white or African American , black haired Middle Eastern 55+ male in non discreet Car", "Vehicle described as Midnight blue , attempted to hit target at a high rate of speed when target left", "parking spot on possibly Logan, male tried to clip target at Logan & 18th. No plates", "Same target l followed and observed at Metro T-mobile on Evans & Federal in Denver", "Described as an Opaque white skinned , non Caucasian bald male. Clearly Persian or Israeli (other) Russian?", "He watched a \u2018target\u2019 while buying least expensive product available. Shirt with US Flag distraction", "Target no longer able to provide info. Paper tags over real Co#LP on car dark colored car.", "Attempted, overt side swipe of family member of target in City Park , by W/M w/US Army tags", "Not surprisingly driving a Ford F 150 | Very disturbing incidents continue. Goal clear. Hired to K****", "Alerts: recon_fingerprint antisandbox_sleep dynamic_function_loading encrypted_ioc", "Alerts: resumethread_remote_process reads_self stealth_window uses_windows_utilities", "Alerts: antivm_checks_available_memory queries_keyboard_layout", "Alerts: stealth_timeout dll_load_uncommon_file_types antidebug_setunhandledexceptionfilter", "Alerts: network_icmp modifies_certificates injection_resumethread dumped_buffer", "Alerts: network_cnc_http network_http creates_exe uses_windows_utilities", "Alerts: allocates_rwx antisandbox_foregroundwindows", "Related Trump pulse: https://otx.alienvault.com/pulse/68c954a80675ccc89b0e9b63", "6.0.0.0 Deep Impact: +Tsara Brashears , +callmeDoris , +Merkd1904 , +scnrscnr, likely dorkingbeauty", "6.0.0.0 United States AS749 DOD network information center \u2022 Historical telemetry", "Don\u2019t ask questions. Just terrorize. destroy equipment paid for by US citizens. What\u2019s yours is theirs.", "IDS: MALWARE-CNC Win.Trojan.Rfusclient outbound connection", "IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "IDS: PROTOCOL-ICMP PING Windows PROTOCOL-ICMP PING PROTOCOL-ICMP Echo Reply", "IDS: PUA-OTHER RMS rmansys remote management tool cnc communication", "IDS: Unique rule identifier: This rule belongs to a private collection", "Signa: Matches rule Msiexec Quiet Installation by frack113", "Sigma: Matches rule Remote Access Tool Services Have Been Installed - Security by Connor Martin, Nasreddine Bencherchali (Nextron Systems)", "Sigma: Matches rule Compression Utility Passed Uncommon Directory (via cmdline) by SOC Prime Team", "Capabilities: Collection Get geographical location \u2022 Log keystrokes via polling", "Capabilities: Anti-Analysis Self delete \u2022 Inspect load icon resource", "Capabilities: Targeting Identify system language via API", "Capabilities: Data-Manipulation Encode data using XOR Hash data with CRC32", "Capabilities: Persistence Create shortcut via IShellLink Communication \u2022 Write and execute a file", "Malware packed. Haven\u2019t sorted all.", "Continued stalking \u2022 I am of course also being targeted w/ attempts requiring surgery.", "Very dangerous. Has been going on for 12+ years affecting everyone who knew target.", "Machiavellians have already built a new world with a world. Some fear the Apocalypse they created.", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/mc/challenge/brw/do/210/dd14d159", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/210/d5caee55-c7ae-4b3a-8be7-b65fa5f885c9", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/210/d5caee55-c7ae-4b3a-8be7-b65fa5f885c9", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/220/6b180faa-7ce7-4e26-a3b0-aa241497c70f", "The attackers are all different races, Caucasian, African American, Asian, Indian, Persian, Ethiopian, and ambiguous", "I\u2019d like to make an appeal. Please stop. Your original target has gone away." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#Lowfi:HSTR:MonitoringTool:TektonIt", "display_name": "#Lowfi:HSTR:MonitoringTool:TektonIt", "target": null }, { "id": "Win.Trojan.Remoteadmin-151", "display_name": "Win.Trojan.Remoteadmin-151", "target": null }, { "id": "Win.Trojan.Rfusclient", "display_name": "Win.Trojan.Rfusclient", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "TrojanDownloader:HTML/Adodb.gen!A", "display_name": "TrojanDownloader:HTML/Adodb.gen!A", "target": "/malware/TrojanDownloader:HTML/Adodb.gen!A" } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 479, "FileHash-SHA1": 436, "FileHash-SHA256": 2102, "URL": 659, "domain": 162, "hostname": 305, "SSLCertFingerprint": 1, "email": 6 }, "indicator_count": 4150, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c59a023815f66367c6900b", "name": "Virus.Injector affecting Online Payment system", "description": "fed.paypal.com_underground_exchange \u2022 \nYara Detections:\nConventionEngine_Keyword_Install |\nHigh Priority Alerts:\ncape_detected_threat | IDS Detections:\nWin32/Viking.GN ICMP Echo Request |\nPhilis.J ICMP Sweep (Payload Hello World)\n[FileHash SHA256 cb83f04591cc1d602e650dd5c12f4470cf21b04328477bd6a52081f37c04bd7c]\n[Virus.Injector.ATA_virussign.com_8f3417c51a5e6b0b2241e61ef1a9eef1.exe] [File present on vx-underground.org | virus.exchange ~ vxunderground_0]\n[OTX populated] Researchers have identified and identified the source of the Viking, Philis malware, which has infected more than 1.5 million victims in the past year and is currently on the verge of being shut down.]\n#inject #install #keyword #fed.paypal #botnet #payload #grey #algorithm_manipulation #virusinstall", "modified": "2025-10-13T15:15:41.500000", "created": "2025-09-13T16:21:22.747000", "tags": [ "echo request", "sweep", "payload hello", "world", "search", "entries", "ids detections", "yara detections", "cape", "viking", "philis", "malware", "et", "adobe acrobat", "filehashsha256", "data upload", "extraction", "type", "no matching", "indicator", "failed", "url url", "samplepath", "samplename", "match info", "info", "base64", "ta0002 command", "t1059 severity", "modules t1129", "windows", "ta0003 modify", "registry t1112", "defense evasion", "encoding", "delete registry", "tree", "analysis ob0002", "control ob0004", "b0030 receive", "files", "ob0007 system", "e1082 file", "resolved ips", "sugges", "stop show", "domain", "hostname", "hostname data", "mitre att", "ip detections", "country" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 7, "FileHash-SHA256": 488, "URL": 758, "hostname": 321, "domain": 104 }, "indicator_count": 1699, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c5743593a4bcc81dd94b0b", "name": "Fed.PayPal.com - Ransom | Attacks via redirect", "description": "A monitored target, active on various payment platforms for business documented a malicious redirect event 1st seen in 2020. Follows pattern of multiple, critical and ongoing attacks beginning in 2013. In this instance target lost access to PayPal payments. If this is legal, it\u2019s been a grotesque grift. Target was financially and otherwise robbed.\n\n\n#trulymissed #paypal #advesaries #apple #twitter #backdoor #ransom #botnet #reptutationattack", "modified": "2025-10-13T13:27:11.277000", "created": "2025-09-13T13:40:05.671000", "tags": [ "present sep", "virtool", "cryp", "win32", "ip address", "trojan", "ransom", "asn as54113", "passive dns", "msil", "united states", "dynamicloader", "qaeaav12", "high", "qbeipbdii", "write", "paypal", "medium", "search", "vmware", "floodfix", "malware", "united", "mtb apr", "hostname add", "write c", "read c", "yara detections", "upxoepplace", "next", "markus", "april", "ping", "meta http", "content", "gmt server", "th th", "443 ma2592000", "ipv4 add", "url analysis", "urls", "body", "title", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "status", "name servers", "set cookie", "script urls", "present feb", "cookie", "template", "present oct", "present jul", "present dec", "present jun", "next associated", "urls show", "date checked", "present apr", "url hostname", "united kingdom", "unknown ns", "servers", "great britain", "msr aug", "msr apr", "msr nov", "ite o", "server response", "script script", "files show", "date hash", "avast avg", "creation date", "lcid1033", "sminnotek", "spnvirtualbox", "bvvirtualbox", "present mar", "present nov", "exploit", "error", "server response", "google safe", "results sep", "backdoor", "certificate", "mtb sep", "next http", "scans show", "present may", "results jun", "results jan", "worm", "echo request", "sweep", "payload hello", "world", "ids detections", "cape", "viking", "philis", "et", "torop", "des moines", "contacted hosts", "content reputation", "sabey type", "tulach type", "rexx type", "foundry type", "fred scherr", "twitter", "apple", "monitored target", "financial theft", "psalms 27: 1 - 14" ], "references": [ "fed.paypal.com [redirect for monitored target \u2022 1st documented 2020- still active]", "nr-data.net \u2022 init.ess.apple.com\t\u2022 apple-id-ifind.com \u2022 https://apple-id-ifind.com/\t\u2022 apple-lostandfound.com", "https://www.speakup.it/magazines/places/new-york-city-on-a-budget-big-apple-little-money_2368", "https://login.apple-mac.banugoker.com/cgi-sys/defaultwebpage.cgi \u2022 lsupport-apple.com", "login.apple-mac.banugoker.com \u2022 www.apple-mac.banugoker.com \u2022 http://apple-mac.banugoker.com/", "https://apple-mac.banugoker.com/ \u2022 https://login.apple-mac.banugoker.com/", "http://45.159.189.105/bot/regex \u2022 https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com \u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.\u2022 com/ \u2022 https://www.csrc.gov.cn.lxcvc.com/", "https://lk-prod-webcol.laika.com.co/category/bog/cat/farmacia/collares-isabelinos/todos/todo-para-mascota/1", "https://twitter.com/PORNO_SEXYBABES \u2022 https://megapornfreehd.com/2025/04/360", "https://57d5.zhanyu66.com/com.slamyugllp.strangerrun.xc.apk/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "Win.Trojan.Fraudpack", "display_name": "Win.Trojan.Fraudpack", "target": null }, { "id": "Fakeav", "display_name": "Fakeav", "target": null }, { "id": "Ransom:MSIL/Genasom.I", "display_name": "Ransom:MSIL/Genasom.I", "target": "/malware/Ransom:MSIL/Genasom.I" }, { "id": "Virtool:Win32/Obfuscator.KI", "display_name": "Virtool:Win32/Obfuscator.KI", "target": "/malware/Virtool:Win32/Obfuscator.KI" }, { "id": "Toga!rfn", "display_name": "Toga!rfn", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Remoteadmin-7056666-0", "display_name": "Win.Malware.Remoteadmin-7056666-0", "target": null }, { "id": "Floxif", "display_name": "Floxif", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Dropper.Unruy-9994363-0", "display_name": "Win.Dropper.Unruy-9994363-0", "target": null }, { "id": "Win.Trojan.Cycler-47", "display_name": "Win.Trojan.Cycler-47", "target": null }, { "id": "Win.Trojan.Clicker-3506", "display_name": "Win.Trojan.Clicker-3506", "target": null }, { "id": "Win.Downloader.Unruy-10026469-0", "display_name": "Win.Downloader.Unruy-10026469-0", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Urelas", "display_name": "Win.Malware.Urelas", "target": null }, { "id": "Win.Malware.Zusy", "display_name": "Win.Malware.Zusy", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "target": null }, { "id": "Win.Malware.Eclz-9953021-0", "display_name": "Win.Malware.Eclz-9953021-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "display_name": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "target": null }, { "id": "Win.Dropper.Tiggre-9845940-0", "display_name": "Win.Dropper.Tiggre-9845940-0", "target": null }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Win.Malware.Sfwx-9853337-0", "display_name": "Win.Malware.Sfwx-9853337-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Trojan:Win32/Kaicorn!rf", "display_name": "Trojan:Win32/Kaicorn!rf", "target": "/malware/Trojan:Win32/Kaicorn!rf" }, { "id": "Win32:Banker", "display_name": "Win32:Banker", "target": null }, { "id": "Worm:Win32/Cambot!rfn", "display_name": "Worm:Win32/Cambot!rfn", "target": "/malware/Worm:Win32/Cambot!rfn" }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1321, "URL": 4356, "FileHash-MD5": 759, "FileHash-SHA1": 748, "FileHash-SHA256": 5148, "domain": 1076, "email": 7 }, "indicator_count": 13415, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bbdb22e3d606ae8fb5cda8", "name": "HCPF | Department of Health Care Policy and Financing", "description": "Project Nemesis - Affects Department of Health Care Policy and Financing | Family representative repeatedly told past bills aren\u2019t being paid by United Healthcare. Argus Insurance (unknown entity) was Policy on record target never had. FR was given information regarding HCPF which was being viewed by past vendor seen in (https://otx.alienvault.com/pulse/68bbb31f6d91989d7fcd9592) | Issues with HCPF have been an issue for some time in isolated scenarios. It\u2019s unclear how at least one person keeps getting their name, bills and life pulled into this. Target PURCHASED a Healthcare policy via agent before major social engineering attacks. Same entity literally robs targets. Gift cards, phone services, cloud storage, account, insurance policies, bank account access, tax refunds, paid claims reversed & taken from target\u2019s account.\nMore research needed. Flaws in new system could jeopardize many. \n#trulymissed #rip #techbrohell #palantir", "modified": "2025-10-06T05:01:18.794000", "created": "2025-09-06T06:56:34.649000", "tags": [ "federal changes", "health first", "colorado", "child health", "plan plus", "newimpact", "medicaidour", "impact", "medicaid page", "medicaid", "beware", "text/html", "trackers", "iframes", "external-resources", "new relic", "g1gv3h3sxc0", "utc gcw970gh4gg", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "no expiration", "url https", "type indicator", "role title", "related pulses", "hostname https", "m4e5930", "hostname", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "search", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "urls", "title", "date", "resolved ips", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "endgame systems" ], "references": [ "Researched: https://hcpf.colorado.gov/", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "millet-usgc-1.palantirfedstart.com", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "https://passwords.google/?utm_medium=hpp&utm", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "Researched publicly available information provided by representative of a target\u2019s estate", "System has placed affected on multiple policies cancelling private policy without notice.", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "Provided documented evidence of appealed state issued plan and disclosed financials.", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Hospitality", "Financial", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1395, "URL": 4304, "CVE": 1, "domain": 694, "FileHash-SHA256": 1790, "FileHash-MD5": 183, "FileHash-SHA1": 103, "SSLCertFingerprint": 5 }, "indicator_count": 8475, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bbb31f6d91989d7fcd9592", "name": "Who is Argus Health Systems in relation to United Healthcare", "description": "Strange. Person/s handling a monitored targeted past accounts was contacted to have old bills paid. Told individual had Argus Health Insurance that wouldn\u2019t pay.\n\nIssues: \u2022 Individual wasn\u2019t a client of vendor in 2024\n\u2022 Was never an Argus client.\n\u2022 Social engineering type call. Angry employee demanding copy of front and back of Health Care Insurance card for UH payments for items purchased after approved prior authorization for in past purchases. \n\u2022 Gave an incredible amount of PHI over phone w/o appropriate new (or former) HIPPA standard verification. \u2022 Angrily refused to provide billing # or requesters name.\n*United Health Care has paid ZERO bills. \n* \n(Auto populated - Anel arauchealth cam) | https://www.argushealth.com. Argus Health Systems is a healthcare technology company based in Kansas City, MO. Specializing in pharmacy benefit management ...", "modified": "2025-10-06T03:04:31.707000", "created": "2025-09-06T04:05:50.955000", "tags": [ "server", "date", "registrar abuse", "csc corporate", "domains", "algorithm", "key identifier", "x509v3 subject", "country", "postal code", "code", "united", "showing", "entries", "ip address", "search", "name servers", "unknown aaaa", "domain add", "pulse submit", "passive dns", "content type", "type content", "all ipv4", "url analysis", "urls", "files", "title", "meta", "certificate", "creation date", "record value", "hostname add", "domain", "unknown ns", "china unknown", "body", "please", "x msedge", "pulse pulses", "present aug", "hong kong", "extraction", "data upload", "levelbluelabs", "search otx", "pcap", "stix", "url or", "texdr", "failedto", "drop", "aaaa", "record type", "ttl value", "historical ssl", "certificates", "thumbprint", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "present jun", "moved", "gmt content", "a domains", "next http", "scans show", "error", "present sep", "present may", "present jul", "present mar", "present apr" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2091, "domain": 817, "URL": 7939, "email": 5, "FileHash-SHA256": 2960, "FileHash-SHA1": 240, "FileHash-MD5": 227 }, "indicator_count": 14279, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c54659742e10df0e2dd0ec", "name": "Archive.ph - Mirai", "description": "", "modified": "2025-10-03T00:01:12.616000", "created": "2025-09-13T10:24:25.814000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "javascript", "spawns", "united", "present aug", "div div", "meta", "fffae1", "xml title", "drag", "div form", "form div", "a li", "encrypt", "russia", "passive dns", "urls", "aaaa", "netherlands", "your ip", "panama", "russia unknown", "present mar", "present jun", "moved", "present jul", "present sep", "ip address", "present jan", "body", "title", "domain", "files", "content type", "body doctype", "as16509", "intel mac", "os x", "ipv4 add", "port", "destination", "read c", "medium", "entries", "et info", "execution", "next", "dock", "write", "persistence", "malware", "url analysis", "files ip", "name server", "domain address", "algorithm", "key identifier", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "us as15169", "us as396982", "mitre att", "pattern match", "form", "onload", "general", "local", "path", "click", "strings", "verify", "asnone", "china as4134", "resolverror", "high", "dns query", "as7018 att", "japan as4713", "south korea", "little \u2018endian\u2019", "mirai", "dod", "endgame systems", "government overreach", "sabey type", "foundry type", "apple", "cve" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135858-0", "display_name": "Unix.Dropper.Mirai-7135858-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "68b798c0a419c49eeb4e2a13", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2069, "domain": 406, "FileHash-SHA256": 1498, "hostname": 811, "FileHash-MD5": 150, "FileHash-SHA1": 138, "SSLCertFingerprint": 8, "CIDR": 1, "CVE": 1 }, "indicator_count": 5082, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "198 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68b798c0a419c49eeb4e2a13", "name": "Archive.ph - Mirai", "description": "Outdated archiving domain of questionable origin can expose or has exposed monitored target/s to\nUnix.Dropper.Mirai-7135858-0.\n\nThe domain seems to want to appear as if it originates from Russia. There is a DoD & Endgame systems relationship. Multiple archived pages have been injected and deleted.\n(Little Endian) is a name seen often related to an innocent known to be targeted by a pro male entity who utilizes Pegasus, Palantir, Gotham, Foundry , Tulach, for silencing.\n#trulymissed #mirai #malicious", "modified": "2025-10-03T00:01:12.616000", "created": "2025-09-03T01:24:16.418000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "javascript", "spawns", "united", "present aug", "div div", "meta", "fffae1", "xml title", "drag", "div form", "form div", "a li", "encrypt", "russia", "passive dns", "urls", "aaaa", "netherlands", "your ip", "panama", "russia unknown", "present mar", "present jun", "moved", "present jul", "present sep", "ip address", "present jan", "body", "title", "domain", "files", "content type", "body doctype", "as16509", "intel mac", "os x", "ipv4 add", "port", "destination", "read c", "medium", "entries", "et info", "execution", "next", "dock", "write", "persistence", "malware", "url analysis", "files ip", "name server", "domain address", "algorithm", "key identifier", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "us as15169", "us as396982", "mitre att", "pattern match", "form", "onload", "general", "local", "path", "click", "strings", "verify", "asnone", "china as4134", "resolverror", "high", "dns query", "as7018 att", "japan as4713", "south korea", "little \u2018endian\u2019", "mirai", "dod", "endgame systems", "government overreach", "sabey type", "foundry type", "apple", "cve" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135858-0", "display_name": "Unix.Dropper.Mirai-7135858-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2069, "domain": 406, "FileHash-SHA256": 1498, "hostname": 811, "FileHash-MD5": 150, "FileHash-SHA1": 138, "SSLCertFingerprint": 8, "CIDR": 1, "CVE": 1 }, "indicator_count": 5082, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "198 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ae5b9ef87646927a236b61", "name": "Privacy - Google Videos Search - Web Applications Stack Exchange = WannaCry", "description": "Description: dfir.blog - A blog about Digital Forensics & Incident Response\ndfir.blog\nDigital forensics, web browsers, visualizations, & open source tools.\n#monitoring #dod(?) #chinacache #crypt #ransom#infectedsystems", "modified": "2025-09-26T00:01:12.214000", "created": "2025-08-27T01:13:02.780000", "tags": [ "google", "mullvad browser", "value", "incognito mode", "mine", "unix time", "friday", "january", "does", "tor browser", "search", "show", "langchinese", "packing t1045", "t1045", "medium", "pe resource", "module load", "t1129", "service", "trojan", "copy", "dock", "write", "malware", "clock", "united", "passive dns", "urls", "next associated", "gmt cache", "ipv4 add", "pulse pulses", "files", "reverse dns", "win32", "title", "location united", "america flag", "america asn", "as15169 google", "dns resolutions", "domains top", "level", "unique tlds", "present aug", "china unknown", "creation date", "date", "domain", "ip address", "domain name", "expiration date", "status ok", "nanjing", "accept", "body", "div td", "td tr", "div div", "span span", "a li", "span p", "p div", "moved", "a domains", "open", "span", "uuupupu", "t1055", "process32nextw", "high", "windows", "high defense", "evasion", "delphi", "google gmail", "images sign", "advanced search", "solutions", "privacy", "store gmail", "delete delete", "report", "how search", "applying ai", "settings search", "advanced", "search search", "search help", "domainabuse", "showing", "hostname add", "url add", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "read c", "tlsv1", "whitelisted", "port", "destination", "ascii text", "next", "encrypt", "script urls", "msie", "chrome", "bad gateway", "script domains", "present feb", "link", "meta", "digital", "language", "body doctype", "ghost", "present jun", "aaaa", "present jul", "present oct", "record value", "yara detections", "dock zone", "top source", "top destination", "source source", "filehash", "code", "error", "windows nt", "wow64", "slcc2", "media center", "execution", "persistence", "tulach", "brian sabey", "dod network", "orgtechref", "address range", "cidr", "network name", "allocation type", "whois server", "entity dnic", "handle", "whois lookup", "dod", "et trojan", "server header", "suspicious", "et info", "unknown", "virustotal", "specified", "download", "et", "please", "type size", "first seen", "loading", "python wheel", "dynamicloader", "intel", "ms windows", "pe32", "entries", "user agent", "powershell", "agent", "yara rule", "checks", "levelblue", "open threat", "observed dns", "query", "dns lookup", "msdos", "wannacry dns", "lookup", "wannacry", "worm", "explorer", "msil", "darkcomet", "ping", "tools", "capture", "hallrender", "dga domains", "unfurl sites", "honey net", "bot", "nxdomain", "potential-c2" ], "references": [ "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "DoD Network Information Center (DNIC)", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}", "Python Wheel package", "https://www.google.com/search", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Magania.DSK!MTB", "display_name": "Trojan:Win32/Magania.DSK!MTB", "target": "/malware/Trojan:Win32/Magania.DSK!MTB" }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "a variant of Win32/Kryptik.DEOA", "display_name": "a variant of Win32/Kryptik.DEOA", "target": null }, { "id": "ALF:Exploit:Win32/gSharedInfoRef.A", "display_name": "ALF:Exploit:Win32/gSharedInfoRef.A", "target": null }, { "id": "Wannacry", "display_name": "Wannacry", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Telecommunications", "Technology", "Civilian" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8221, "domain": 1216, "FileHash-SHA256": 2434, "FileHash-MD5": 296, "FileHash-SHA1": 155, "hostname": 2939, "email": 7, "SSLCertFingerprint": 8, "CIDR": 2 }, "indicator_count": 15278, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68accab3048f960c2012d8f3", "name": "Unruy Infected System | Safari browser Google Search = www2.megawebfind.com", "description": "Unruy affecting safari browser of a currently infected iOS system.\nDescription: The sca_esv parameter is a piece of data in the URL that's likely internal to Google's system for tracking. | \n(https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | ( First time user, I can\u2019t vouch for the safety of website above.)", "modified": "2025-09-24T19:02:24.695000", "created": "2025-08-25T20:42:27.811000", "tags": [ "google search", "please click", "process32nextw", "read c", "united", "show", "entries", "shellexecuteexw", "medium", "module load", "t1129", "dock", "write", "suspicious", "malware", "unknown", "contacted", "ids detections", "forbidden yara", "detections", "domains", "unruy", "safari", "apple", "ios" ], "references": [ "https://www.google.com/search?client=safari&sca_esv= www2.megawebfind.com webfind. com \u2022 www6.mega www.google.com", "IDS Detections: Win32/Unruy.C Activity", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction network_http", "Alerts: antisandbox_sleep creates_exe dropper stealth_window injection_process_search protection_rx", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com ocsp.pki.goog", "Domains Contacted: www.download.windowsupdate.com ifdnzact.com d38psrni17bvxu.cloudfront.net", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com d38psrni17bvxu.cloudfront.net www2.megawebfind.com www.google.com www6.megawebfind.com", "Domains Contacted: www2.megawebfind.com www.google.com www6.megawebfind.com", "The sca_esv parameter is a piece of data in the URL that's likely internal to Google's system for tracking, sorting, or customizing search results.", "A clients infected now former iOS device.", "https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking", "I can\u2019t vouch for the safety of website above. First time user.", "https://otx.alienvault.com/indicator/file/f3a939131ffaf473f8b1ffa0cd11d8cbce46f50dcc7e9fd2ff8404201ab5bc8e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Unruy-6912804-0", "display_name": "Win.Malware.Unruy-6912804-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [ "Technology", "Telecommunications", "Civilian" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 489, "FileHash-MD5": 105, "FileHash-SHA1": 101, "hostname": 297, "URL": 942, "SSLCertFingerprint": 1, "domain": 182 }, "indicator_count": 2117, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "206 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68abf66e97031d0ff0c04fed", "name": "Packed sentient.industries links to a targets business website", "description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.", "modified": "2025-09-24T04:04:05.604000", "created": "2025-08-25T05:36:46.327000", "tags": [ "moved", "body", "x cache", "cloudfront x", "cph50 c2", "certificate", "record value", "title", "h1 center", "server", "redacted for", "servers", "name redacted", "for privacy", "name servers", "org data", "privacy city", "privacy country", "ca creation", "passive dns", "urls", "files", "ip address", "asn as57033", "less whois", "registrar", "tucows domains", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl ecc", "domain secure", "site ca", "validity", "subject public", "extraction", "data upload", "extra data", "include review", "find", "failed", "typ no", "ms windows", "intel", "pe32", "united", "search", "as16509", "from win32bios", "show", "high", "medium", "delphi", "copy", "write", "launcher", "next", "present aug", "present jul", "lowfi", "win32", "a div", "div div", "learn xml", "babylon", "win64", "trojan", "colors", "python", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "et info", "tls handshake", "bad traffic", "failure", "date", "august", "hybrid", "general", "path", "starfield", "click", "strings", "se bethseda", "n bethseda", "n data", "error", "date checked", "url hostname", "server response", "google safe", "results aug", "read c", "tlsv1", "port", "destination", "module load", "execution", "dock", "persistence", "malware", "unknown", "cname", "aaaa", "creation date", "showing", "domain", "dga domains", "palantirfoundry", "foundry", "status", "unknown ns", "g2 tls", "rsa sha256", "italy unknown", "mtb may", "trojandropper", "invalid url", "next associated", "ddos", "body html", "hacktool", "ipv4", "url analysis", "ukraine", "encrypt", "rl add", "http", "hostname", "files domain", "files related", "related tags", "present jun", "entries", "title error", "all ipv4", "reverse dns", "yara detections", "top source", "top destination", "source source", "sha256 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "canada unknown", "content type", "javascript src", "script script", "x powered", "ipv4 add", "pulse submit", "submit url", "analysis", "url add", "related nids", "files location", "canada flag", "canada hostname", "unknown aaaa", "ascii text", "user agent", "powershell", "agent", "czechia unknown", "domain add", "dynamicloader", "hostname add", "pentagon", "defense" ], "references": [ "sentient.industries affects independent artists. Affects several others.", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "https://link.monetizer101.com/widget/code/dailystaruk.js", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "(Can't access file- Malware infection files)", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "Remotewd.com devices", "If you find anything interesting please research it." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "nUFS_inno", "display_name": "nUFS_inno", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious", "display_name": "#Lowfi:HSTR:MSIL/Malicious", "target": null }, { "id": "ALF:JASYP:PUA:Win32/Bibado", "display_name": "ALF:JASYP:PUA:Win32/Bibado", "target": null }, { "id": "Trojan:Win32/Toga", "display_name": "Trojan:Win32/Toga", "target": "/malware/Trojan:Win32/Toga" }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Win.Trojan.Jorik-149", "display_name": "Win.Trojan.Jorik-149", "target": null }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.Jorik-130", "display_name": "Win.Trojan.Jorik-130", "target": null }, { "id": "Win.Trojan.Fakecodecs-119", "display_name": "Win.Trojan.Fakecodecs-119", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Bulz-9860169-0", "display_name": "Win.Trojan.Bulz-9860169-0", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Packed.Razy-9785185-0", "display_name": "Win.Packed.Razy-9785185-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "PWS", "display_name": "PWS", "target": null }, { "id": "DDOS:Win32/Stormser.A", "display_name": "DDOS:Win32/Stormser.A", "target": "/malware/DDOS:Win32/Stormser.A" }, { "id": "ALF:HSTR:DotNET", "display_name": "ALF:HSTR:DotNET", "target": null }, { "id": "DotNET", "display_name": "DotNET", "target": null }, { "id": "Script Exploit", "display_name": "Script Exploit", "target": null }, { "id": "HackTool:Win32/AutoKMS", "display_name": "HackTool:Win32/AutoKMS", "target": "/malware/HackTool:Win32/AutoKMS" }, { "id": "Xanfpezes.A", "display_name": "Xanfpezes.A", "target": null }, { "id": "Trojan:Win32/Gandcrab", "display_name": "Trojan:Win32/Gandcrab", "target": "/malware/Trojan:Win32/Gandcrab" }, { "id": "Win.Trojan.Generic-9862772-0", "display_name": "Win.Trojan.Generic-9862772-0", "target": null }, { "id": "Trojan:Win32/Zbot.SIBL!MTB", "display_name": "Trojan:Win32/Zbot.SIBL!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBL!MTB" }, { "id": "Win32/Nemucod", "display_name": "Win32/Nemucod", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "target": null }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Win.Malware.Kolab-9885903-0", "display_name": "Win.Malware.Kolab-9885903-0", "target": null }, { "id": "Win.Malware (30)", "display_name": "Win.Malware (30)", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "target": null }, { "id": "E5", "display_name": "E5", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6232, "URL": 24908, "hostname": 7993, "FileHash-SHA256": 11128, "email": 6, "FileHash-MD5": 1054, "FileHash-SHA1": 932, "SSLCertFingerprint": 14, "CIDR": 3, "CVE": 3 }, "indicator_count": 52273, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "207 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a956460f257cf96c454071", "name": "Piracy \u2022 Cloudfront \u2022 Ransom \u2022 Code Overlaps \u2022 Unrelenting attacks.", "description": "Indie songwriter , publisher, promoter, producer & her artists affected by years long copyright infringement , hacking & reputation damage. Website now downed.\n\nBrashears had been involved in music under pseudonyms for decades as a was songwriter , ghostwriter, sold catalogs , charting singles, chops was sponsored. In this instance music was grossly pirated. Initially asked for hook rights then told hook would be used without her permission. Believed dispute resolved verbally + copyright.\n\nTsara learned from an insider/s her hook was pirated & used by artists listed. Modifications make songs pirated samples.\nBrashears song written in 2010 later vaulted in a private catalog later released by her artist. YouTube audio quality tampering on pirated song. \n\nBrashears loved music, not the industry as an artist; preferring business. Always held her privacy to remain unknown. Tsara lived 10 lives at once.\n\nLikely involves male who contacted her @ by email as mentioned in earlier pulse.\n#trulymissed", "modified": "2025-09-21T21:03:28.771000", "created": "2025-08-23T05:48:54.534000", "tags": [ "domains", "hashes", "passive dns", "urls", "url add", "http", "hostname", "files domain", "files related", "related tags", "a domains", "entries", "next associated", "files show", "date hash", "avast avg", "trojanspy", "entries http", "scans show", "search", "body", "body doctype", "dynamicloader", "medium", "reg add", "regsz d", "high", "windows", "audio drivers", "write c", "virtool", "copy", "write", "june", "united", "unknown ns", "samsara", "new york", "city ny", "ip address", "record value", "meta", "date", "music", "encrypt", "win32", "dangeroussig", "lowfi", "msie", "chrome", "precondition", "trojan", "title", "canada unknown", "unknown cname", "domain add", "files", "location united", "hostname add", "verdict", "domain", "files ip", "address", "asn as13335", "hash avast", "avg clamav", "msdefender feb", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "file", "size", "ascii text", "pattern match", "august", "hybrid", "general", "path", "click", "strings", "roboto", "mozilla", "contact", "t1179 hooking", "installs", "t1035 service", "crlf line", "runtime process", "malicious", "unknown", "ssl certificate", "defense evasion", "amazon02", "americachicago", "windows nt", "win64", "khtml", "gecko", "veryhigh", "found", "geo menifee", "california", "as30148", "us note", "route", "ptr record", "information", "t1053", "taskjob", "t1055", "injection", "t1082", "t1112", "modify registry", "t1119", "t1129", "service", "capture", "url http", "url https", "type indicator", "role title", "added active", "related pulses", "showing", "ipv6", "ipv4", "dicator role", "title added", "active related", "sweden", "netherlands", "scan", "iocs", "learn more", "types of", "kingdom", "united kingdom", "denmark", "icator role", "malware attacks", "find encrypted", "t1021", "remote", "t1068", "ta0043", "t1016", "discovery", "t1221", "nobody love", "tori", "kelley", "dj khaled", "justin bieber", "sophos video", "x rack", "x frame", "october", "songculture", "song culture", "tsara brashears", "jess 4", "queryfoundry", "beyond sampling", "pirated", "youtube", "spotify", "twitter", "spy", "tracking" ], "references": [ "https://songculture.com/tsara-brashears-music | Cloudfront below was attached to body of work", "https://d3jjg4nf4bbybe.cloudfront.net/u/210425/397f80d871fe6dla1704cela4b712e387ed8a48a/large/kedence-out-of-my-sight", "\"Nobody Love\" Tori Kelley \"'m the One\" DJ Khaled ft Justin Bieber (Pirated Hook)", "8-25-220-162-static.reverse.queryfoundry.net", "http://117-114-251-162-static.reverse.queryfoundry.net/ - queryfoundry.net", "https://www.youtube.com/watch?v=bJWJbOqg9cM - Falsely flagged to demonetize and not rank", "Dr.Web violence/adult content (False) ThreatSeeker social web - youtube", "music.apple.com \u2022 linktr.ee \u2022 sentient.industries? samsara has been showing up often.", "There is money in the industry for well established , \u2018souled\u2019 out artists. It\u2019s a racket! T signed & exited early", "Worked at some studios attacked by Lazarus Group who allegedly attacked Sony Music", "I apologize if you don\u2019t like my background stories", "\u2018Passin\u2019 I deleted the pulses you asked me to. Your links were malicious. I haven\u2019t weaponize anything I\u2019ve learned... yet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nivdort", "display_name": "Nivdort", "target": null }, { "id": "Virtool", "display_name": "Virtool", "target": null }, { "id": "Evo", "display_name": "Evo", "target": null }, { "id": "Trojanspy", "display_name": "Trojanspy", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Malware Gen", "display_name": "Malware Gen", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [ "Media", "Technology", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1833, "hostname": 902, "domain": 386, "FileHash-MD5": 406, "FileHash-SHA1": 402, "FileHash-SHA256": 1437, "email": 2, "SSLCertFingerprint": 5, "CIDR": 2 }, "indicator_count": 5375, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "209 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a0cb6a89a10d13623a0018", "name": "Medicaid Mirai Botnet | United Healthcare Mirai Botnet", "description": "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll. Medicaid Botnet work managed by Lumen Technologies as part of a massive silencing campaign. |\n\nPhone calls routed since forces and investigated disclosures of several attack resulting in great bodily harm and life threatening, ending injuries.\nThis campaign date has one start date 11/13/2013.\n#missed assaults internal investigated 10/08/2013 -11/31/ 2013.\nI\u2019m sure other targets are impacted . This stems from targets personal , documented experiences. \nFormerly k/a Century Link was confronted by associate of targets when a plain clothed male entered targets yard in 11/ 2013, told their box controlled entire neighborhood. Continuously accessed properties. \n\n\n\n#rip #lumen #botnet #fencing #malware #silencing #civil_liberties # monitored_target #remote #corruption #privacy_abuse #centurylink", "modified": "2025-09-15T16:04:47.043000", "created": "2025-08-16T18:18:18.657000", "tags": [ "url https", "search", "type indicator", "role title", "added active", "related pulses", "entries", "httponly", "samesitelax", "read c", "medium", "rgba", "unicode", "port", "memcommit", "delete", "next", "dock", "write", "execution", "present aug", "united", "ip address", "name servers", "unknown ns", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "pattern match", "show technique", "ck matrix", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "href", "size", "t1480 execution", "file defense", "ascii text", "trojan", "passive dns", "trojandropper", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "ipv4 add", "urls", "files", "location united", "ipv4", "url analysis", "america flag", "america asn", "backdoor", "win32", "malware", "date", "domain", "segoe ui", "a domains", "security tls", "san jose", "asn8075", "reverse dns", "software", "resource hash", "general full", "status", "emails", "expiration date", "asp", "microsoft oem", "found", "running webserver", "netherlands", "creation date", "aaaa", "certificate", "protocol h2", "name value", "hash", "present jun", "present apr", "moved", "control att", "t1573 encrypted", "channel command", "decrypted ssl", "runtime process", "appdata", "windows nt", "svg scalable", "patch", "internal", "core", "high", "tcp syn", "icmp traffic", "dns query", "av detections", "ashburn", "ai device id", "telnet", "windows script", "microsoft", "host", "yara detections", "pdb path", "pe resource", "script host", "test", "hostname add", "files ip", "domains", "hashes", "ireland", "mtb jun", "mtb may", "device local", "remotewd", "nemtih", "url add", "http", "hostname", "files domain", "files related", "pulses otx", "present jul", "domain add", "colorado", "quasi", "contracts", "botnet", "remote access", "virginia", "c++", "hacking", "monitored target", "silencing campaign", "audio recording", "cameras", "full service", "tactics" ], "references": [ "Handled by Lumen Technologies | What kind of darkness is this?", "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider", "dev.myhpnmedicaid.com", "ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113", "https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f", "https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851", "https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5", "Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet", "Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/", "https://dotnet.microsoft.com/en-us/apps/aspnet", "ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .", "ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.", "ASP.net Open source. A framework for building web apps and services with .NET and C#", "Registrant Org: Japan Computer Emergency Response Team Coordination Center", "Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com", "Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/", "Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx", "Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com", "http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Trojan:Win32/Daws", "display_name": "Trojan:Win32/Daws", "target": "/malware/Trojan:Win32/Daws" }, { "id": "ELF:Mirai-ATI", "display_name": "ELF:Mirai-ATI", "target": null }, { "id": "Trojan:Win32/IRCbot", "display_name": "Trojan:Win32/IRCbot", "target": "/malware/Trojan:Win32/IRCbot" }, { "id": "alf:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "alf:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Trojandropper:Win32/Muldrop.V!MTB", "display_name": "Trojandropper:Win32/Muldrop.V!MTB", "target": "/malware/Trojandropper:Win32/Muldrop.V!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1092", "name": "Communication Through Removable Media", "display_name": "T1092 - Communication Through Removable Media" }, { "id": "T1433", "name": "Access Call Log", "display_name": "T1433 - Access Call Log" } ], "industries": [ "Technology", "Telecommunications", "Contracts", "Government", "Finance", "Insurance", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4880, "domain": 575, "hostname": 1419, "FileHash-SHA256": 1745, "FileHash-MD5": 284, "FileHash-SHA1": 263, "email": 5, "CVE": 1 }, "indicator_count": 9172, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "216 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689fb86af7ae894997245158", "name": "Lumen Technologies attacks. Affects telecommunication between patient and Intermountain Health", "description": "Severely impacted a monitored target\u2019s communication with health provider , prohibited patient calls, borne answering calls at UC Health & Intermountain Healthcare. Targets devices routed and / or hijacked by or to other known carriers.\nImpacts Medicaid patient files. NOT CHINA. Colorado. Message #trulymissed intentionally routed to outbound decimated her health & provider relationships. \n\u201cYour administrator contact lumen at 877-453-8353 to resolve the issue. You may dial zero to be connected with an operator to complete your call. The charges may apply operator services will require a valid telephone number and a method of payment for charges to complete the call thank you for calling Luman error code CPN1\u201d\n\nWin32:Downloader-KEQ\\ [Trj]\t\t\n#Lowfi:Cutwail_Upatre_GameOver_Obfuscator\n#malware #Schoolboy\n#.Bulz\n#trojan #Redline\n#.Dorkbot\t#Azorult\n#HawkEye\n#Msilperseus\n#AgentTesla\nhacktool:MSIL/Boilod", "modified": "2025-09-14T21:02:42.856000", "created": "2025-08-15T22:44:58.153000", "tags": [ "united", "passive dns", "ipv4", "pulse submit", "url analysis", "urls", "files", "reverse dns", "location united", "america flag", "creation date", "communications", "expiration date", "domain", "files ip", "address", "asn as3356", "el dorado", "present jun", "present dec", "present sep", "present nov", "present may", "entries", "showing", "next associated", "urls show", "search", "read c", "show", "medium", "unicode", "rgba", "next", "memcommit", "delete", "dock", "write", "execution", "copy", "status", "value emails", "name level", "llc name", "org level", "llc address", "city broomfield", "date", "error nov", "next http", "scans record", "value", "body head", "document moved", "title head", "object moved", "href http", "denver", "hostname add", "ip address", "pulse pulses", "verdict", "present aug", "name servers", "hong kong", "china unknown", "domain add", "present jul", "china showing", "date checked", "url hostname", "mirai", "crlf line", "body", "please", "x msedge", "unknown ns", "unknown soa", "trojan", "virtool", "ipv4 add", "hostname", "set cookie", "accept", "dispatcher", "ref b", "wed may", "backdoor", "mtb aug", "mtb dec", "twitter", "smoke loader", "malware", "hacktool", "mtb feb", "aaaa", "cname" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 562, "hostname": 1988, "URL": 7800, "FileHash-SHA256": 657, "email": 5, "FileHash-MD5": 150, "FileHash-SHA1": 127 }, "indicator_count": 11289, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "216 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689d5115ad786de4ff048e5b", "name": "TEL:ECCert!SSLCO | Mirai Malware Hosting | Multi user Tracker", "description": "https://api.mirai.com/MiraiWebService/passbook/180823-77257/4001645 [Malware hosting]\n*TEL:ECCert!SSLCO\nYARA Detections:\nDelphi\nThis program must be run under Win32\ncompilers.\nCode Overlap of Trojan Droppers Backdoors , TrojanSpy\n\n\n#injection_inter_process\n#creates_largekey\n#network_bind\n#ransomware_file_modifications\n#antivm_generic_bios\n#antivm_generic_disk\n#enumerates_physical_drives\n#physical_drive_access\n#deletes_executed_files\n#recon_fingerprint\n#suspicious_command_tools\n#anomalous_deletefile\n#antisandbox_sleep\n#dead_connect\n#dynamic_function_loading\n#http_request\n#ipc_namedpipe\n#network_anomaly\n#powershell_download\n#powershell_request #track #locate #remote_access", "modified": "2025-09-13T02:00:42.729000", "created": "2025-08-14T02:59:33.036000", "tags": [ "url https", "url http", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "present sep", "united", "present aug", "present jul", "present jun", "moved", "unknown ns", "present may", "present apr", "passive dns", "date", "encrypt", "body", "cookie", "gmt server", "content type", "dynamicloader", "medium", "x17x03x01", "download studio", "high", "read c", "show", "windows", "copy", "powershell", "write", "anomaly", "next", "unknown", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "yara detections", "delphi", "codeoverlap", "win32", "rgba", "memcommit", "delete", "png image", "hash", "dock", "execution", "malware", "wine emulator", "dynamic", "msie", "windows nt", "wow64", "slcc2", "media center", "capture", "persistence", "sha256", "submitted", "copy md5", "copy sha1", "copy sha256", "sha1", "script", "mitre att", "ck id", "show technique", "ck matrix", "null", "august", "span", "refresh", "meta", "mirai", "february", "april", "june", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "caribe", "rest", "accept", "friday", "look", "verify", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6211, "domain": 682, "hostname": 1661, "FileHash-MD5": 117, "FileHash-SHA1": 100, "FileHash-SHA256": 1386, "SSLCertFingerprint": 5 }, "indicator_count": 10162, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689d14258dd07e26a3bb1d46", "name": "PalantirFoundry.com (?) Multiple Remote Controlled Devices", "description": "Hacking.\nI\u2019m not sure if this is masquerading or not yet. Anything with \u2018PalantirFoundry.com\u2019 redirects to actual Palanrir login. Multiple users. Potentially 5000+ devices included in pulse. All monitored targets.", "modified": "2025-09-12T22:00:43.252000", "created": "2025-08-13T22:39:33.511000", "tags": [ "passive dns", "urls", "files", "ip address", "asn as16509", "less whois", "registrar", "unknown related", "servers", "status", "hostname", "domain", "files ip", "address", "united", "unknown ns", "a domains", "search", "script urls", "authority", "record value", "service", "mirai", "cloud provider", "reverse dns", "sydney", "australia asn", "as16509", "dns resolutions", "related tags", "none indicator", "write c", "mozilla", "nsisinetc", "show", "medium", "entries", "high", "http", "delete", "write", "malware", "data upload", "ms windows", "intel", "pe32", "lowfi", "next", "showing", "present feb", "present jun", "present dec", "present aug", "present may", "present jul", "moved", "media", "segoe ui", "ipv4", "url analysis", "location united", "error", "regopenkeyexa", "regsetvalueexa", "read c", "port", "destination", "regdword", "windows nt", "hostile", "win32", "unknown", "delphi", "persistence", "execution", "extraction", "l data", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "sha1", "sha256", "ascii text", "mitre att", "pattern match", "show technique", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "type", "please", "pulse submit", "url add", "pulse pulses", "related nids", "files location", "flag united", "ddos", "next associated", "files show", "date hash", "avast avg", "virtool", "downloader", "dadobra", "date", "certificate", "montreal", "canada", "asn16509", "amazon02", "screenshot", "title login", "palantir", "page url", "history https", "evasion att", "remember", "label", "button", "form", "general full", "url https", "protocol h2", "security tls", "software envoy", "value", "domainpath name", "header value", "self", "copy md5", "copy sha1", "copy sha256", "returnur", "south korea", "as9318 sk", "sqlite rollback", "journal", "as701 verizon", "bittorrent dht", "win64", "copy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFi:LinkularNSIS", "display_name": "#LowFi:LinkularNSIS", "target": null }, { "id": "#Lowfi:HSTR:Win32/ObfuscatorDynMemJmpAPI", "display_name": "#Lowfi:HSTR:Win32/ObfuscatorDynMemJmpAPI", "target": null }, { "id": "Fareit", "display_name": "Fareit", "target": null }, { "id": "TrojanDownloader:Win32/Dadobra.E", "display_name": "TrojanDownloader:Win32/Dadobra.E", "target": "/malware/TrojanDownloader:Win32/Dadobra.E" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3149, "domain": 1304, "URL": 5269, "FileHash-SHA256": 968, "FileHash-SHA1": 206, "email": 7, "FileHash-MD5": 274, "SSLCertFingerprint": 1, "CVE": 1 }, "indicator_count": 11179, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689b9b9fab42ca4f016a226f", "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)", "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +", "modified": "2025-09-11T13:03:18.814000", "created": "2025-08-12T19:53:03.953000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses url", "entries", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "href", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "show technique", "ck matrix", "null", "refresh", "body", "span", "general", "local", "path", "iframe", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "united", "unknown ns", "ip address", "creation date", "search", "present sep", "moved", "domain add", "encrypt", "accept", "please", "passive dns", "msie", "next associated", "html", "background", "unknown site", "div div", "trojan", "zeus", "process32nextw", "read c", "show", "shellexecuteexw", "windows nt", "wow64", "copy", "dock", "write", "malware", "unknown", "defense evasion", "t1480 execution", "file defense", "august", "hybrid", "port", "destination", "tlsv1", "as15169", "ogoogle trust", "cngts ca", "execution", "next", "persistence", "data upload", "extraction", "win32", "ransom", "trojandropper", "mtb nov", "forcud", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4179, "domain": 774, "hostname": 1673, "FileHash-MD5": 169, "FileHash-SHA1": 110, "FileHash-SHA256": 2073, "email": 1, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 8993, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689af6a1704fa2745bc8c2a3", "name": "Hijacked Twitter / X.com account. Phishing | Abnormal use", "description": "Hijacked phishing Twitter/ X.com.\nWin32/Unruy.C Activity\n#phishing #hijacked #intercoms #unruy #trojan #VTflood #malware #attack", "modified": "2025-09-11T08:02:36.759000", "created": "2025-08-12T08:09:05.642000", "tags": [ "log id", "gmtn", "secure", "tls web", "passive dns", "urls", "path", "self", "encrypt", "ca issuers", "false", "search", "read c", "united", "entries", "show", "showing", "msie", "windows nt", "wow64", "slcc2", "copy", "write", "suspicious", "malware", "unknown", "process32nextw", "shellexecuteexw", "medium process", "discovery t1057", "t1057", "discovery", "medium", "locally unique", "identifier", "veailmboprd", "next associated", "ipv4 add", "pulse pulses", "files", "asn as13335", "dns resolutions", "domains top", "smoke loader", "trojan", "body", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "show process", "programfiles", "command decode", "flag", "suricata ipv4", "mitre att", "show technique", "ck matrix", "date", "comspec", "model", "twitter", "august", "hybrid", "general", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1504, "FileHash-SHA256": 1232, "SSLCertFingerprint": 14, "domain": 245, "hostname": 526, "FileHash-MD5": 43, "FileHash-SHA1": 38 }, "indicator_count": 3602, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68958d96a43dd0d3b5a65220", "name": "Mirai Communication Networks Inc", "description": "BGP Mirai Communication Networks Inc. May be used for Red Hat activities considered enterprise open source solutions. Used for adversarial motives. Abuse.\nResearched a device-local-**********.remotewd.com found in last residential community a monitored target lived.", "modified": "2025-09-07T05:03:49.633000", "created": "2025-08-08T05:39:34.315000", "tags": [ "united", "unknown ns", "moved", "passive dns", "ip address", "cloudfront x", "hio50 c1", "a domains", "domains", "meta", "mirai", "apache", "url hostname", "server response", "google safe", "learn", "ck id", "name tactics", "suspicious", "informative", "spawns", "command", "found", "mitre att", "ck techniques", "sha256", "sha1", "ascii text", "pattern match", "size", "null", "refresh", "body", "span", "august", "hybrid", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "defense evasion", "t1480 execution", "file defense", "show technique", "ck matrix", "adversaries", "general", "starfield", "iframe", "onload", "status", "urls", "domain", "name servers", "hostname", "files", "files ip", "certificate", "urls show", "results aug", "entries", "show process", "utf8", "crlf line", "network traffic", "title error", "next associated", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "equiv content", "win32", "trojan", "servers", "search", "whois show", "record value", "emails", "name legal", "department name", "address po", "city seattle", "present oct", "present jul", "present dec", "present aug", "files domain", "files related", "related tags", "none google", "safe browsing", "external", "data upload", "extraction", "include review", "exclude sugges", "uny inuuue", "find s", "extr", "typ dom", "failed", "extri data", "mirai meta", "japan unknown", "miraipcok meta", "overview ip", "address", "location united", "asn as15169", "nameservers", "less whois", "registrar", "overview domain", "address domain", "ip whois", "title", "create c", "read c", "delete", "write", "medium", "create", "showing", "rgba", "next", "dock", "execution", "malware", "sqlite rollback", "jfif", "journal", "regsetvalueexa", "ascii", "regdword", "baidu", "url add", "http", "related nids", "files location", "flag united", "redacted for", "unknown aaaa", "hostname add", "url analysis", "encrypt", "date", "germany unknown", "ascio", "creation date", "alfper", "ipv4 add", "reverse dns", "mozilla", "set spray", "pty ltd", "date checked", "present jun", "present nov", "present may", "present mar", "present sep", "present jan", "for privacy", "lngen", "ransom", "virtool", "exploit", "as133618", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "asn as133618", "whois registrar", "ietfdtd html", "gmt server", "debian", "dynamicloader", "unknown", "feat", "query", "installer", "results oct", "results jan", "aaaa", "tlsv1", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "lowfi", "urlshortner aug", "urlshortner jul", "urlshortner", "write c", "high", "et exploit", "probe ms17010", "f codeoverlap", "copy", "contacted", "w3wwhb", "svwjh5dd u", "uv5b usvwu", "f us3v9", "cu codeoverlap", "filehash", "sha256 add", "monitored target", "sloffeefoundry.com", "apple", "samsung", "galaxy", "msie", "windows nt", "wow64", "slcc2", "media center", "persistence", "edge", "bing", "racism", "amazon music", "ios", "twitter", "googleapis", "denver" ], "references": [ "Researched: 210.172.192.15 | p192015.mirai.ne.jp | sanso-mirai.jp", "Mirai Communication Network Inc. (AS7690) Seto, Japan ASN is a BGP Network", "*ccm-command-center.int.m1np.symetra.cloud", "Monitored Target/s", "https://hybrid-analysis.com/sample/ff37a006ed8677bafa412d653ce9adfe84744702f28f7dfe9f5f4ec51b599419/689505a3a647793a0300f73f", "https://hybrid-analysis.com/sample/d30cf86f09e3ab7bb7d0a4ac2608aafb31e07c94fe77f5a264ccdb35fe153c59/689505ded9be5613900509fd", "https://hybrid-analysis.com/sample/f6e628e57373bf795bae87c883dcaefdbb720960133edc1adacc6146d10fc88a", "https://otx.alienvault.com/indicator/ip/210.172.192.15", "https://otx.alienvault.com/indicator/domain/sanso-mirai.jp", "device-local-**********. remotewd.com", "https://sms-apple.com/login", "https://www.exito.com/galaxy-m12-64-gb-negro-samsung-sm-m127fzkkcoo-3016108/p", "https://4.img-dpreview.com/files/p/articles/2356747397/samsung_nv24hd_bk.jpeg", "https://shell-gift.website/sweeps/de/amazon-voucher/question1000-agg/index.html?uclick=qdlpqnvr&uclickhash=qdlpqnvr-qdlpqnvr-pmwj-0-xsi4-hovr-hoi4-9b6533", "api.omgpornpics.com", "http://www.mylifelawyer.com/services/denver-affordable-lawyer-child-custody/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Crypt-142", "display_name": "Win.Trojan.Crypt-142", "target": null }, { "id": "#Lowfi:SIGATTR:URLShortner", "display_name": "#Lowfi:SIGATTR:URLShortner", "target": null }, { "id": "Win.Trojan.14278494-1", "display_name": "Win.Trojan.14278494-1", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ransom:Win32/WannaCrypt.H", "display_name": "ransom:Win32/WannaCrypt.H", "target": "/malware/ransom:Win32/WannaCrypt.H" }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Mirai Communications", "display_name": "Mirai Communications", "target": null }, { "id": "Alfper", "display_name": "Alfper", "target": null }, { "id": "telper:HSTR:CLEAN:Ninite", "display_name": "telper:HSTR:CLEAN:Ninite", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8962, "domain": 1671, "hostname": 2125, "FileHash-SHA256": 2031, "FileHash-MD5": 718, "FileHash-SHA1": 523, "SSLCertFingerprint": 12, "email": 7, "CVE": 1 }, "indicator_count": 16050, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "224 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68930449988277cd29c25cb7", "name": "https://firebase.google.com/ - Ransom \u2022 Wiper\u2022 Trojan dropper", "description": "", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:29:13.136000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": "6893032410060f658d862c60", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6893032410060f658d862c60", "name": "Hosting App - Partial research | Emotet Worm", "description": "#firebase #google #dark_web_hosting #ransom #tracking #locate #monitored_targets #worm #emotet #malware #remoted_devices #trojan #reputation\n\n\u2022 Targets likely unaware.\n\n[m.pornsexer.xxx.3.1.adiosfil.roksit.net - reputation tool]", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:24:20.645000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688c8526be7a4df33863b5c5", "name": "VirusTotal - Shiz.ivr", "description": "*Win.Trojan.Shiz.ivr\n*PWS:Win32/Simda.D\n*virtool #injection#infostealer #network #cnc #block_not #virustotal_google #cnc #checking #procmem_yara\n#injection_inter_process\n#injection_create_remote_thread\n#antidebug_windows\n#multiple_useragents\n#network_fake_useragent\n#persistence_autorun\n#cape_detected_threat\n#antiav_detectfile\n#modify_proxy\n#deletes_self\n#infostealer_cookies\n#injection_createremotethread\n#suricata_alert\n~ vashti", "modified": "2025-08-31T08:01:04.297000", "created": "2025-08-01T09:13:10.510000", "tags": [ "dynamicloader", "unknown", "msie", "windows nt", "slcc2", "media center", "suspicious", "search", "high", "show", "copy", "possible", "write", "internal", "malware", "push", "local", "next", "contacted", "domains", "pulses", "related tags", "file type", "date april", "pm size", "sha1 sha256", "imphash pehash", "virustotal api", "bq jul", "united", "trojan", "backdoor", "virtool", "cnc beacon", "entries", "path max", "passive dns", "next associated", "cookie", "twitter", "body", "date", "medium", "simda", "global" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10303, "hostname": 1413, "FileHash-SHA256": 1868, "domain": 1877, "FileHash-MD5": 357, "FileHash-SHA1": 348, "SSLCertFingerprint": 2 }, "indicator_count": 16168, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "231 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com", "https://hybrid-analysis.com/sample/f6e628e57373bf795bae87c883dcaefdbb720960133edc1adacc6146d10fc88a", "Sigma: Matches rule Remote Access Tool Services Have Been Installed - Security by Connor Martin, Nasreddine Bencherchali (Nextron Systems)", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "Machiavellians have already built a new world with a world. Some fear the Apocalypse they created.", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI", "https://dotnet.microsoft.com/en-us/apps/aspnet", "Yara: CATEGORY _7_Zip_Installer ;!@Install@! ;!@InstallEnd@! 7z Igor,Pavlov", "https://link.monetizer101.com/widget/code/dailystaruk.js", "Alerts: network_icmp modifies_certificates injection_resumethread dumped_buffer", "https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "https://hybrid-analysis.com/sample/ff37a006ed8677bafa412d653ce9adfe84744702f28f7dfe9f5f4ec51b599419/689505a3a647793a0300f73f", "I\u2019d like to make an appeal. Please stop. Your original target has gone away.", "https://otx.alienvault.com/indicator/domain/sanso-mirai.jp", "Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "6.0.0.0 Deep Impact: +Tsara Brashears , +callmeDoris , +Merkd1904 , +scnrscnr, likely dorkingbeauty", "Alerts: allocates_rwx antisandbox_foregroundwindows", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "Handled by Lumen Technologies | What kind of darkness is this?", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "https://passwords.google/?utm_medium=hpp&utm", "Non white or African American , black haired Middle Eastern 55+ male in non discreet Car", "http://45.159.189.105/bot/regex \u2022 https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Malware packed. Haven\u2019t sorted all.", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "https://otx.alienvault.com/indicator/ip/210.172.192.15", "Alerts: stealth_timeout dll_load_uncommon_file_types antidebug_setunhandledexceptionfilter", "2012647\tDropbox.com Offsite File Backup in Use", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://sms-apple.com/login", "Researched: https://hcpf.colorado.gov/", "https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5", "IDS: PUA-OTHER RMS rmansys remote management tool cnc communication", "gitea.neconsside.com \u2022 http://f7194.vip/login", "Capabilities: Data-Manipulation Encode data using XOR Hash data with CRC32", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "https://shell-gift.website/sweeps/de/amazon-voucher/question1000-agg/index.html?uclick=qdlpqnvr&uclickhash=qdlpqnvr-qdlpqnvr-pmwj-0-xsi4-hovr-hoi4-9b6533", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "https://twitter.com/PORNO_SEXYBABES \u2022 https://megapornfreehd.com/2025/04/360", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "DoD Network Information Center (DNIC)", "https://apple-mac.banugoker.com/ \u2022 https://login.apple-mac.banugoker.com/", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "Remotewd.com devices", "Same target l followed and observed at Metro T-mobile on Evans & Federal in Denver", "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "music.apple.com \u2022 linktr.ee \u2022 sentient.industries? samsara has been showing up often.", "https://api.strem.io/api/addonCollectionGet%", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "Worn as Watch \u2022 Highlighter yellow & green Large Font. Looks like a toy. Clearly a weapon", "IDS: PROTOCOL-ICMP PING Windows PROTOCOL-ICMP PING PROTOCOL-ICMP Echo Reply", "Continued stalking \u2022 I am of course also being targeted w/ attempts requiring surgery.", "\"Nobody Love\" Tori Kelley \"'m the One\" DJ Khaled ft Justin Bieber (Pirated Hook)", "api.omgpornpics.com", "https://lk-prod-webcol.laika.com.co/category/bog/cat/farmacia/collares-isabelinos/todos/todo-para-mascota/1", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Researched publicly available information provided by representative of a target\u2019s estate", "Capabilities: Collection Get geographical location \u2022 Log keystrokes via polling", "https://d3jjg4nf4bbybe.cloudfront.net/u/210425/397f80d871fe6dla1704cela4b712e387ed8a48a/large/kedence-out-of-my-sight", "Try LogMeIn Resolve For Free \u2014 Powerful tools for device management and remote software installs from LogMeInResolve.", "Alerts: antivm_checks_available_memory queries_keyboard_layout", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "https://www.youtube.com/watch?v=bJWJbOqg9cM - Falsely flagged to demonetize and not rank", "https://www.google.com/search", "Antivirus Detections: Yara.Trojan.Remoteadmin-151 (29:30 BST) - a full list of key details:-1-2-3-4.", "Target no longer able to provide info. Paper tags over real Co#LP on car dark colored car.", "Alerts: recon_fingerprint antisandbox_sleep dynamic_function_loading encrypted_ioc", "The attackers are all different races, Caucasian, African American, Asian, Indian, Persian, Ethiopian, and ambiguous", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com d38psrni17bvxu.cloudfront.net www2.megawebfind.com www.google.com www6.megawebfind.com", "8-25-220-162-static.reverse.queryfoundry.net", "There is money in the industry for well established , \u2018souled\u2019 out artists. It\u2019s a racket! T signed & exited early", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "http://www.mylifelawyer.com/services/denver-affordable-lawyer-child-custody/", "https://www.google.com/search?client=safari&sca_esv= www2.megawebfind.com webfind. com \u2022 www6.mega www.google.com", "Worked at some studios attacked by Lazarus Group who allegedly attacked Sony Music", "If you find anything interesting please research it.", "Capabilities: Targeting Identify system language via API", "Not surprisingly driving a Ford F 150 | Very disturbing incidents continue. Goal clear. Hired to K****", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "Capabilities: Anti-Analysis Self delete \u2022 Inspect load icon resource", "(Can't access file- Malware infection files)", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "fed.paypal.com [redirect for monitored target \u2022 1st documented 2020- still active]", "Described as an Opaque white skinned , non Caucasian bald male. Clearly Persian or Israeli (other) Russian?", "Alerts: network_cnc_http network_http creates_exe uses_windows_utilities", "Provided documented evidence of appealed state issued plan and disclosed financials.", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .", "Attempted, overt side swipe of family member of target in City Park , by W/M w/US Army tags", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/210/d5caee55-c7ae-4b3a-8be7-b65fa5f885c9", "I apologize if you don\u2019t like my background stories", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "I can\u2019t vouch for the safety of website above. First time user.", "Mirai Communication Network Inc. (AS7690) Seto, Japan ASN is a BGP Network", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "https://login.apple-mac.banugoker.com/cgi-sys/defaultwebpage.cgi \u2022 lsupport-apple.com", "Domains Contacted: www.download.windowsupdate.com ifdnzact.com d38psrni17bvxu.cloudfront.net", "Installed on Tsara Brashears phone in a drive up incident in October 2024", "Python Wheel package", "Researched: 210.172.192.15 | p192015.mirai.ne.jp | sanso-mirai.jp", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction network_http", "Registrant Org: Japan Computer Emergency Response Team Coordination Center", "https://www.exito.com/galaxy-m12-64-gb-negro-samsung-sm-m127fzkkcoo-3016108/p", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "ASP.net Open source. A framework for building web apps and services with .NET and C#", "Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/", "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider", "EXE:CompanyName \u2022 TektonIT EXE:EntryPoint:0x121cf \u2022 EXE:FileDescription RMS Component", "Alerts: antisandbox_sleep creates_exe dropper stealth_window injection_process_search protection_rx", "Capabilities: Persistence Create shortcut via IShellLink Communication \u2022 Write and execute a file", "parking spot on possibly Logan, male tried to clip target at Logan & 18th. No plates", "Don\u2019t ask questions. Just terrorize. destroy equipment paid for by US citizens. What\u2019s yours is theirs.", "https://www.speakup.it/magazines/places/new-york-city-on-a-budget-big-apple-little-money_2368", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "https://songculture.com/tsara-brashears-music | Cloudfront below was attached to body of work", "login.apple-mac.banugoker.com \u2022 www.apple-mac.banugoker.com \u2022 http://apple-mac.banugoker.com/", "Related Trump pulse: https://otx.alienvault.com/pulse/68c954a80675ccc89b0e9b63", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/220/6b180faa-7ce7-4e26-a3b0-aa241497c70f", "System has placed affected on multiple policies cancelling private policy without notice.", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "TektonIT RMS Component \u2022 6.0 Internal Name \u2022 LegalCopyright\u00a9 2014 TektonIT.", "consolefoundry.date \u2022 http://consolefoundry.date", "IDS: MALWARE-CNC Win.Trojan.Rfusclient outbound connection", "device-local-**********. remotewd.com", "Alerts: resumethread_remote_process reads_self stealth_window uses_windows_utilities", "http://117-114-251-162-static.reverse.queryfoundry.net/ - queryfoundry.net", "Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/", "Monitored Target/s", "He watched a \u2018target\u2019 while buying least expensive product available. Shirt with US Flag distraction", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "Signa: Matches rule Msiexec Quiet Installation by frack113", "Dr.Web violence/adult content (False) ThreatSeeker social web - youtube", "ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.", "dev.myhpnmedicaid.com", "*ccm-command-center.int.m1np.symetra.cloud", "Very dangerous. Has been going on for 12+ years affecting everyone who knew target.", "Original Filename: RMS Module PrivateBuild \u2022 ProductName \u2022 RMS ProductVersion 6.0", "millet-usgc-1.palantirfedstart.com", "Sigma: Matches rule Compression Utility Passed Uncommon Directory (via cmdline) by SOC Prime Team", "https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "A clients infected now former iOS device.", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com", "6.0.0.0 United States AS749 DOD network information center \u2022 Historical telemetry", "IDS: Unique rule identifier: This rule belongs to a private collection", "https://4.img-dpreview.com/files/p/articles/2356747397/samsung_nv24hd_bk.jpeg", "https://otx.alienvault.com/indicator/file/f3a939131ffaf473f8b1ffa0cd11d8cbce46f50dcc7e9fd2ff8404201ab5bc8e", "The sca_esv parameter is a piece of data in the URL that's likely internal to Google's system for tracking, sorting, or customizing search results.", "wallpapers-nature.com \u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "sentient.industries affects independent artists. Affects several others.", "https://hybrid-analysis.com/sample/d30cf86f09e3ab7bb7d0a4ac2608aafb31e07c94fe77f5a264ccdb35fe153c59/689505ded9be5613900509fd", "https://57d5.zhanyu66.com/com.slamyugllp.strangerrun.xc.apk/", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "IDS Detections: Win32/Unruy.C Activity", "Domains Contacted: www2.megawebfind.com www.google.com www6.megawebfind.com", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "aohhpesayw.lawsonengineers.co.", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "target.dropboxbusiness.com", "ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.\u2022 com/ \u2022 https://www.csrc.gov.cn.lxcvc.com/", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "Vehicle described as Midnight blue , attempted to hit target at a high rate of speed when target left", "afraid.org | evergreen.afraid.org", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com ocsp.pki.goog", "nr-data.net \u2022 init.ess.apple.com\t\u2022 apple-id-ifind.com \u2022 https://apple-id-ifind.com/\t\u2022 apple-lostandfound.com", "http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/mc/challenge/brw/do/210/dd14d159", "\u2018Passin\u2019 I deleted the pulses you asked me to. Your links were malicious. I haven\u2019t weaponize anything I\u2019ve learned... yet" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Virtool:win32/obfuscator.ki", "Pws:win32/qqpass.b!mtb", "Win.trojan.jorik-130", "Win.malware.midie-6847892-0", "Trojan:win32/kaicorn!rf", "Win32/nemucod", "Win.malware.eclz-9953021-0", "Win32:malob-bx\\ [cryp]", "Emotet", "Win.downloader.109205-1", "Ddos:win32/stormser.a", "Alf:exploit:win32/gsharedinforef.a", "Elf:mirai-ati", "Win.dropper.tiggre-9845940-0", "Custom malware", "Trojan:win32/daws", "Worm:win32/autorun.xxy!bit", "E5", "Tulach", "Win.malware.urelas", "Kentuchy", "Ransom:win32/wannacrypt.h", "Win.malware (30)", "Trojan:win32/blihan.a", "Malware gen", "Floxif", "Zegost", "Win.trojan.remoteadmin-151", "#lowfi:hstr:win32/obfuscatordynmemjmpapi", "Trojandropper:win32/muldrop.v!mtb", "Trojan:win32/glupteba.mt!mtb", "Hacktool:win32/autokms", "Win32:malware", "Fareit", "Worm:win32/cambot!rfn", "Win32:downloader-gjk\\ [trj]", "Win.trojan.bulz-9860169-0", "Lizar", "A variant of win32/kryptik.deoa", "Win.trojan.rfusclient", "#lowfi:linkularnsis", "Et", "Script exploit", "Win.trojan.14278494-1", "Mydoom", "Alfper", "Win.malware.zusy", "Carbanak", "Ransom:msil/genasom.i", "Telper:hstr:clean:ninite", "Worm:win32/autorun", "Nivdort", "Win.trojan.fakecodecs-119", "Win.dropper.unruy-9994363-0", "Backdoor:win32/tofsee.t", "Alf:heraklezeval:trojandownloader:html/adodb!rfn", "Win.trojan.crypt-142", "Win.trojan.fraudpack", "Domino", "#lowfi:sigattr:urlshortner", "Win.malware.kolab-9885903-0", "Toga!rfn", "Nids", "#lowfi:hstr:msil/malicious", "Worm:win32/autorun.b", "Malware", "Dotnet", "Trojandownloader:html/adodb.gen!a", "Cobalt strike", "Trojan:win32/zusy", "#lowfi:suspicioussectionname", "Trojan:win32/zbot.sibl!mtb", "Neshta", "Win.trojan.cycler-47", "Backdoor:win32/fynloski.a", "Evo", "Virtool", "Alf:hstr:dotnet", "Trojandownloader:win32/dadobra.e", "Win.malware.remoteadmin-7056666-0", "#lowfienabledtcontinueafterunpacking", "Pws", "Trojanspy:win32/nivdort", "Trojan:win32/ircbot", "Fakeav", "Win.malware.sfwx-9853337-0", "Win.trojan.jorik-149", "Xanfpezes.a", "#lowfidetectsvmware", "Ransom", "Alf:jasyp:trojan:win32/ircbot!atmn", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Project nemesis", "Trojan:win32/zombie.a", "#lowfi:hstr:msil/malicious.decryption", "Win.trojan.generic-9862772-0", "Trojanspy", "Trojan:win32/pariham.a", "Mirai communications", "Win.packed.razy-9785185-0", "Trojan:win32/magania.dsk!mtb", "Win.downloader.unruy-10026469-0", "Trojan:win32/toga", "Win.packed.generic-9967832-0", "Unix.dropper.mirai-7135858-0", "Trojandropper:win32/muldrop", "Other malware", "Alf:jasyp:pua:win32/bibado", "Alf:hstr:trojandownloader:win32/purityscan.a!bit", "Win.trojan.clicker-3506", "Win.malware.unruy-6912804-0", "Alf:heraklezeval:pws:win32/qqpass!rfn", "Malwarex-gen", "Win32:banker", "Wannacry", "Trojan:win32/floxif.e", "Tofsee", "Trojan:win32/gandcrab", "Nufs_inno", "#lowfi:hstr:monitoringtool:tektonit" ], "industries": [ "Hospitality", "Telecommunications", "Technology", "Civil society", "Healthcare", "Financial", "Government", "Finance", "Insurance", "Civilian", "Media", "Contracts" ], "unique_indicators": 235955 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/bscedge.com", "whois": "http://whois.domaintools.com/bscedge.com", "domain": "bscedge.com", "hostname": "live.com.bscedge.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 25, "pulses": [ { "id": "69aa0a62f94a92b5168405c2", "name": "fedpaypal clone Q vashti", "description": "", "modified": "2026-03-06T06:39:27.872000", "created": "2026-03-05T22:57:38.559000", "tags": [ "present sep", "virtool", "cryp", "win32", "ip address", "trojan", "ransom", "asn as54113", "passive dns", "msil", "united states", "dynamicloader", "qaeaav12", "high", "qbeipbdii", "write", "paypal", "medium", "search", "vmware", "floodfix", "malware", "united", "mtb apr", "hostname add", "write c", "read c", "yara detections", "upxoepplace", "next", "markus", "april", "ping", "meta http", "content", "gmt server", "th th", "443 ma2592000", "ipv4 add", "url analysis", "urls", "body", "title", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "status", "name servers", "set cookie", "script urls", "present feb", "cookie", "template", "present oct", "present jul", "present dec", "present jun", "next associated", "urls show", "date checked", "present apr", "url hostname", "united kingdom", "unknown ns", "servers", "great britain", "msr aug", "msr apr", "msr nov", "ite o", "server response", "script script", "files show", "date hash", "avast avg", "creation date", "lcid1033", "sminnotek", "spnvirtualbox", "bvvirtualbox", "present mar", "present nov", "exploit", "error", "server response", "google safe", "results sep", "backdoor", "certificate", "mtb sep", "next http", "scans show", "present may", "results jun", "results jan", "worm", "echo request", "sweep", "payload hello", "world", "ids detections", "cape", "viking", "philis", "et", "torop", "des moines", "contacted hosts", "content reputation", "sabey type", "tulach type", "rexx type", "foundry type", "fred scherr", "twitter", "apple", "monitored target", "financial theft", "psalms 27: 1 - 14" ], "references": [ "fed.paypal.com [redirect for monitored target \u2022 1st documented 2020- still active]", "nr-data.net \u2022 init.ess.apple.com\t\u2022 apple-id-ifind.com \u2022 https://apple-id-ifind.com/\t\u2022 apple-lostandfound.com", "https://www.speakup.it/magazines/places/new-york-city-on-a-budget-big-apple-little-money_2368", "https://login.apple-mac.banugoker.com/cgi-sys/defaultwebpage.cgi \u2022 lsupport-apple.com", "login.apple-mac.banugoker.com \u2022 www.apple-mac.banugoker.com \u2022 http://apple-mac.banugoker.com/", "https://apple-mac.banugoker.com/ \u2022 https://login.apple-mac.banugoker.com/", "http://45.159.189.105/bot/regex \u2022 https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com \u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.\u2022 com/ \u2022 https://www.csrc.gov.cn.lxcvc.com/", "https://lk-prod-webcol.laika.com.co/category/bog/cat/farmacia/collares-isabelinos/todos/todo-para-mascota/1", "https://twitter.com/PORNO_SEXYBABES \u2022 https://megapornfreehd.com/2025/04/360", "https://57d5.zhanyu66.com/com.slamyugllp.strangerrun.xc.apk/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "Win.Trojan.Fraudpack", "display_name": "Win.Trojan.Fraudpack", "target": null }, { "id": "Fakeav", "display_name": "Fakeav", "target": null }, { "id": "Ransom:MSIL/Genasom.I", "display_name": "Ransom:MSIL/Genasom.I", "target": "/malware/Ransom:MSIL/Genasom.I" }, { "id": "Virtool:Win32/Obfuscator.KI", "display_name": "Virtool:Win32/Obfuscator.KI", "target": "/malware/Virtool:Win32/Obfuscator.KI" }, { "id": "Toga!rfn", "display_name": "Toga!rfn", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Remoteadmin-7056666-0", "display_name": "Win.Malware.Remoteadmin-7056666-0", "target": null }, { "id": "Floxif", "display_name": "Floxif", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Dropper.Unruy-9994363-0", "display_name": "Win.Dropper.Unruy-9994363-0", "target": null }, { "id": "Win.Trojan.Cycler-47", "display_name": "Win.Trojan.Cycler-47", "target": null }, { "id": "Win.Trojan.Clicker-3506", "display_name": "Win.Trojan.Clicker-3506", "target": null }, { "id": "Win.Downloader.Unruy-10026469-0", "display_name": "Win.Downloader.Unruy-10026469-0", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Urelas", "display_name": "Win.Malware.Urelas", "target": null }, { "id": "Win.Malware.Zusy", "display_name": "Win.Malware.Zusy", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "target": null }, { "id": "Win.Malware.Eclz-9953021-0", "display_name": "Win.Malware.Eclz-9953021-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "display_name": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "target": null }, { "id": "Win.Dropper.Tiggre-9845940-0", "display_name": "Win.Dropper.Tiggre-9845940-0", "target": null }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Win.Malware.Sfwx-9853337-0", "display_name": "Win.Malware.Sfwx-9853337-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Trojan:Win32/Kaicorn!rf", "display_name": "Trojan:Win32/Kaicorn!rf", "target": "/malware/Trojan:Win32/Kaicorn!rf" }, { "id": "Win32:Banker", "display_name": "Win32:Banker", "target": null }, { "id": "Worm:Win32/Cambot!rfn", "display_name": "Worm:Win32/Cambot!rfn", "target": "/malware/Worm:Win32/Cambot!rfn" }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "68c5743593a4bcc81dd94b0b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1323, "URL": 4360, "FileHash-MD5": 759, "FileHash-SHA1": 748, "FileHash-SHA256": 5148, "domain": 1076, "email": 7 }, "indicator_count": 13421, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80c6bcd3fff3a4f126a68", "name": "Sventore \u2022 Agent Tesla Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information ", "description": "", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T22:42:51.657000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "68f7ced2cf17d264b49628bc", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7ced2cf17d264b49628bc", "name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information", "description": "Multiple malware\u2019s targeting Dropbox & Ebay accounts. Referenced in earlier pukses. Further investigation shows link found in apps on multiple Apple devices. Afraid. Org still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuses in f the Palantir , Gotham , Foundry products being abused by law firms and Private Investigators.\nIt is very destructive, causing loss, these firms are literally stealing and making money with other people\u2019s intellectual property and tough luck on the actual inventor, artist, writer because they even steal , cancel your insurance or back accounts leaving you unable to make a claim. \n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians , family ,businesses, stalking tracking known location.", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T18:20:02.120000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cf2c43f6493c55c8d08bf9", "name": "Executed \u2022 Installend RMS Module | .exe RMS.exe", "description": "Recap: Executed in Denver, Co.USA. Attacked a Newly purchased iPhone. Multi person attempt . Attacker executed via watch. . Related to Trump campaign Palantir text linked in references. \n\nCyberInt states that Remote Manipulator System (RMS) is a legitimate tool developed by Russian organization TektonIT and has been observed in campaigns conducted by TA505 as well as numerous smaller campaigns likely attributable to other, disparate, threat actors. In addition to the availability of commercial licenses, the tool is free for non-commercial use and supports the remote administration of both Microsoft Windows and Android devices.\nCreation Date\n2023-05-01 00:28:45\nLast Modification Date\n2025-09-13 22:34:36\n- by CarlosCabal (VirusTotal)\n\nInteresting. Being used in America.", "modified": "2025-10-20T21:03:08.498000", "created": "2025-09-20T22:35:47.459000", "tags": [ "lowfi", "tektonit yara", "pulses otx", "pexe", "pe32", "intel", "vendor finding", "ms defender", "number", "install", "installend", "igor", "pavlov", "remote access tool", "dynamicloader", "medium", "dynamic", "ip address", "domain", "file name", "reads", "windows", "checks", "pehash external", "rms", "rms module", "private build", "watch", "msie", "windows nt", "wow64", "slcc2", "media center", "port", "destination", "search", "united", "read c", "write", "persistence", "execution", "malware", "push", "copy", "next", "autorun", "unknown", "skykit", "companyname", "insta", "dod", "udp a83f8110", "encoding", "e1203 windows", "file attributes", "catalog tree", "analysis ob0001", "analysis ob0002", "f0002 polling", "control ob0004", "access ob0005", "defense evasion", "extraction", "data upload", "failed", "related tru", "unit data", "included review", "iocs", "suggestedloes", "find su", "type o", "extr", "references try", "cat antivirus", "com tektonit", "original f", "match info", "adversaries", "match unknown", "30000s", "info", "info checks", "taskjob t1053", "execution flow", "t1574 dll", "window", "tulach", "yara", "hallrender", "apple", "ios", "114.114.114.114", "targeted", "monitoring", "brian sabey & co", "tsara brashears target", "angry quasi", "pp mafia", "dangerous", "redrum", "nemtih" ], "references": [ "Try LogMeIn Resolve For Free \u2014 Powerful tools for device management and remote software installs from LogMeInResolve.", "Installed on Tsara Brashears phone in a drive up incident in October 2024", "Yara: CATEGORY _7_Zip_Installer ;!@Install@! ;!@InstallEnd@! 7z Igor,Pavlov", "Antivirus Detections: Yara.Trojan.Remoteadmin-151 (29:30 BST) - a full list of key details:-1-2-3-4.", "EXE:CompanyName \u2022 TektonIT EXE:EntryPoint:0x121cf \u2022 EXE:FileDescription RMS Component", "TektonIT RMS Component \u2022 6.0 Internal Name \u2022 LegalCopyright\u00a9 2014 TektonIT.", "Original Filename: RMS Module PrivateBuild \u2022 ProductName \u2022 RMS ProductVersion 6.0", "Worn as Watch \u2022 Highlighter yellow & green Large Font. Looks like a toy. Clearly a weapon", "Non white or African American , black haired Middle Eastern 55+ male in non discreet Car", "Vehicle described as Midnight blue , attempted to hit target at a high rate of speed when target left", "parking spot on possibly Logan, male tried to clip target at Logan & 18th. No plates", "Same target l followed and observed at Metro T-mobile on Evans & Federal in Denver", "Described as an Opaque white skinned , non Caucasian bald male. Clearly Persian or Israeli (other) Russian?", "He watched a \u2018target\u2019 while buying least expensive product available. Shirt with US Flag distraction", "Target no longer able to provide info. Paper tags over real Co#LP on car dark colored car.", "Attempted, overt side swipe of family member of target in City Park , by W/M w/US Army tags", "Not surprisingly driving a Ford F 150 | Very disturbing incidents continue. Goal clear. Hired to K****", "Alerts: recon_fingerprint antisandbox_sleep dynamic_function_loading encrypted_ioc", "Alerts: resumethread_remote_process reads_self stealth_window uses_windows_utilities", "Alerts: antivm_checks_available_memory queries_keyboard_layout", "Alerts: stealth_timeout dll_load_uncommon_file_types antidebug_setunhandledexceptionfilter", "Alerts: network_icmp modifies_certificates injection_resumethread dumped_buffer", "Alerts: network_cnc_http network_http creates_exe uses_windows_utilities", "Alerts: allocates_rwx antisandbox_foregroundwindows", "Related Trump pulse: https://otx.alienvault.com/pulse/68c954a80675ccc89b0e9b63", "6.0.0.0 Deep Impact: +Tsara Brashears , +callmeDoris , +Merkd1904 , +scnrscnr, likely dorkingbeauty", "6.0.0.0 United States AS749 DOD network information center \u2022 Historical telemetry", "Don\u2019t ask questions. Just terrorize. destroy equipment paid for by US citizens. What\u2019s yours is theirs.", "IDS: MALWARE-CNC Win.Trojan.Rfusclient outbound connection", "IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "IDS: PROTOCOL-ICMP PING Windows PROTOCOL-ICMP PING PROTOCOL-ICMP Echo Reply", "IDS: PUA-OTHER RMS rmansys remote management tool cnc communication", "IDS: Unique rule identifier: This rule belongs to a private collection", "Signa: Matches rule Msiexec Quiet Installation by frack113", "Sigma: Matches rule Remote Access Tool Services Have Been Installed - Security by Connor Martin, Nasreddine Bencherchali (Nextron Systems)", "Sigma: Matches rule Compression Utility Passed Uncommon Directory (via cmdline) by SOC Prime Team", "Capabilities: Collection Get geographical location \u2022 Log keystrokes via polling", "Capabilities: Anti-Analysis Self delete \u2022 Inspect load icon resource", "Capabilities: Targeting Identify system language via API", "Capabilities: Data-Manipulation Encode data using XOR Hash data with CRC32", "Capabilities: Persistence Create shortcut via IShellLink Communication \u2022 Write and execute a file", "Malware packed. Haven\u2019t sorted all.", "Continued stalking \u2022 I am of course also being targeted w/ attempts requiring surgery.", "Very dangerous. Has been going on for 12+ years affecting everyone who knew target.", "Machiavellians have already built a new world with a world. Some fear the Apocalypse they created.", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/mc/challenge/brw/do/210/dd14d159", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/210/d5caee55-c7ae-4b3a-8be7-b65fa5f885c9", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/210/d5caee55-c7ae-4b3a-8be7-b65fa5f885c9", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/220/6b180faa-7ce7-4e26-a3b0-aa241497c70f", "The attackers are all different races, Caucasian, African American, Asian, Indian, Persian, Ethiopian, and ambiguous", "I\u2019d like to make an appeal. Please stop. Your original target has gone away." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#Lowfi:HSTR:MonitoringTool:TektonIt", "display_name": "#Lowfi:HSTR:MonitoringTool:TektonIt", "target": null }, { "id": "Win.Trojan.Remoteadmin-151", "display_name": "Win.Trojan.Remoteadmin-151", "target": null }, { "id": "Win.Trojan.Rfusclient", "display_name": "Win.Trojan.Rfusclient", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "TrojanDownloader:HTML/Adodb.gen!A", "display_name": "TrojanDownloader:HTML/Adodb.gen!A", "target": "/malware/TrojanDownloader:HTML/Adodb.gen!A" } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 479, "FileHash-SHA1": 436, "FileHash-SHA256": 2102, "URL": 659, "domain": 162, "hostname": 305, "SSLCertFingerprint": 1, "email": 6 }, "indicator_count": 4150, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c59a023815f66367c6900b", "name": "Virus.Injector affecting Online Payment system", "description": "fed.paypal.com_underground_exchange \u2022 \nYara Detections:\nConventionEngine_Keyword_Install |\nHigh Priority Alerts:\ncape_detected_threat | IDS Detections:\nWin32/Viking.GN ICMP Echo Request |\nPhilis.J ICMP Sweep (Payload Hello World)\n[FileHash SHA256 cb83f04591cc1d602e650dd5c12f4470cf21b04328477bd6a52081f37c04bd7c]\n[Virus.Injector.ATA_virussign.com_8f3417c51a5e6b0b2241e61ef1a9eef1.exe] [File present on vx-underground.org | virus.exchange ~ vxunderground_0]\n[OTX populated] Researchers have identified and identified the source of the Viking, Philis malware, which has infected more than 1.5 million victims in the past year and is currently on the verge of being shut down.]\n#inject #install #keyword #fed.paypal #botnet #payload #grey #algorithm_manipulation #virusinstall", "modified": "2025-10-13T15:15:41.500000", "created": "2025-09-13T16:21:22.747000", "tags": [ "echo request", "sweep", "payload hello", "world", "search", "entries", "ids detections", "yara detections", "cape", "viking", "philis", "malware", "et", "adobe acrobat", "filehashsha256", "data upload", "extraction", "type", "no matching", "indicator", "failed", "url url", "samplepath", "samplename", "match info", "info", "base64", "ta0002 command", "t1059 severity", "modules t1129", "windows", "ta0003 modify", "registry t1112", "defense evasion", "encoding", "delete registry", "tree", "analysis ob0002", "control ob0004", "b0030 receive", "files", "ob0007 system", "e1082 file", "resolved ips", "sugges", "stop show", "domain", "hostname", "hostname data", "mitre att", "ip detections", "country" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 7, "FileHash-SHA256": 488, "URL": 758, "hostname": 321, "domain": 104 }, "indicator_count": 1699, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c5743593a4bcc81dd94b0b", "name": "Fed.PayPal.com - Ransom | Attacks via redirect", "description": "A monitored target, active on various payment platforms for business documented a malicious redirect event 1st seen in 2020. Follows pattern of multiple, critical and ongoing attacks beginning in 2013. In this instance target lost access to PayPal payments. If this is legal, it\u2019s been a grotesque grift. Target was financially and otherwise robbed.\n\n\n#trulymissed #paypal #advesaries #apple #twitter #backdoor #ransom #botnet #reptutationattack", "modified": "2025-10-13T13:27:11.277000", "created": "2025-09-13T13:40:05.671000", "tags": [ "present sep", "virtool", "cryp", "win32", "ip address", "trojan", "ransom", "asn as54113", "passive dns", "msil", "united states", "dynamicloader", "qaeaav12", "high", "qbeipbdii", "write", "paypal", "medium", "search", "vmware", "floodfix", "malware", "united", "mtb apr", "hostname add", "write c", "read c", "yara detections", "upxoepplace", "next", "markus", "april", "ping", "meta http", "content", "gmt server", "th th", "443 ma2592000", "ipv4 add", "url analysis", "urls", "body", "title", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "status", "name servers", "set cookie", "script urls", "present feb", "cookie", "template", "present oct", "present jul", "present dec", "present jun", "next associated", "urls show", "date checked", "present apr", "url hostname", "united kingdom", "unknown ns", "servers", "great britain", "msr aug", "msr apr", "msr nov", "ite o", "server response", "script script", "files show", "date hash", "avast avg", "creation date", "lcid1033", "sminnotek", "spnvirtualbox", "bvvirtualbox", "present mar", "present nov", "exploit", "error", "server response", "google safe", "results sep", "backdoor", "certificate", "mtb sep", "next http", "scans show", "present may", "results jun", "results jan", "worm", "echo request", "sweep", "payload hello", "world", "ids detections", "cape", "viking", "philis", "et", "torop", "des moines", "contacted hosts", "content reputation", "sabey type", "tulach type", "rexx type", "foundry type", "fred scherr", "twitter", "apple", "monitored target", "financial theft", "psalms 27: 1 - 14" ], "references": [ "fed.paypal.com [redirect for monitored target \u2022 1st documented 2020- still active]", "nr-data.net \u2022 init.ess.apple.com\t\u2022 apple-id-ifind.com \u2022 https://apple-id-ifind.com/\t\u2022 apple-lostandfound.com", "https://www.speakup.it/magazines/places/new-york-city-on-a-budget-big-apple-little-money_2368", "https://login.apple-mac.banugoker.com/cgi-sys/defaultwebpage.cgi \u2022 lsupport-apple.com", "login.apple-mac.banugoker.com \u2022 www.apple-mac.banugoker.com \u2022 http://apple-mac.banugoker.com/", "https://apple-mac.banugoker.com/ \u2022 https://login.apple-mac.banugoker.com/", "http://45.159.189.105/bot/regex \u2022 https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com \u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.\u2022 com/ \u2022 https://www.csrc.gov.cn.lxcvc.com/", "https://lk-prod-webcol.laika.com.co/category/bog/cat/farmacia/collares-isabelinos/todos/todo-para-mascota/1", "https://twitter.com/PORNO_SEXYBABES \u2022 https://megapornfreehd.com/2025/04/360", "https://57d5.zhanyu66.com/com.slamyugllp.strangerrun.xc.apk/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "Win.Trojan.Fraudpack", "display_name": "Win.Trojan.Fraudpack", "target": null }, { "id": "Fakeav", "display_name": "Fakeav", "target": null }, { "id": "Ransom:MSIL/Genasom.I", "display_name": "Ransom:MSIL/Genasom.I", "target": "/malware/Ransom:MSIL/Genasom.I" }, { "id": "Virtool:Win32/Obfuscator.KI", "display_name": "Virtool:Win32/Obfuscator.KI", "target": "/malware/Virtool:Win32/Obfuscator.KI" }, { "id": "Toga!rfn", "display_name": "Toga!rfn", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Remoteadmin-7056666-0", "display_name": "Win.Malware.Remoteadmin-7056666-0", "target": null }, { "id": "Floxif", "display_name": "Floxif", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Dropper.Unruy-9994363-0", "display_name": "Win.Dropper.Unruy-9994363-0", "target": null }, { "id": "Win.Trojan.Cycler-47", "display_name": "Win.Trojan.Cycler-47", "target": null }, { "id": "Win.Trojan.Clicker-3506", "display_name": "Win.Trojan.Clicker-3506", "target": null }, { "id": "Win.Downloader.Unruy-10026469-0", "display_name": "Win.Downloader.Unruy-10026469-0", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Urelas", "display_name": "Win.Malware.Urelas", "target": null }, { "id": "Win.Malware.Zusy", "display_name": "Win.Malware.Zusy", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "target": null }, { "id": "Win.Malware.Eclz-9953021-0", "display_name": "Win.Malware.Eclz-9953021-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "display_name": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "target": null }, { "id": "Win.Dropper.Tiggre-9845940-0", "display_name": "Win.Dropper.Tiggre-9845940-0", "target": null }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Win.Malware.Sfwx-9853337-0", "display_name": "Win.Malware.Sfwx-9853337-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Trojan:Win32/Kaicorn!rf", "display_name": "Trojan:Win32/Kaicorn!rf", "target": "/malware/Trojan:Win32/Kaicorn!rf" }, { "id": "Win32:Banker", "display_name": "Win32:Banker", "target": null }, { "id": "Worm:Win32/Cambot!rfn", "display_name": "Worm:Win32/Cambot!rfn", "target": "/malware/Worm:Win32/Cambot!rfn" }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1321, "URL": 4356, "FileHash-MD5": 759, "FileHash-SHA1": 748, "FileHash-SHA256": 5148, "domain": 1076, "email": 7 }, "indicator_count": 13415, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bbdb22e3d606ae8fb5cda8", "name": "HCPF | Department of Health Care Policy and Financing", "description": "Project Nemesis - Affects Department of Health Care Policy and Financing | Family representative repeatedly told past bills aren\u2019t being paid by United Healthcare. Argus Insurance (unknown entity) was Policy on record target never had. FR was given information regarding HCPF which was being viewed by past vendor seen in (https://otx.alienvault.com/pulse/68bbb31f6d91989d7fcd9592) | Issues with HCPF have been an issue for some time in isolated scenarios. It\u2019s unclear how at least one person keeps getting their name, bills and life pulled into this. Target PURCHASED a Healthcare policy via agent before major social engineering attacks. Same entity literally robs targets. Gift cards, phone services, cloud storage, account, insurance policies, bank account access, tax refunds, paid claims reversed & taken from target\u2019s account.\nMore research needed. Flaws in new system could jeopardize many. \n#trulymissed #rip #techbrohell #palantir", "modified": "2025-10-06T05:01:18.794000", "created": "2025-09-06T06:56:34.649000", "tags": [ "federal changes", "health first", "colorado", "child health", "plan plus", "newimpact", "medicaidour", "impact", "medicaid page", "medicaid", "beware", "text/html", "trackers", "iframes", "external-resources", "new relic", "g1gv3h3sxc0", "utc gcw970gh4gg", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "no expiration", "url https", "type indicator", "role title", "related pulses", "hostname https", "m4e5930", "hostname", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "search", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "urls", "title", "date", "resolved ips", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "endgame systems" ], "references": [ "Researched: https://hcpf.colorado.gov/", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "millet-usgc-1.palantirfedstart.com", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "https://passwords.google/?utm_medium=hpp&utm", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "Researched publicly available information provided by representative of a target\u2019s estate", "System has placed affected on multiple policies cancelling private policy without notice.", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "Provided documented evidence of appealed state issued plan and disclosed financials.", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Hospitality", "Financial", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1395, "URL": 4304, "CVE": 1, "domain": 694, "FileHash-SHA256": 1790, "FileHash-MD5": 183, "FileHash-SHA1": 103, "SSLCertFingerprint": 5 }, "indicator_count": 8475, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bbb31f6d91989d7fcd9592", "name": "Who is Argus Health Systems in relation to United Healthcare", "description": "Strange. Person/s handling a monitored targeted past accounts was contacted to have old bills paid. Told individual had Argus Health Insurance that wouldn\u2019t pay.\n\nIssues: \u2022 Individual wasn\u2019t a client of vendor in 2024\n\u2022 Was never an Argus client.\n\u2022 Social engineering type call. Angry employee demanding copy of front and back of Health Care Insurance card for UH payments for items purchased after approved prior authorization for in past purchases. \n\u2022 Gave an incredible amount of PHI over phone w/o appropriate new (or former) HIPPA standard verification. \u2022 Angrily refused to provide billing # or requesters name.\n*United Health Care has paid ZERO bills. \n* \n(Auto populated - Anel arauchealth cam) | https://www.argushealth.com. Argus Health Systems is a healthcare technology company based in Kansas City, MO. Specializing in pharmacy benefit management ...", "modified": "2025-10-06T03:04:31.707000", "created": "2025-09-06T04:05:50.955000", "tags": [ "server", "date", "registrar abuse", "csc corporate", "domains", "algorithm", "key identifier", "x509v3 subject", "country", "postal code", "code", "united", "showing", "entries", "ip address", "search", "name servers", "unknown aaaa", "domain add", "pulse submit", "passive dns", "content type", "type content", "all ipv4", "url analysis", "urls", "files", "title", "meta", "certificate", "creation date", "record value", "hostname add", "domain", "unknown ns", "china unknown", "body", "please", "x msedge", "pulse pulses", "present aug", "hong kong", "extraction", "data upload", "levelbluelabs", "search otx", "pcap", "stix", "url or", "texdr", "failedto", "drop", "aaaa", "record type", "ttl value", "historical ssl", "certificates", "thumbprint", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "present jun", "moved", "gmt content", "a domains", "next http", "scans show", "error", "present sep", "present may", "present jul", "present mar", "present apr" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2091, "domain": 817, "URL": 7939, "email": 5, "FileHash-SHA256": 2960, "FileHash-SHA1": 240, "FileHash-MD5": 227 }, "indicator_count": 14279, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c54659742e10df0e2dd0ec", "name": "Archive.ph - Mirai", "description": "", "modified": "2025-10-03T00:01:12.616000", "created": "2025-09-13T10:24:25.814000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "javascript", "spawns", "united", "present aug", "div div", "meta", "fffae1", "xml title", "drag", "div form", "form div", "a li", "encrypt", "russia", "passive dns", "urls", "aaaa", "netherlands", "your ip", "panama", "russia unknown", "present mar", "present jun", "moved", "present jul", "present sep", "ip address", "present jan", "body", "title", "domain", "files", "content type", "body doctype", "as16509", "intel mac", "os x", "ipv4 add", "port", "destination", "read c", "medium", "entries", "et info", "execution", "next", "dock", "write", "persistence", "malware", "url analysis", "files ip", "name server", "domain address", "algorithm", "key identifier", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "us as15169", "us as396982", "mitre att", "pattern match", "form", "onload", "general", "local", "path", "click", "strings", "verify", "asnone", "china as4134", "resolverror", "high", "dns query", "as7018 att", "japan as4713", "south korea", "little \u2018endian\u2019", "mirai", "dod", "endgame systems", "government overreach", "sabey type", "foundry type", "apple", "cve" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135858-0", "display_name": "Unix.Dropper.Mirai-7135858-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "68b798c0a419c49eeb4e2a13", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2069, "domain": 406, "FileHash-SHA256": 1498, "hostname": 811, "FileHash-MD5": 150, "FileHash-SHA1": 138, "SSLCertFingerprint": 8, "CIDR": 1, "CVE": 1 }, "indicator_count": 5082, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "198 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68b798c0a419c49eeb4e2a13", "name": "Archive.ph - Mirai", "description": "Outdated archiving domain of questionable origin can expose or has exposed monitored target/s to\nUnix.Dropper.Mirai-7135858-0.\n\nThe domain seems to want to appear as if it originates from Russia. There is a DoD & Endgame systems relationship. Multiple archived pages have been injected and deleted.\n(Little Endian) is a name seen often related to an innocent known to be targeted by a pro male entity who utilizes Pegasus, Palantir, Gotham, Foundry , Tulach, for silencing.\n#trulymissed #mirai #malicious", "modified": "2025-10-03T00:01:12.616000", "created": "2025-09-03T01:24:16.418000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "javascript", "spawns", "united", "present aug", "div div", "meta", "fffae1", "xml title", "drag", "div form", "form div", "a li", "encrypt", "russia", "passive dns", "urls", "aaaa", "netherlands", "your ip", "panama", "russia unknown", "present mar", "present jun", "moved", "present jul", "present sep", "ip address", "present jan", "body", "title", "domain", "files", "content type", "body doctype", "as16509", "intel mac", "os x", "ipv4 add", "port", "destination", "read c", "medium", "entries", "et info", "execution", "next", "dock", "write", "persistence", "malware", "url analysis", "files ip", "name server", "domain address", "algorithm", "key identifier", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "us as15169", "us as396982", "mitre att", "pattern match", "form", "onload", "general", "local", "path", "click", "strings", "verify", "asnone", "china as4134", "resolverror", "high", "dns query", "as7018 att", "japan as4713", "south korea", "little \u2018endian\u2019", "mirai", "dod", "endgame systems", "government overreach", "sabey type", "foundry type", "apple", "cve" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135858-0", "display_name": "Unix.Dropper.Mirai-7135858-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2069, "domain": 406, "FileHash-SHA256": 1498, "hostname": 811, "FileHash-MD5": 150, "FileHash-SHA1": 138, "SSLCertFingerprint": 8, "CIDR": 1, "CVE": 1 }, "indicator_count": 5082, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "198 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://live.com.bscedge.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://live.com.bscedge.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776620213.0662205 }