{ "type": "URL", "indicator": "https://local.fuckoffstoplookinghere.sbs/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://local.fuckoffstoplookinghere.sbs/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4192989887, "indicator": "https://local.fuckoffstoplookinghere.sbs/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69ce1c7b60a3065cc75b7e23", "name": "Chance Encounter Clone CREDIT: UCP_GoA23 Public - same watering hole?", "description": "", "modified": "2026-04-21T05:29:42.247000", "created": "2026-04-02T07:36:27.829000", "tags": [ "raspberry pi", "hdmi", "hdmi mode", "uncomment", "additional", "usb mass", "pi02", "pi zero", "zero", "enable drm", "program", "license", "free software", "foundation", "general public", "gnu general", "public license", "the program", "copyright", "sections", "june", "general", "april", "vice", "drivers", "analog", "digital", "video", "bus support", "media", "accelerometers", "capacitance", "resolver", "android", "flash", "monitoring", "codec", "loop", "light", "linear", "tools", "class", "speakup", "core support", "legacy", "kernel", "this software", "including", "but not", "limited to", "ltd all", "redistributions", "disclaimer", "is provided", "damage", "info", "params", "gpio", "gpio pin", "select", "digital volume", "load", "gpios", "compute module", "spi bus", "front", "clock", "speed", "tiny", "kali", "oled", "systemd", "digi", "miso", "screen", "show", "global property", "bootmenu", "label", "booting", "please", "javascript", "entity", "file list", "size first", "credits text", "readme text", "no meaningful", "url list", "status https", "domain list", "enom", "registrar", "ltd dba", "com laude", "ip address", "ip adresses", "U of A", "GoA", "Treaty 6", "Treaty 7", "Treaty 8", "AHS" ], "references": [ "cmdline.txt", "config.txt", "COPYING.linux", "config-5.15.44-Re4son-v7+", "config-5.15.44-Re4son-v7l+", "config-5.15.44-Re4son-v8l+", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v8+", "grub_background.sh", "LICENCE.broadcom", "README", "theme.txt", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1050", "name": "New Service", "display_name": "T1050 - New Service" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Agriculture", "Finance", "Transportation" ], "TLP": "white", "cloned_from": "698f07428f6e35876e034e41", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 812, "URL": 2492, "hostname": 1171, "FileHash-SHA256": 2057, "CVE": 2, "FileHash-MD5": 14, "FileHash-SHA1": 16, "email": 2, "CIDR": 118 }, "indicator_count": 6684, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698d30c03b57c38dff915023", "name": "Double Umbrella AS15169/AS21928: This evaluates a critical structural convergence between Google (AS15169) and T-Mobile USA (AS21928) within the global Tier-1 routing backbone", "description": "Research credit: msudosos, The research identifies a high-fidelity pattern where traffic from dual origins commingles within a restricted lateral transit hub, allowing for horizontal movement across backbone providers that typically maintain distinct trust boundaries. Specifically, the Content Origin (Umbrella A) originated by Google (AS15169) reaches the core backbone through a high-trust sequence involving Arelion (AS1299), NTT (AS2914), and GTT (AS3257). Simultaneously, the Mobile Origin (Umbrella B) originated by T-Mobile USA (AS21928) enters the backbone via Cogent (AS174) and Lumen (AS3356). The findings designate Lumen (AS3356) as the central lateral hub where traffic pivots horizontally between the \u201cCore Five\u201d partners-including Zayo (AS6461) and Hurricane Electric (AS6939) \u2014before leaking to international sub-transit peers like Sparkle (AS6762) and Telxius (AS12956), finally exiting at global edge points such as PCCW (AS3491) and Tata (AS6453).", "modified": "2026-03-29T06:02:00.914000", "created": "2026-02-12T01:45:36.128000", "tags": [ "The dynamics of the mudoSOSIntersectalign with sophisticated adv" ], "references": [ "as15169" ], "public": 1, "adversary": "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URI": 1, "domain": 2661, "URL": 6810, "hostname": 2147, "email": 56, "FileHash-SHA256": 2781, "CVE": 172, "FileHash-MD5": 365, "FileHash-SHA1": 344, "IPv4": 1, "CIDR": 20940 }, "indicator_count": 36278, "is_author": false, "is_subscribing": null, "subscriber_count": 75, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698e906da16336f8e87c3b90", "name": "CoinHive Clone ", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-02-13T02:46:05.544000", "tags": [ "united", "td tr", "a domains", "history group", "state", "b td", "present sep", "find", "alabama", "iowa", "apache", "content type", "passive dns", "meta http", "content", "gmt server", "pragma", "title", "linksys eseries", "device rce", "inbound", "et exploit", "attempt", "et webserver", "suspicious user", "user agent", "et worm", "policy python", "python", "agent", "generic", "malware", "nids", "dst_ip", "\"sid\": 2017515,", "2020/08/23", "dst_port\": 8080", "suricata", "network_icmp", "tcp_syn_scan", "unix", "mirai", "infection", "port 8080", "aitm", "mitm", "xfinity", "lumen backbone", "xfinity cf", "et info", "useragent", "webserver", "android", "linux", "statistically stripped", "local", "Jefferson County", "Colorado", "State", "is__elf", "is__war", "cyber warfare", "marking", "targeting", "stalking", "impersonating", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "mitre att", "ck matrix", "february", "hybrid", "general", "path", "encrypt", "click", "strings", "attack", "ssl certificate", "ascii text", "dynamicloader", "yara rule", "ff d5", "medium", "high", "eb d8", "f0 ff", "ff bb", "host", "unknown", "explorer", "virtool", "write", "next", "Douglas County", "Michael Roberts", "Brian Sabey", "Chris\u2019Buzz\u2019 Ahmann", "Mirai BotMaster", "file type", "pexe", "pe32", "intel", "ms windows", "date march", "am size", "imphash", "otx logo", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "moved", "urls", "expiration date", "all hostname", "files", "media", "present feb", "present jan", "present dec", "present nov", "ip address", "present", "codex", "sf.net", "next associated", "ipv4 add", "location united", "america flag", "spawns", "found", "t1480 execution", "pattern match", "present aug", "search", "name servers", "showing", "record value", "meta", "accept", "div div", "request blocked", "helvetica neue", "helvetica segoe", "ui arial", "denver", "yandex", "post", "entries", "post http", "show", "post liquor", "execution", "port", "destination", "icmp traffic", "dns query", "include", "top source" ], "references": [ "https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in", "genealogytrails.com", "It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT", "Has been present throughout a specific campaign", "Mirai", "IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt", "IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS", "IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests", "IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)", "IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden", "ET INFO User-Agent (python-requests) Inbound to Webserver", "Suspicious User Agent | ETPRO POLICY Python Requests", "src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105", "\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,", "TCP SYN packets were observed", "ET WORM TheMoon.linksys.router", "ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound", "\"ET WEB_SERVER WebShell Generic - wget http - POST", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX", "Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication", "Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc", "Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject", "File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:", "upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4", "192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net", "Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB", "IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz", "IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin", "Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process", "Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert", "Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options", "Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..", "IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193", "IPs Contacted: 149.56.240.31 172.66.136.209", "Domains Contacted: c.statcounter.com sstatic1.histats.com", "Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com", "Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com", "Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com", "Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com", "Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com", "Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com", "Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com", "Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Unix.Trojan.Mirai-7646352-0", "display_name": "Unix.Trojan.Mirai-7646352-0", "target": null }, { "id": "SpyFu", "display_name": "SpyFu", "target": null }, { "id": "Win.Trojan.VB-83922", "display_name": "Win.Trojan.VB-83922", "target": null }, { "id": "virtool:Win32/VBInject.gen!JB", "display_name": "virtool:Win32/VBInject.gen!JB", "target": "/malware/virtool:Win32/VBInject.gen!JB" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" } ], "industries": [], "TLP": "white", "cloned_from": "698966742c9fd9691396bb3a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5836, "domain": 857, "FileHash-MD5": 185, "FileHash-SHA1": 147, "hostname": 1842, "email": 7, "FileHash-SHA256": 947, "CVE": 43, "SSLCertFingerprint": 8 }, "indicator_count": 9872, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698f07428f6e35876e034e41", "name": "Chance Encounter Commuting from U of A to GoA - 02.13.2026", "description": "My 1st Graph: Hidden Boots on my Phone ( Chance Encounter Commuting from U of A to GoA - 02.13.2026 ). \nConclusion: U of A and the Governments of Alberta, and those of Treaty 6/7/8 have been victims of crime.\nhttps://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "modified": "2026-03-15T10:19:15.579000", "created": "2026-02-13T11:13:03.870000", "tags": [ "raspberry pi", "hdmi", "hdmi mode", "uncomment", "additional", "usb mass", "pi02", "pi zero", "zero", "enable drm", "program", "license", "free software", "foundation", "general public", "gnu general", "public license", "the program", "copyright", "sections", "june", "general", "april", "vice", "drivers", "analog", "digital", "video", "bus support", "media", "accelerometers", "capacitance", "resolver", "android", "flash", "monitoring", "codec", "loop", "light", "linear", "tools", "class", "speakup", "core support", "legacy", "kernel", "this software", "including", "but not", "limited to", "ltd all", "redistributions", "disclaimer", "is provided", "damage", "info", "params", "gpio", "gpio pin", "select", "digital volume", "load", "gpios", "compute module", "spi bus", "front", "clock", "speed", "tiny", "kali", "oled", "systemd", "digi", "miso", "screen", "show", "global property", "bootmenu", "label", "booting", "please", "javascript", "entity", "file list", "size first", "credits text", "readme text", "no meaningful", "url list", "status https", "domain list", "enom", "registrar", "ltd dba", "com laude", "ip address", "ip adresses", "U of A", "GoA", "Treaty 6", "Treaty 7", "Treaty 8", "AHS" ], "references": [ "cmdline.txt", "config.txt", "COPYING.linux", "config-5.15.44-Re4son-v7+", "config-5.15.44-Re4son-v7l+", "config-5.15.44-Re4son-v8l+", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v8+", "grub_background.sh", "LICENCE.broadcom", "README", "theme.txt", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1050", "name": "New Service", "display_name": "T1050 - New Service" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Agriculture", "Finance", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 812, "URL": 2492, "hostname": 1171, "FileHash-SHA256": 2057, "CVE": 2, "FileHash-MD5": 14, "FileHash-SHA1": 16, "email": 2, "CIDR": 118 }, "indicator_count": 6684, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "79 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698966742c9fd9691396bb3a", "name": "CoinHive In-Browser Miner | ET EXPLOIT Linksys E-Series Device RCE Attempt via \u2018AI chat\u2019 Xfinity Commercial Fleet vehicle parked /AITM", "description": "Merits further research. Work no is consistent with a man advocate named Michael\nRoberts of Rexxfield and Miles2/ Mile2 / seen frequently in attacks against females | targeted individual apparently was using an AI browser search when a keyword triggered glitches.\nSearch of a URL\ntarget has never heard of or seen found in device search results. Targets device injected, Mirai botnet found, Other suspicious findings. TBConrinued..:.\n[OTX. Auto populated Significantly more details have been revealed about the GoDaddy.com domain, which has been listed as an unregistered domain by the Internet Service Authority (icann). and its users are not allowed to use it.] #man_jn_tve_midxle #drive_ by_compromise #injection.", "modified": "2026-03-11T04:02:50.189000", "created": "2026-02-09T04:45:40.250000", "tags": [ "united", "td tr", "a domains", "history group", "state", "b td", "present sep", "find", "alabama", "iowa", "apache", "content type", "passive dns", "meta http", "content", "gmt server", "pragma", "title", "linksys eseries", "device rce", "inbound", "et exploit", "attempt", "et webserver", "suspicious user", "user agent", "et worm", "policy python", "python", "agent", "generic", "malware", "nids", "dst_ip", "\"sid\": 2017515,", "2020/08/23", "dst_port\": 8080", "suricata", "network_icmp", "tcp_syn_scan", "unix", "mirai", "infection", "port 8080", "aitm", "mitm", "xfinity", "lumen backbone", "xfinity cf", "et info", "useragent", "webserver", "android", "linux", "statistically stripped", "local", "Jefferson County", "Colorado", "State", "is__elf", "is__war", "cyber warfare", "marking", "targeting", "stalking", "impersonating", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "mitre att", "ck matrix", "february", "hybrid", "general", "path", "encrypt", "click", "strings", "attack", "ssl certificate", "ascii text", "dynamicloader", "yara rule", "ff d5", "medium", "high", "eb d8", "f0 ff", "ff bb", "host", "unknown", "explorer", "virtool", "write", "next", "Douglas County", "Michael Roberts", "Brian Sabey", "Chris\u2019Buzz\u2019 Ahmann", "Mirai BotMaster", "file type", "pexe", "pe32", "intel", "ms windows", "date march", "am size", "imphash", "otx logo", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "moved", "urls", "expiration date", "all hostname", "files", "media", "present feb", "present jan", "present dec", "present nov", "ip address", "present", "codex", "sf.net", "next associated", "ipv4 add", "location united", "america flag", "spawns", "found", "t1480 execution", "pattern match", "present aug", "search", "name servers", "showing", "record value", "meta", "accept", "div div", "request blocked", "helvetica neue", "helvetica segoe", "ui arial", "denver", "yandex", "post", "entries", "post http", "show", "post liquor", "execution", "port", "destination", "icmp traffic", "dns query", "include", "top source" ], "references": [ "https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in", "genealogytrails.com", "It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT", "Has been present throughout a specific campaign", "Mirai", "IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt", "IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS", "IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests", "IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)", "IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden", "ET INFO User-Agent (python-requests) Inbound to Webserver", "Suspicious User Agent | ETPRO POLICY Python Requests", "src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105", "\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,", "TCP SYN packets were observed", "ET WORM TheMoon.linksys.router", "ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound", "\"ET WEB_SERVER WebShell Generic - wget http - POST", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX", "Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication", "Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc", "Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject", "File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:", "upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4", "192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net", "Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB", "IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz", "IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin", "Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process", "Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert", "Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options", "Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..", "IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193", "IPs Contacted: 149.56.240.31 172.66.136.209", "Domains Contacted: c.statcounter.com sstatic1.histats.com", "Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com", "Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com", "Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com", "Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com", "Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com", "Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com", "Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com", "Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Unix.Trojan.Mirai-7646352-0", "display_name": "Unix.Trojan.Mirai-7646352-0", "target": null }, { "id": "SpyFu", "display_name": "SpyFu", "target": null }, { "id": "Win.Trojan.VB-83922", "display_name": "Win.Trojan.VB-83922", "target": null }, { "id": "virtool:Win32/VBInject.gen!JB", "display_name": "virtool:Win32/VBInject.gen!JB", "target": "/malware/virtool:Win32/VBInject.gen!JB" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5779, "domain": 730, "FileHash-MD5": 185, "FileHash-SHA1": 147, "hostname": 1790, "email": 5, "FileHash-SHA256": 947, "CVE": 3, "SSLCertFingerprint": 8 }, "indicator_count": 9594, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "83 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698037098c99c37cb91037c2", "name": "Busy Box MITM Attacks via Drive-by-Compromise | Facebook | Apple", "description": "Busy Box - MITM Attack\n\nDrive-by-Compromise | Facebook | Jamie Oliver Recipes | My sister-in-law made this once and I couldn\u2019t stop eating it. \nAdversarial Facebook pop up posts. .\n\n|| Pykspa.C Check in. \"Pykspa is a type of Remote Access Trojan (RAT). A powerful a worm that spreads via social media or via DGA algorithms. Parking crews are fond of these types of attacks. Christopher Ahmann", "modified": "2026-03-04T04:07:14.513000", "created": "2026-02-02T05:32:57.303000", "tags": [ "no expiration", "filehashsha256", "ipv4", "url http", "domain", "hostname", "filehashmd5", "filehashsha1", "iocs", "url https", "search", "type indicator", "review iocs", "role title", "create new", "pulse use", "pdf report", "pcap", "extraction", "sc data", "extre data", "include review", "exclude sugges", "data upload", "failed", "find s", "oo data", "enter source", "url or", "text drag", "expiration", "showing", "entries", "protect", "pulse show", "email abuse", "related pulses", "indicator role", "returnurl no", "drop", "pulse provide", "public tlp", "green", "adversary tags", "buzz", "x8664", "add tag", "groups add", "add industry", "trojan", "tags" ], "references": [ "https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9", "www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250", "Antivirus Detections: Trojan:Win32/Dorv.A", "IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)", "IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup", "IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check", "IDS Detections: Domain (whatismyipaddress .com in HTTP Host)", "Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key", "Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location", "Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile", "Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed", "Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http", "IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80", "IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75", "Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca", "Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com", "Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org", "Antivirus Detections: Win.Malware.Pits-10035540-0", "Yara: Detections Delphi", "Alerts: infostealer_cookies antiav_detectfile", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022", "http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/", "http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe", "http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/", "http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt", "output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]", "https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary", "https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a", "https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf", "https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423", "https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9", "apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022", "https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022", "http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022", "https://cpcontacts.apple4you.it", "AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference", "adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com", "https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest", "https://fs25.mygamesteam.com/download/underground-parking/", "http://spiritzuridgerunelahubcloudgusparkx.rest/", "127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies", "9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB", "ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB", "IDS Detections: Suspicious Activity potential UPnProxy", "Yara Detections: is__elf , ECHOBOT", "Alerts: dead_host network_icmp tcp_by", "Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT", "TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169", "TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335", "TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown", "TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud", "TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks", "TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination", "TAGS: detection detections detections name development att direct dirty dns resolutions domain", "TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att", "TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip", "TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver", "TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey", "TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec", "TAGS: mtb yara name servers name tactics network traffic new browser next associated next", "TAGS: yara niggercat none file null object os x outbound passive dns path pattern match", "TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push", "TAGS: pyspark python python initiated quic ransom recipes record value redacted for", "TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner", "TAGS: sample analysis se domains search security quic add source level span spawns spy", "TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation", "TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater", "TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Hungary" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "DDos:Linux/Gafgyt.YA!MTB", "display_name": "DDos:Linux/Gafgyt.YA!MTB", "target": "/malware/DDos:Linux/Gafgyt.YA!MTB" }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Pykspa.C", "display_name": "Pykspa.C", "target": null }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Unix.Trojan.Gafgyt-698115", "display_name": "Unix.Trojan.Gafgyt-698115", "target": null }, { "id": "4-0 Win.Malware.Pits-10035540-0", "display_name": "4-0 Win.Malware.Pits-10035540-0", "target": null }, { "id": "Win.Packed.Usteal-7531303-0", "display_name": "Win.Packed.Usteal-7531303-0", "target": null }, { "id": "tR", "display_name": "tR", "target": null }, { "id": "DeathHiddenTear (Large&Small HT) >", "display_name": "DeathHiddenTear (Large&Small HT) >", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1586, "FileHash-SHA1": 1479, "FileHash-SHA256": 1938, "URL": 4548, "domain": 1052, "hostname": 2501, "email": 9, "SSLCertFingerprint": 7, "CIDR": 2 }, "indicator_count": 13122, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin", "TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination", "Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com", "IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75", "TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169", "adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com", "TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att", "TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule", "IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz", "http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022", "Yara: Detections Delphi", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan", "IPs Contacted: 149.56.240.31 172.66.136.209", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv", "Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org", "config-5.15.44-Re4son-v8+", "TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec", "IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup", "Mirai", "IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests", "It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT", "Domains Contacted: c.statcounter.com sstatic1.histats.com", "TAGS: mtb yara name servers name tactics network traffic new browser next associated next", "https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9", "https://fs25.mygamesteam.com/download/underground-parking/", "Suspicious User Agent | ETPRO POLICY Python Requests", "Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication", "https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423", "src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105", "IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80", "Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com", "Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com", "http://spiritzuridgerunelahubcloudgusparkx.rest/", "https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9", "TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown", "IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193", "cmdline.txt", "\"ET WEB_SERVER WebShell Generic - wget http - POST", "config-5.15.44-Re4son-v8l+", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "config.txt", "https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022", "127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies", "Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "IDS Detections: Domain (whatismyipaddress .com in HTTP Host)", "ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound", "TAGS: sample analysis se domains search security quic add source level span spawns spy", "Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com", "Alerts: infostealer_cookies antiav_detectfile", "TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner", "Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http", "File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:", "9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB", "as15169", "Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process", "ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB", "TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud", "IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver", "config-5.15.44-Re4son-v7+", "Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..", "grub_background.sh", "TAGS: detection detections detections name development att direct dirty dns resolutions domain", "Antivirus Detections: Win.Malware.Pits-10035540-0", "Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc", "Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com", "Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject", "Alerts: dead_host network_icmp tcp_by", "Yara Detections: is__elf , ECHOBOT", "TAGS: yara niggercat none file null object os x outbound passive dns path pattern match", "Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX", "https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary", "\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,", "Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca", "TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335", "output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]", "IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)", "ET INFO User-Agent (python-requests) Inbound to Webserver", "www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250", "AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference", "TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks", "TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation", "https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs", "Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com", "Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com", "TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip", "nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022", "theme.txt", "IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt", "https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in", "http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/", "Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed", "upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4", "TCP SYN packets were observed", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "README", "config-5.15.44-Re4son-v7l+", "LICENCE.broadcom", "IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)", "https://cpcontacts.apple4you.it", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections", "http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/", "IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden", "Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert", "TAGS: pyspark python python initiated quic ransom recipes record value redacted for", "genealogytrails.com", "IDS Detections: Suspicious Activity potential UPnProxy", "Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB", "apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022", "TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide", "TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert", "COPYING.linux", "192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net", "Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com", "Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location", "Antivirus Detections: Trojan:Win32/Dorv.A", "https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest", "Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT", "config-5.15.44-Re4son+", "Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options", "Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile", "http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe", "IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check", "ET WORM TheMoon.linksys.router", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "Has been present throughout a specific campaign", "TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push", "TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater", "Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act" ], "malware_families": [ "Unix.trojan.gafgyt-698115", "Unix.trojan.mirai-7646352-0", "Pykspa.c", "Win.packed.usteal-7531303-0", "Deathhiddentear (large&small ht) >", "Virtool:win32/vbinject.gen!jb", "Alf:heraklezeval:trojan:win32/clipbanker", "4-0 win.malware.pits-10035540-0", "Trojan:win32/dorv.a", "Nids", "Spyfu", "Elf:ddos-s\\ [trj]", "Ddos:linux/gafgyt.ya!mtb", "Et", "Tr", "Win.trojan.vb-83922" ], "industries": [ "Education", "Telecommunications", "Agriculture", "Healthcare", "Government", "Transportation", "Finance" ], "unique_indicators": 45939 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/fuckoffstoplookinghere.sbs", "whois": "http://whois.domaintools.com/fuckoffstoplookinghere.sbs", "domain": "fuckoffstoplookinghere.sbs", "hostname": "local.fuckoffstoplookinghere.sbs" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69ce1c7b60a3065cc75b7e23", "name": "Chance Encounter Clone CREDIT: UCP_GoA23 Public - same watering hole?", "description": "", "modified": "2026-04-21T05:29:42.247000", "created": "2026-04-02T07:36:27.829000", "tags": [ "raspberry pi", "hdmi", "hdmi mode", "uncomment", "additional", "usb mass", "pi02", "pi zero", "zero", "enable drm", "program", "license", "free software", "foundation", "general public", "gnu general", "public license", "the program", "copyright", "sections", "june", "general", "april", "vice", "drivers", "analog", "digital", "video", "bus support", "media", "accelerometers", "capacitance", "resolver", "android", "flash", "monitoring", "codec", "loop", "light", "linear", "tools", "class", "speakup", "core support", "legacy", "kernel", "this software", "including", "but not", "limited to", "ltd all", "redistributions", "disclaimer", "is provided", "damage", "info", "params", "gpio", "gpio pin", "select", "digital volume", "load", "gpios", "compute module", "spi bus", "front", "clock", "speed", "tiny", "kali", "oled", "systemd", "digi", "miso", "screen", "show", "global property", "bootmenu", "label", "booting", "please", "javascript", "entity", "file list", "size first", "credits text", "readme text", "no meaningful", "url list", "status https", "domain list", "enom", "registrar", "ltd dba", "com laude", "ip address", "ip adresses", "U of A", "GoA", "Treaty 6", "Treaty 7", "Treaty 8", "AHS" ], "references": [ "cmdline.txt", "config.txt", "COPYING.linux", "config-5.15.44-Re4son-v7+", "config-5.15.44-Re4son-v7l+", "config-5.15.44-Re4son-v8l+", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v8+", "grub_background.sh", "LICENCE.broadcom", "README", "theme.txt", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1050", "name": "New Service", "display_name": "T1050 - New Service" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Agriculture", "Finance", "Transportation" ], "TLP": "white", "cloned_from": "698f07428f6e35876e034e41", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 812, "URL": 2492, "hostname": 1171, "FileHash-SHA256": 2057, "CVE": 2, "FileHash-MD5": 14, "FileHash-SHA1": 16, "email": 2, "CIDR": 118 }, "indicator_count": 6684, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698d30c03b57c38dff915023", "name": "Double Umbrella AS15169/AS21928: This evaluates a critical structural convergence between Google (AS15169) and T-Mobile USA (AS21928) within the global Tier-1 routing backbone", "description": "Research credit: msudosos, The research identifies a high-fidelity pattern where traffic from dual origins commingles within a restricted lateral transit hub, allowing for horizontal movement across backbone providers that typically maintain distinct trust boundaries. Specifically, the Content Origin (Umbrella A) originated by Google (AS15169) reaches the core backbone through a high-trust sequence involving Arelion (AS1299), NTT (AS2914), and GTT (AS3257). Simultaneously, the Mobile Origin (Umbrella B) originated by T-Mobile USA (AS21928) enters the backbone via Cogent (AS174) and Lumen (AS3356). The findings designate Lumen (AS3356) as the central lateral hub where traffic pivots horizontally between the \u201cCore Five\u201d partners-including Zayo (AS6461) and Hurricane Electric (AS6939) \u2014before leaking to international sub-transit peers like Sparkle (AS6762) and Telxius (AS12956), finally exiting at global edge points such as PCCW (AS3491) and Tata (AS6453).", "modified": "2026-03-29T06:02:00.914000", "created": "2026-02-12T01:45:36.128000", "tags": [ "The dynamics of the mudoSOSIntersectalign with sophisticated adv" ], "references": [ "as15169" ], "public": 1, "adversary": "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URI": 1, "domain": 2661, "URL": 6810, "hostname": 2147, "email": 56, "FileHash-SHA256": 2781, "CVE": 172, "FileHash-MD5": 365, "FileHash-SHA1": 344, "IPv4": 1, "CIDR": 20940 }, "indicator_count": 36278, "is_author": false, "is_subscribing": null, "subscriber_count": 75, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698e906da16336f8e87c3b90", "name": "CoinHive Clone ", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-02-13T02:46:05.544000", "tags": [ "united", "td tr", "a domains", "history group", "state", "b td", "present sep", "find", "alabama", "iowa", "apache", "content type", "passive dns", "meta http", "content", "gmt server", "pragma", "title", "linksys eseries", "device rce", "inbound", "et exploit", "attempt", "et webserver", "suspicious user", "user agent", "et worm", "policy python", "python", "agent", "generic", "malware", "nids", "dst_ip", "\"sid\": 2017515,", "2020/08/23", "dst_port\": 8080", "suricata", "network_icmp", "tcp_syn_scan", "unix", "mirai", "infection", "port 8080", "aitm", "mitm", "xfinity", "lumen backbone", "xfinity cf", "et info", "useragent", "webserver", "android", "linux", "statistically stripped", "local", "Jefferson County", "Colorado", "State", "is__elf", "is__war", "cyber warfare", "marking", "targeting", "stalking", "impersonating", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "mitre att", "ck matrix", "february", "hybrid", "general", "path", "encrypt", "click", "strings", "attack", "ssl certificate", "ascii text", "dynamicloader", "yara rule", "ff d5", "medium", "high", "eb d8", "f0 ff", "ff bb", "host", "unknown", "explorer", "virtool", "write", "next", "Douglas County", "Michael Roberts", "Brian Sabey", "Chris\u2019Buzz\u2019 Ahmann", "Mirai BotMaster", "file type", "pexe", "pe32", "intel", "ms windows", "date march", "am size", "imphash", "otx logo", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "moved", "urls", "expiration date", "all hostname", "files", "media", "present feb", "present jan", "present dec", "present nov", "ip address", "present", "codex", "sf.net", "next associated", "ipv4 add", "location united", "america flag", "spawns", "found", "t1480 execution", "pattern match", "present aug", "search", "name servers", "showing", "record value", "meta", "accept", "div div", "request blocked", "helvetica neue", "helvetica segoe", "ui arial", "denver", "yandex", "post", "entries", "post http", "show", "post liquor", "execution", "port", "destination", "icmp traffic", "dns query", "include", "top source" ], "references": [ "https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in", "genealogytrails.com", "It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT", "Has been present throughout a specific campaign", "Mirai", "IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt", "IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS", "IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests", "IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)", "IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden", "ET INFO User-Agent (python-requests) Inbound to Webserver", "Suspicious User Agent | ETPRO POLICY Python Requests", "src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105", "\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,", "TCP SYN packets were observed", "ET WORM TheMoon.linksys.router", "ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound", "\"ET WEB_SERVER WebShell Generic - wget http - POST", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX", "Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication", "Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc", "Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject", "File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:", "upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4", "192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net", "Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB", "IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz", "IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin", "Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process", "Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert", "Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options", "Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..", "IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193", "IPs Contacted: 149.56.240.31 172.66.136.209", "Domains Contacted: c.statcounter.com sstatic1.histats.com", "Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com", "Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com", "Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com", "Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com", "Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com", "Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com", "Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com", "Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Unix.Trojan.Mirai-7646352-0", "display_name": "Unix.Trojan.Mirai-7646352-0", "target": null }, { "id": "SpyFu", "display_name": "SpyFu", "target": null }, { "id": "Win.Trojan.VB-83922", "display_name": "Win.Trojan.VB-83922", "target": null }, { "id": "virtool:Win32/VBInject.gen!JB", "display_name": "virtool:Win32/VBInject.gen!JB", "target": "/malware/virtool:Win32/VBInject.gen!JB" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" } ], "industries": [], "TLP": "white", "cloned_from": "698966742c9fd9691396bb3a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5836, "domain": 857, "FileHash-MD5": 185, "FileHash-SHA1": 147, "hostname": 1842, "email": 7, "FileHash-SHA256": 947, "CVE": 43, "SSLCertFingerprint": 8 }, "indicator_count": 9872, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698f07428f6e35876e034e41", "name": "Chance Encounter Commuting from U of A to GoA - 02.13.2026", "description": "My 1st Graph: Hidden Boots on my Phone ( Chance Encounter Commuting from U of A to GoA - 02.13.2026 ). \nConclusion: U of A and the Governments of Alberta, and those of Treaty 6/7/8 have been victims of crime.\nhttps://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "modified": "2026-03-15T10:19:15.579000", "created": "2026-02-13T11:13:03.870000", "tags": [ "raspberry pi", "hdmi", "hdmi mode", "uncomment", "additional", "usb mass", "pi02", "pi zero", "zero", "enable drm", "program", "license", "free software", "foundation", "general public", "gnu general", "public license", "the program", "copyright", "sections", "june", "general", "april", "vice", "drivers", "analog", "digital", "video", "bus support", "media", "accelerometers", "capacitance", "resolver", "android", "flash", "monitoring", "codec", "loop", "light", "linear", "tools", "class", "speakup", "core support", "legacy", "kernel", "this software", "including", "but not", "limited to", "ltd all", "redistributions", "disclaimer", "is provided", "damage", "info", "params", "gpio", "gpio pin", "select", "digital volume", "load", "gpios", "compute module", "spi bus", "front", "clock", "speed", "tiny", "kali", "oled", "systemd", "digi", "miso", "screen", "show", "global property", "bootmenu", "label", "booting", "please", "javascript", "entity", "file list", "size first", "credits text", "readme text", "no meaningful", "url list", "status https", "domain list", "enom", "registrar", "ltd dba", "com laude", "ip address", "ip adresses", "U of A", "GoA", "Treaty 6", "Treaty 7", "Treaty 8", "AHS" ], "references": [ "cmdline.txt", "config.txt", "COPYING.linux", "config-5.15.44-Re4son-v7+", "config-5.15.44-Re4son-v7l+", "config-5.15.44-Re4son-v8l+", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v8+", "grub_background.sh", "LICENCE.broadcom", "README", "theme.txt", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1050", "name": "New Service", "display_name": "T1050 - New Service" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Agriculture", "Finance", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 812, "URL": 2492, "hostname": 1171, "FileHash-SHA256": 2057, "CVE": 2, "FileHash-MD5": 14, "FileHash-SHA1": 16, "email": 2, "CIDR": 118 }, "indicator_count": 6684, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "79 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698966742c9fd9691396bb3a", "name": "CoinHive In-Browser Miner | ET EXPLOIT Linksys E-Series Device RCE Attempt via \u2018AI chat\u2019 Xfinity Commercial Fleet vehicle parked /AITM", "description": "Merits further research. Work no is consistent with a man advocate named Michael\nRoberts of Rexxfield and Miles2/ Mile2 / seen frequently in attacks against females | targeted individual apparently was using an AI browser search when a keyword triggered glitches.\nSearch of a URL\ntarget has never heard of or seen found in device search results. Targets device injected, Mirai botnet found, Other suspicious findings. TBConrinued..:.\n[OTX. Auto populated Significantly more details have been revealed about the GoDaddy.com domain, which has been listed as an unregistered domain by the Internet Service Authority (icann). and its users are not allowed to use it.] #man_jn_tve_midxle #drive_ by_compromise #injection.", "modified": "2026-03-11T04:02:50.189000", "created": "2026-02-09T04:45:40.250000", "tags": [ "united", "td tr", "a domains", "history group", "state", "b td", "present sep", "find", "alabama", "iowa", "apache", "content type", "passive dns", "meta http", "content", "gmt server", "pragma", "title", "linksys eseries", "device rce", "inbound", "et exploit", "attempt", "et webserver", "suspicious user", "user agent", "et worm", "policy python", "python", "agent", "generic", "malware", "nids", "dst_ip", "\"sid\": 2017515,", "2020/08/23", "dst_port\": 8080", "suricata", "network_icmp", "tcp_syn_scan", "unix", "mirai", "infection", "port 8080", "aitm", "mitm", "xfinity", "lumen backbone", "xfinity cf", "et info", "useragent", "webserver", "android", "linux", "statistically stripped", "local", "Jefferson County", "Colorado", "State", "is__elf", "is__war", "cyber warfare", "marking", "targeting", "stalking", "impersonating", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "mitre att", "ck matrix", "february", "hybrid", "general", "path", "encrypt", "click", "strings", "attack", "ssl certificate", "ascii text", "dynamicloader", "yara rule", "ff d5", "medium", "high", "eb d8", "f0 ff", "ff bb", "host", "unknown", "explorer", "virtool", "write", "next", "Douglas County", "Michael Roberts", "Brian Sabey", "Chris\u2019Buzz\u2019 Ahmann", "Mirai BotMaster", "file type", "pexe", "pe32", "intel", "ms windows", "date march", "am size", "imphash", "otx logo", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "moved", "urls", "expiration date", "all hostname", "files", "media", "present feb", "present jan", "present dec", "present nov", "ip address", "present", "codex", "sf.net", "next associated", "ipv4 add", "location united", "america flag", "spawns", "found", "t1480 execution", "pattern match", "present aug", "search", "name servers", "showing", "record value", "meta", "accept", "div div", "request blocked", "helvetica neue", "helvetica segoe", "ui arial", "denver", "yandex", "post", "entries", "post http", "show", "post liquor", "execution", "port", "destination", "icmp traffic", "dns query", "include", "top source" ], "references": [ "https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in", "genealogytrails.com", "It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT", "Has been present throughout a specific campaign", "Mirai", "IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt", "IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS", "IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests", "IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)", "IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden", "ET INFO User-Agent (python-requests) Inbound to Webserver", "Suspicious User Agent | ETPRO POLICY Python Requests", "src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105", "\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,", "TCP SYN packets were observed", "ET WORM TheMoon.linksys.router", "ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound", "\"ET WEB_SERVER WebShell Generic - wget http - POST", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX", "Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication", "Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc", "Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject", "File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:", "upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4", "192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net", "Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB", "IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz", "IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin", "Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process", "Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert", "Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options", "Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..", "IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193", "IPs Contacted: 149.56.240.31 172.66.136.209", "Domains Contacted: c.statcounter.com sstatic1.histats.com", "Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com", "Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com", "Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com", "Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com", "Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com", "Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com", "Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com", "Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Unix.Trojan.Mirai-7646352-0", "display_name": "Unix.Trojan.Mirai-7646352-0", "target": null }, { "id": "SpyFu", "display_name": "SpyFu", "target": null }, { "id": "Win.Trojan.VB-83922", "display_name": "Win.Trojan.VB-83922", "target": null }, { "id": "virtool:Win32/VBInject.gen!JB", "display_name": "virtool:Win32/VBInject.gen!JB", "target": "/malware/virtool:Win32/VBInject.gen!JB" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5779, "domain": 730, "FileHash-MD5": 185, "FileHash-SHA1": 147, "hostname": 1790, "email": 5, "FileHash-SHA256": 947, "CVE": 3, "SSLCertFingerprint": 8 }, "indicator_count": 9594, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "83 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698037098c99c37cb91037c2", "name": "Busy Box MITM Attacks via Drive-by-Compromise | Facebook | Apple", "description": "Busy Box - MITM Attack\n\nDrive-by-Compromise | Facebook | Jamie Oliver Recipes | My sister-in-law made this once and I couldn\u2019t stop eating it. \nAdversarial Facebook pop up posts. .\n\n|| Pykspa.C Check in. \"Pykspa is a type of Remote Access Trojan (RAT). A powerful a worm that spreads via social media or via DGA algorithms. Parking crews are fond of these types of attacks. Christopher Ahmann", "modified": "2026-03-04T04:07:14.513000", "created": "2026-02-02T05:32:57.303000", "tags": [ "no expiration", "filehashsha256", "ipv4", "url http", "domain", "hostname", "filehashmd5", "filehashsha1", "iocs", "url https", "search", "type indicator", "review iocs", "role title", "create new", "pulse use", "pdf report", "pcap", "extraction", "sc data", "extre data", "include review", "exclude sugges", "data upload", "failed", "find s", "oo data", "enter source", "url or", "text drag", "expiration", "showing", "entries", "protect", "pulse show", "email abuse", "related pulses", "indicator role", "returnurl no", "drop", "pulse provide", "public tlp", "green", "adversary tags", "buzz", "x8664", "add tag", "groups add", "add industry", "trojan", "tags" ], "references": [ "https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9", "www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250", "Antivirus Detections: Trojan:Win32/Dorv.A", "IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)", "IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup", "IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check", "IDS Detections: Domain (whatismyipaddress .com in HTTP Host)", "Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key", "Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location", "Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile", "Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed", "Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http", "IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80", "IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75", "Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca", "Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com", "Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org", "Antivirus Detections: Win.Malware.Pits-10035540-0", "Yara: Detections Delphi", "Alerts: infostealer_cookies antiav_detectfile", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022", "http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/", "http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe", "http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/", "http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt", "output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]", "https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary", "https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a", "https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf", "https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423", "https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9", "apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022", "https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022", "http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022", "https://cpcontacts.apple4you.it", "AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference", "adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com", "https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest", "https://fs25.mygamesteam.com/download/underground-parking/", "http://spiritzuridgerunelahubcloudgusparkx.rest/", "127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies", "9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB", "ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB", "IDS Detections: Suspicious Activity potential UPnProxy", "Yara Detections: is__elf , ECHOBOT", "Alerts: dead_host network_icmp tcp_by", "Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT", "TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169", "TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335", "TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown", "TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud", "TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks", "TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination", "TAGS: detection detections detections name development att direct dirty dns resolutions domain", "TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att", "TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip", "TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver", "TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey", "TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec", "TAGS: mtb yara name servers name tactics network traffic new browser next associated next", "TAGS: yara niggercat none file null object os x outbound passive dns path pattern match", "TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push", "TAGS: pyspark python python initiated quic ransom recipes record value redacted for", "TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner", "TAGS: sample analysis se domains search security quic add source level span spawns spy", "TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation", "TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater", "TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Hungary" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "DDos:Linux/Gafgyt.YA!MTB", "display_name": "DDos:Linux/Gafgyt.YA!MTB", "target": "/malware/DDos:Linux/Gafgyt.YA!MTB" }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Pykspa.C", "display_name": "Pykspa.C", "target": null }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Unix.Trojan.Gafgyt-698115", "display_name": "Unix.Trojan.Gafgyt-698115", "target": null }, { "id": "4-0 Win.Malware.Pits-10035540-0", "display_name": "4-0 Win.Malware.Pits-10035540-0", "target": null }, { "id": "Win.Packed.Usteal-7531303-0", "display_name": "Win.Packed.Usteal-7531303-0", "target": null }, { "id": "tR", "display_name": "tR", "target": null }, { "id": "DeathHiddenTear (Large&Small HT) >", "display_name": "DeathHiddenTear (Large&Small HT) >", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1586, "FileHash-SHA1": 1479, "FileHash-SHA256": 1938, "URL": 4548, "domain": 1052, "hostname": 2501, "email": 9, "SSLCertFingerprint": 7, "CIDR": 2 }, "indicator_count": 13122, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://local.fuckoffstoplookinghere.sbs/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://local.fuckoffstoplookinghere.sbs/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780448195.92896 }