{ "type": "URL", "indicator": "https://macn.corp.cc/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://macn.corp.cc/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4192993117, "indicator": "https://macn.corp.cc/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "6a07250fb9562ea208d26946", "name": "Credit *Q.Vashti* Clone [\u2022 Virus Total | P.S Banker | Attacked/Blocked \u2022] ", "description": "", "modified": "2026-05-16T05:47:36.553000", "created": "2026-05-15T13:52:15.176000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": "69dc04c12782d2d76c111a93", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "SSLCertFingerprint": 24, "email": 2, "IPv4": 1 }, "indicator_count": 4999, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dc04c12782d2d76c111a93", "name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked", "description": "", "modified": "2026-05-12T20:40:08.152000", "created": "2026-04-12T20:46:57.338000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "SSLCertFingerprint": 24, "email": 2 }, "indicator_count": 4998, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a2127d12dce12538b57d72", "name": "FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets ~ Apple Jacked Targets", "description": "Remote Attack - FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets.\n\nChecked search history on a targeted device and found an FBI link apparently delivered via unknown AI technology.\n|| yara detections\nzur foerderung\nA\n+ Add Tag\n\u8840\nCount: 1\nGRO Probability: 1\nText: Suricata Alerts Event\nCategory Description CID\nIND131.188.40.12g otx.alienvault.com\nlocal:49181 (TCP) Misc\nAttack ET TOR Known Tor\nRelay/Router (Not Exit)\n\"A\" | [[Next pulse will list on malware, rats , bats, Trojans used]", "modified": "2026-03-29T20:03:36.333000", "created": "2026-02-27T21:54:05.261000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5643, "domain": 700, "hostname": 1918, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9873, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa019f4509897e354fe029", "name": "credit Q Vashti Cloned Pulse ", "description": "", "modified": "2026-03-29T20:03:36.333000", "created": "2026-03-05T22:20:15.324000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": "69a2127d12dce12538b57d72", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5644, "domain": 701, "hostname": 1920, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9877, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698037098c99c37cb91037c2", "name": "Busy Box MITM Attacks via Drive-by-Compromise | Facebook | Apple", "description": "Busy Box - MITM Attack\n\nDrive-by-Compromise | Facebook | Jamie Oliver Recipes | My sister-in-law made this once and I couldn\u2019t stop eating it. \nAdversarial Facebook pop up posts. .\n\n|| Pykspa.C Check in. \"Pykspa is a type of Remote Access Trojan (RAT). A powerful a worm that spreads via social media or via DGA algorithms. Parking crews are fond of these types of attacks. Christopher Ahmann", "modified": "2026-03-04T04:07:14.513000", "created": "2026-02-02T05:32:57.303000", "tags": [ "no expiration", "filehashsha256", "ipv4", "url http", "domain", "hostname", "filehashmd5", "filehashsha1", "iocs", "url https", "search", "type indicator", "review iocs", "role title", "create new", "pulse use", "pdf report", "pcap", "extraction", "sc data", "extre data", "include review", "exclude sugges", "data upload", "failed", "find s", "oo data", "enter source", "url or", "text drag", "expiration", "showing", "entries", "protect", "pulse show", "email abuse", "related pulses", "indicator role", "returnurl no", "drop", "pulse provide", "public tlp", "green", "adversary tags", "buzz", "x8664", "add tag", "groups add", "add industry", "trojan", "tags" ], "references": [ "https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9", "www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250", "Antivirus Detections: Trojan:Win32/Dorv.A", "IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)", "IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup", "IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check", "IDS Detections: Domain (whatismyipaddress .com in HTTP Host)", "Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key", "Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location", "Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile", "Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed", "Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http", "IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80", "IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75", "Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca", "Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com", "Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org", "Antivirus Detections: Win.Malware.Pits-10035540-0", "Yara: Detections Delphi", "Alerts: infostealer_cookies antiav_detectfile", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022", "http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/", "http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe", "http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/", "http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt", "output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]", "https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary", "https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a", "https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf", "https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423", "https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9", "apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022", "https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022", "http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022", "https://cpcontacts.apple4you.it", "AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference", "adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com", "https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest", "https://fs25.mygamesteam.com/download/underground-parking/", "http://spiritzuridgerunelahubcloudgusparkx.rest/", "127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies", "9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB", "ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB", "IDS Detections: Suspicious Activity potential UPnProxy", "Yara Detections: is__elf , ECHOBOT", "Alerts: dead_host network_icmp tcp_by", "Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT", "TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169", "TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335", "TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown", "TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud", "TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks", "TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination", "TAGS: detection detections detections name development att direct dirty dns resolutions domain", "TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att", "TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip", "TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver", "TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey", "TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec", "TAGS: mtb yara name servers name tactics network traffic new browser next associated next", "TAGS: yara niggercat none file null object os x outbound passive dns path pattern match", "TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push", "TAGS: pyspark python python initiated quic ransom recipes record value redacted for", "TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner", "TAGS: sample analysis se domains search security quic add source level span spawns spy", "TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation", "TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater", "TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Hungary" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "DDos:Linux/Gafgyt.YA!MTB", "display_name": "DDos:Linux/Gafgyt.YA!MTB", "target": "/malware/DDos:Linux/Gafgyt.YA!MTB" }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Pykspa.C", "display_name": "Pykspa.C", "target": null }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Unix.Trojan.Gafgyt-698115", "display_name": "Unix.Trojan.Gafgyt-698115", "target": null }, { "id": "4-0 Win.Malware.Pits-10035540-0", "display_name": "4-0 Win.Malware.Pits-10035540-0", "target": null }, { "id": "Win.Packed.Usteal-7531303-0", "display_name": "Win.Packed.Usteal-7531303-0", "target": null }, { "id": "tR", "display_name": "tR", "target": null }, { "id": "DeathHiddenTear (Large&Small HT) >", "display_name": "DeathHiddenTear (Large&Small HT) >", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1586, "FileHash-SHA1": 1479, "FileHash-SHA256": 1938, "URL": 4548, "domain": 1052, "hostname": 2501, "email": 9, "SSLCertFingerprint": 7, "CIDR": 2 }, "indicator_count": 13122, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "88 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "TAGS: pyspark python python initiated quic ransom recipes record value redacted for", "Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections", "TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner", "adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com", "Accurately tipped about air travel safety. In past. Proven true.", "IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check", "Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a", "output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "We have foot soldiers. Be aware", "Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org", "marriott-control-prd.accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97", "Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location", "marriott-datacenter-prd.accenture.cn", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "TAGS: sample analysis se domains search security quic add source level span spawns spy", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022", "https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9", "Hours after files were deemed malicious. We powered on targeted Smart TV", "TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/", "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "target.id \u2022 tostring.call \u2022 title.search", "Targets associated warned. Not very open to advice.", "https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "IDS Detections: Query to a *.pw domain - Likely Hostile", "TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335", "http://cr-malware.testpanw.com/url", "https://www.justice.gov/opa/pr/departmen.t", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "http://truefoundry.prodigaltech.com/", "TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Antivirus Detections: Trojan:Win32/Dorv.A", "Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed", "Yara: Detections Delphi", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "http://spiritzuridgerunelahubcloudgusparkx.rest/", "http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/", "git.spywarewatchdog.org", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver", "Uses code, no phone calls. Connected via instagram.", "www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250", "By remote view of NEW targeys view, all key calls are routed through him.", "authrootstl.cab common file extension", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv", "Antivirus Detections: Win.Malware.Pits-10035540-0", "TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule", "https://securityaffairs.com/144927/cyber-crime~#", "IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)", "https://clockoutbox.es/password", "Foundry Palantir still has a presence in Colorado", "nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022", "Some Colorado communities have been taken over by the State Government", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "https://api.manus.im/api/oauth2_callback/apple", "TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks", "TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "TAGS: mtb yara name servers name tactics network traffic new browser next associated next", "TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "Yara Detections: is__elf , ECHOBOT", "https://fs25.mygamesteam.com/download/underground-parking/", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan", "TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push", "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Attacker being used by several legal entities attacking a target\u2019s family", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "TAGS: detection detections detections name development att direct dirty dns resolutions domain", "http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe", "https://cpcontacts.apple4you.it", "http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt", "https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary", "Alerts: dead_host network_icmp tcp_by", "https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "IDS Detections: Domain (whatismyipaddress .com in HTTP Host)", "Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert", "Connects to all NEW targets key contacts main targets contacts.", "TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT", "internationalfrontier.com", "I would post his public information. It may be unwise.", "Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile", "114.114.114.114 = Tulach", "apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022", "TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference", "https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9", "TAGS: yara niggercat none file null object os x outbound passive dns path pattern match", "TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies", "TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey", "TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown", "Alerts: infostealer_cookies antiav_detectfile", "IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75", "TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "this.target", "A man claiming to have the name Sebastian is communicating with targets love one", "Tipped of new looming airline threats", "accenture.cn", "https://apple.btprmjo.cc/", "I need some help.", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "IDS Detections: Suspicious Activity potential UPnProxy", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://www.internationalfrontier.com", "Luxury Apartments and Townhome communities do use Foundry Palantir" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Pykspa.c", "Alf:trojan:win64/psbanker", "Alf:heraklezeval:trojan:win32/clipbanker", "Win.packed.usteal-7531303-0", "Ddos:linux/gafgyt.ya!mtb", "Node traffic", "Elf:ddos-s\\ [trj]", "Unix.trojan.gafgyt-698115", "Worm:win32/autorun!atmn", "Tulach", "Deathhiddentear (large&small ht) >", "Tr", "4-0 win.malware.pits-10035540-0", "Trojan:o97m/madeba.a!det", "Trojan:win32/dorv.a" ], "industries": [], "unique_indicators": 27672 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/corp.cc", "whois": "http://whois.domaintools.com/corp.cc", "domain": "corp.cc", "hostname": "macn.corp.cc" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "6a07250fb9562ea208d26946", "name": "Credit *Q.Vashti* Clone [\u2022 Virus Total | P.S Banker | Attacked/Blocked \u2022] ", "description": "", "modified": "2026-05-16T05:47:36.553000", "created": "2026-05-15T13:52:15.176000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": "69dc04c12782d2d76c111a93", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "SSLCertFingerprint": 24, "email": 2, "IPv4": 1 }, "indicator_count": 4999, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dc04c12782d2d76c111a93", "name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked", "description": "", "modified": "2026-05-12T20:40:08.152000", "created": "2026-04-12T20:46:57.338000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "SSLCertFingerprint": 24, "email": 2 }, "indicator_count": 4998, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a2127d12dce12538b57d72", "name": "FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets ~ Apple Jacked Targets", "description": "Remote Attack - FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets.\n\nChecked search history on a targeted device and found an FBI link apparently delivered via unknown AI technology.\n|| yara detections\nzur foerderung\nA\n+ Add Tag\n\u8840\nCount: 1\nGRO Probability: 1\nText: Suricata Alerts Event\nCategory Description CID\nIND131.188.40.12g otx.alienvault.com\nlocal:49181 (TCP) Misc\nAttack ET TOR Known Tor\nRelay/Router (Not Exit)\n\"A\" | [[Next pulse will list on malware, rats , bats, Trojans used]", "modified": "2026-03-29T20:03:36.333000", "created": "2026-02-27T21:54:05.261000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5643, "domain": 700, "hostname": 1918, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9873, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa019f4509897e354fe029", "name": "credit Q Vashti Cloned Pulse ", "description": "", "modified": "2026-03-29T20:03:36.333000", "created": "2026-03-05T22:20:15.324000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": "69a2127d12dce12538b57d72", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5644, "domain": 701, "hostname": 1920, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9877, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698037098c99c37cb91037c2", "name": "Busy Box MITM Attacks via Drive-by-Compromise | Facebook | Apple", "description": "Busy Box - MITM Attack\n\nDrive-by-Compromise | Facebook | Jamie Oliver Recipes | My sister-in-law made this once and I couldn\u2019t stop eating it. \nAdversarial Facebook pop up posts. .\n\n|| Pykspa.C Check in. \"Pykspa is a type of Remote Access Trojan (RAT). A powerful a worm that spreads via social media or via DGA algorithms. Parking crews are fond of these types of attacks. Christopher Ahmann", "modified": "2026-03-04T04:07:14.513000", "created": "2026-02-02T05:32:57.303000", "tags": [ "no expiration", "filehashsha256", "ipv4", "url http", "domain", "hostname", "filehashmd5", "filehashsha1", "iocs", "url https", "search", "type indicator", "review iocs", "role title", "create new", "pulse use", "pdf report", "pcap", "extraction", "sc data", "extre data", "include review", "exclude sugges", "data upload", "failed", "find s", "oo data", "enter source", "url or", "text drag", "expiration", "showing", "entries", "protect", "pulse show", "email abuse", "related pulses", "indicator role", "returnurl no", "drop", "pulse provide", "public tlp", "green", "adversary tags", "buzz", "x8664", "add tag", "groups add", "add industry", "trojan", "tags" ], "references": [ "https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9", "www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250", "Antivirus Detections: Trojan:Win32/Dorv.A", "IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)", "IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup", "IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check", "IDS Detections: Domain (whatismyipaddress .com in HTTP Host)", "Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key", "Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location", "Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile", "Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed", "Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http", "IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80", "IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75", "Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca", "Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com", "Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org", "Antivirus Detections: Win.Malware.Pits-10035540-0", "Yara: Detections Delphi", "Alerts: infostealer_cookies antiav_detectfile", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022", "http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/", "http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe", "http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/", "http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt", "output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]", "https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary", "https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a", "https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf", "https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423", "https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9", "apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022", "https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022", "http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022", "https://cpcontacts.apple4you.it", "AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference", "adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com", "https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest", "https://fs25.mygamesteam.com/download/underground-parking/", "http://spiritzuridgerunelahubcloudgusparkx.rest/", "127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies", "9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB", "ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB", "IDS Detections: Suspicious Activity potential UPnProxy", "Yara Detections: is__elf , ECHOBOT", "Alerts: dead_host network_icmp tcp_by", "Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT", "TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169", "TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335", "TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown", "TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud", "TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks", "TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination", "TAGS: detection detections detections name development att direct dirty dns resolutions domain", "TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att", "TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip", "TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver", "TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey", "TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec", "TAGS: mtb yara name servers name tactics network traffic new browser next associated next", "TAGS: yara niggercat none file null object os x outbound passive dns path pattern match", "TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push", "TAGS: pyspark python python initiated quic ransom recipes record value redacted for", "TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner", "TAGS: sample analysis se domains search security quic add source level span spawns spy", "TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation", "TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater", "TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Hungary" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "DDos:Linux/Gafgyt.YA!MTB", "display_name": "DDos:Linux/Gafgyt.YA!MTB", "target": "/malware/DDos:Linux/Gafgyt.YA!MTB" }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Pykspa.C", "display_name": "Pykspa.C", "target": null }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Unix.Trojan.Gafgyt-698115", "display_name": "Unix.Trojan.Gafgyt-698115", "target": null }, { "id": "4-0 Win.Malware.Pits-10035540-0", "display_name": "4-0 Win.Malware.Pits-10035540-0", "target": null }, { "id": "Win.Packed.Usteal-7531303-0", "display_name": "Win.Packed.Usteal-7531303-0", "target": null }, { "id": "tR", "display_name": "tR", "target": null }, { "id": "DeathHiddenTear (Large&Small HT) >", "display_name": "DeathHiddenTear (Large&Small HT) >", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1586, "FileHash-SHA1": 1479, "FileHash-SHA256": 1938, "URL": 4548, "domain": 1052, "hostname": 2501, "email": 9, "SSLCertFingerprint": 7, "CIDR": 2 }, "indicator_count": 13122, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "88 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://macn.corp.cc/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://macn.corp.cc/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780242890.0190248 }